Several security vendors Tuesday issued alerts for W32/Sobig-F, a worm that spreads via email and network shares. W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:
The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.
The email has the following format:
Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!
Message text: Chosen from -
Please see the attached file for details.
See the attached file for details
Attached file: Chosen from -
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
W32/Sobig-F also attempts to spread by copying itself to Windows network shares and uses the Network Time Protocol to one of several servers in order to determine the current date and time. If the date is September 10 2003 or later the worm stops working.
According to Panda Software's Virus Laboratory, Sobig.F can only infect computers if the user runs the file carrying the worm. Detailed information about Sobig.F and other malicious code is available from Panda Software's Virus Encyclopedia here
MessageLabs has also intercepted several copies of the mass-mailing virus, which it has identified as W32/Sobig.F-mm. The initial copies all originated from the United States.
Name: W32/Sobig.F-mm
Number of copies intercepted so far: 1,124 (increasing rapidly)
Most active country: United States (95%), Denmark (3%), Norway (1%)
Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature and the email from: address is also spoofed and may not indicate the true identity of the sender. In earlier versions of the Sobig family, the file extension has sometimes been truncated. MessageLabs have not yet observed this with the Sobig.F strain.
In an attempt to bypass local antivirus security, the file size varies on each generation reminiscent of Yaha by appending rubbish to the end of the file, but is on average around 74kb in size. The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers.
For further information, please visit the MessageLabs web site here
According to Trend Micro, Sobig.F may spoof the FROM field using email addresses found on the infected machine so that its email messages appear to originate from one source but was actually sent from another.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP. Read technical details at this Trend Micro page.
W32/Dumaru@MM Pretends to Have IE Patch
This mass mailing worm has been proactively detected with internal heuristics as "virus or variant of New Malware-b" with the 4.2.40 engine and 4239 DAT combination (or greater) since 12/23/2002.
The worm uses its own SMTP engine to email itself in the following format:
From: "Microsoft" security@microsoft.com
Subject: Use this patch immediately!
Attachment: patch.exe
Message Text: Dear friend, use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
The worm trawls the hard disk for files with extensions .htm .wab .html .dbx .tbb .abd for email addresses to send itself to. These email addresses are written to file winload.log. A password stealer component is dropped by this worm, which is detected as PWS-Narod. Read more at this Network Associates page.
According to Sophos, W32/Dumaru-A spreads using email and infects other executable using NTFS Alternate Data Stream.
When the attachment is run W32/Dumaru-A copies itself into the Windows folder as dllreg.exe and into the Windows system folder as load32.exe and vxdmgr32.exe.
W32/Dumaru-A drops and runs \windrv.exe. Windrv.exe is a backdoor Trojan detected by Sophos Anti-Virus as Troj/Narod-B.
The virus creates the registry value load32 of the registry key:
\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the virus file \load32.exe is run on Windows startup.
W32/Dumaru-A also changes system files system.ini and win.ini. The shell entry of the boot section in System.ini is changed so that it contains the reference to the virus file vxdmgr32 in the Windows systrem folder.
The virus creates a run entry in the windows section of win.ini to reference the virus file dllreg.exe in the Windows folder. W32/Dumaru-A has its own SMTP engine and attempts to collect email addresses by searching the content of files with the extensions WAB, HTM, HTML, DBX, ABD and TBB. Read more at this Sophos page.
According to Trend Micro, Dumaru-A infects .EXE files using Alternate Data Stream (ADS). It searches the entire system for target executables but is only able to infect files in the root directory.
This virus propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine. More information is at this Trend Micro page.
W32.Welchia.Worm Exploits Several Vulnerabilities
W32.Welchia.Worm:
exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer. The worm checks for active machines to infect by sending an ICMP echo, or PING, which will results in increased ICMP traffic.
The worm will also attempt to remove W32.Blaster.Worm.
Symantec Security Response has developed a removal tool to clean the infections of W32.Welchia.Worm. Access it at
this Symantec page.
Nachi.A Exploits RPC DCOM Vulnerability
Panda Software's Virus Laboratory has reported the appearance of a new worm called W32/Nachi.A. This malicious code is programmed to exploit the RPC DCOM vulnerability that affects some versions of the Windows operating system in order to spread to as many computers as possible.
Nachi.A does not spread via e-mail but attacks remote machines via TCP/IP and tries to cause a buffer overflow in them. After doing this, the attacked computer is forced to download a copy of the worm, which is done through a TFTP (Trivial File Transfer Protocol) server incorporated in this worm.
This worm, which originated in China, can also use another exploit known as WebDav. Information about this exploit and the patch to fix it are available at this Microsoft page.
The worm is programmed to delete itself from the affected computer in 2004. Another interesting characteristic of Nachi.A is that it can uninstall the Blaster worm. In order to do this, it destroys the process and deletes the files belonging to this worm. However, not only does it remove this worm but it also installs the Microsoft patch that fixes the vulnerability it exploits on affected computers.
Panda Software advises network administrators, IT managers and home users to immediately install the patches released by Microsoft to fix the RPC DCOM vulnerability. These are available at http://www.microsoft.com/security/security_bulletins/ms03-026.asp where you can also find detailed information about this flaw.
In order to avoid falling victim to attack, Panda Software advises users to update their antivirus solutions immediately. Users can also detect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company's web site here
Email
Print
Digg This
Add to del.icio.us
