The past week’s virus report looks at two very different worms and Nimda, which despite being a veteran virus (it appeared a year ago), continues to infect users computers.
W32/Blink is a worm programmed in Delphi which spreads through e-mail and the MSN Messenger application. In fact, it mails itself out to every contact in the Address Book in a message with variable characteristics and an attached file with the PIF extension. This is a dangerous malicious code, as it is programmed to delete files belonging to certain antivirus programs and firewalls.
In order to display messages on screen, the virus inserts some lines in the WINSTART.BAT file and edits the SYSTEM.INI file. W32/Blink also adds code to the AUTOEXEC.BAT file, creates a number of files in the root directory of the hard disk and generates a file called 182.exe in the Windows system directory. Moreover, W32/Blink saves several files to the Kazaa application’s shared directory. Finally, if there is a disk in the floppy disk drive, W32/Blink attempts to copy itself to it.
This week another malicious code appeared in the news, “Linux/Slapper”, reported in the media as it is a potentially dangerous worm for Apache web servers installed on Linux operating systems. In order to spread, “Linux/Slapper” exploits a known buffer overflow vulnerability found in the OpenSSL component of Apache web servers installed on the following Linux distributions: Mandrake, SuSe, Slackware, RedHat and Debian.
We will finish today’s report with a mention of Nimda, a malicious code whose economic impact exceeded 721,000 euro last year according to data from Computer Economics. Even though its first anniversary was this week, Nimda continues carrying out infections, as proved by its constant presence among the top viruses most frequently detected and removed in 2002 by Panda ActiveScan, Panda Software’s free online scanner. The reasons behind this tenacity include its capacity to run automatically by exploiting vulnerabilities in widely-used software.