Weekly Virus Report – SQLSlammer, Netspree Worms and Winpao Trojan

The attack launched by SQLSlammer is considered to be the one that has had the biggest impact on the Internet over the last 18 months. This worm exploits a vulnerability in Microsoft SQL Server to launch denial of service attacks (DoS) against these corporate servers, blocking networks and communication services.

The second worm in today’s report is Netspree, which can infect computers with any Windows operating system installed, although it only spreads through shared network drives running under Windows XP/2000/NT. This malicious code connects to an IRC server through port 6667 and discloses confidential information from the machine in which it is installed. By doing this it also leaves the computer vulnerable, as any remote user could access it. Another effect of this virus is that it can use the affected computer to launch DoS attacks.

Netspree creates a file called WIN32LOAD.EXE in the Windows system directory, which contains the worm’s code. This file goes memory resident and waits for an Internet connection to be established. When this happens, it downloads a file called LCP_NETBIOS.DLL, which incorporates the utility PSEXEC.EXE and a file with a BAT extension. The BAT file contains instructions for connecting to a remote system and the commands it uses to carry out infection. Netspree also inserts several entries in the Windows Registry in order to ensure that it is run every time the computer is started.

The Trojan in today’s report is Winpao, which is programmed to steal confidential information from the computer and send it to the virus author. The data it steals includes: the server name, the e-mail password, mail received, message subjects, the passwords file, the SMTP ID, etc. It also ends processes that belong to antivirus programs or system monitors.

An indication that Winpao is present in a computer are files with random names appearing in all drives for no apparent reason. This malicious code also creates a file called ESPLORER.EXE in the Windows system directory and multiple copies of itself in the available disk drives. Finally, it is worth highlighting that this Trojan also modifies several entries in the Windows Registry in order to ensure that it is loaded in memory before any file with a EXE, CHM, INI, REG, SCR or TXT extension is run. If the files created by the Trojan are deleted but the Windows Registry is not restored, the files with the extensions mentioned above will not be run.

Share this