In today’s weekly virus report, we will look at three worms: Randon and the ‘P’ variants of Lentin and Opaserv.
Randon spreads through IRC chat channels and shared network resources. The most important characteristic of this malicious code is that it is a dropper-type worm that inserts several files on the computers it infects, many of which are other viruses with varying effects. The actions they carry out include opening ports, running applications, propagating, and launching Denial of Service (DoS) and flooding attacks.
Randon connects to a web page and downloads a backdoor-type Trojan. An indication of the presence of this worm on a computer is an increase in network traffic through ports 445 and 6667.
The second worm, Lentin.P, spreads via e-mail in a message with highly variable characteristics. This virus also exploits a vulnerability in versions 5.01 and 5.5 of Internet Explorer to run automatically when the message carrying the worm is viewed through Outlook’s Preview Pane. It also spreads across networks: on Wednesdays it copies itself to the shared network drives.
Lentin.P terminates antivirus and firewall programs, launches DoS attacks against five websites, changes the home page of Internet Explorer and closes the Windows Task Manager.
We are going to conclude this week’s virus report with Opaserv.P, which spreads across networks and shared resources. When this worm activates, it displays a message in an MS-DOS window and deletes the content of the hard drive. It also intercepts a large number of processes in the computer it infects and looks for IP addresses in the network with port 137 open. If it receives a reply, it spreads through port 139 by copying itself to the C: directory. Another interesting characteristic of Opaserv.P is that it patches the files ‘IO.SYS’ and ‘COMMAND.COM’ on Windows NT 4 computers, and on Windows Millennium computers it patches the file ‘REGENV32.EXE’.
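The two network indicators named in this report (a rise in traffic on ports 445 and 6667 for Randon, and port 137 probing paired with port 139 connections for Opaserv.P) can be checked against connection logs. The following is an added example, not part of the original report; the record layout, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (window, source, destination, dest_port).
# "base" is an earlier reference window, "now" is the window under review.
FLOWS = (
    [("base", "10.0.0.5", "10.0.0.2", 445)] * 2
    + [("now", "10.0.0.5", f"10.0.0.{i}", 445) for i in range(10, 22)]
    + [("now", "10.0.0.5", "192.0.2.10", 6667)] * 4
    + [("base", "10.0.0.7", "10.0.0.2", 445)] * 6
    + [("now", "10.0.0.7", "10.0.0.2", 445)] * 7
    + [("now", "10.0.0.9", f"10.0.1.{i}", 137) for i in range(1, 9)]
    + [("now", "10.0.0.9", "10.0.1.3", 139), ("now", "10.0.0.9", "10.0.1.6", 139)]
    + [("now", "10.0.0.8", "10.0.0.2", 139)]
)

def port_surge(flows, ports=(445, 6667), factor=3, min_count=5):
    """Hosts whose flow count on `ports` grew at least `factor` times over baseline."""
    counts = defaultdict(lambda: {"base": 0, "now": 0})
    for window, src, _dst, dport in flows:
        if dport in ports:
            counts[src][window] += 1
    # max(base, 1) keeps a host with no baseline traffic from passing trivially.
    return sorted(
        src for src, c in counts.items()
        if c["now"] >= min_count and c["now"] >= factor * max(c["base"], 1)
    )

def netbios_sweep(flows, min_targets=5):
    """Hosts that probed port 137 on many addresses and used port 139 on some of them."""
    probed, followed = defaultdict(set), defaultdict(set)
    for window, src, dst, dport in flows:
        if window != "now":
            continue
        if dport == 137:
            probed[src].add(dst)
        elif dport == 139:
            followed[src].add(dst)
    # Report only the port 139 destinations that the same host had probed on 137.
    return {
        src: sorted(followed[src] & targets)
        for src, targets in probed.items()
        if len(targets) >= min_targets and followed[src] & targets
    }

if __name__ == "__main__":
    print("445/6667 surge:", port_surge(FLOWS))
    print("137 sweep with 139 follow-up:", netbios_sweep(FLOWS))
```

The thresholds (`factor`, `min_count`, `min_targets`) are illustrative and need tuning against a site's normal file-sharing and IRC traffic.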