Weekly Virus Report – Rolark, SFC, Lovgate.F and Lovgate.G Worms

Rolark is a Trojan that is designed to gain remote access and complete control of computers. It does this by exploiting a vulnerability in web servers running Windows 2000 and version 5.0 of Internet Information Server. This flaw is a buffer overflow vulnerability in the ntdll.dll library, which is used by the WebDAV component in Internet Information Server 5.0.

Rolark is difficult to identify, as it displays no warnings or messages indicating that it has reached a computer, and it does not install or copy itself onto the machine. This means an attacker could compromise servers that have not been correctly updated.
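Because Rolark leaves no trace on the server itself, the web server log is one of the few places a defender can look for the WebDAV requests that reach the ntdll.dll overflow. The following is an added example, not code from the report or from any vendor: it parses an IIS W3C-format log excerpt (constructed here, with the `#Fields:` header convention) and flags WebDAV methods that carry an abnormally long request path or that the server answered with a 500. The report does not describe the malicious request; the example assumes that the trigger is an over-long WebDAV request path, which is the publicly documented cause of this overflow, and the 1024-character threshold is an assumption about what legitimate paths on a given server look like.

```python
# WebDAV verbs handled by the IIS 5.0 WebDAV component (RFC 2518 method names).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
URI_LENGTH_LIMIT = 1024  # assumption: legitimate WebDAV paths on this server are far shorter

# Constructed W3C-format log excerpt (not a real capture). The field list comes from
# the "#Fields:" header so the parser does not hard-code column positions.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2003-03-18 10:00:01 10.0.0.5 GET /index.htm 200\n"
    "2003-03-18 10:00:02 10.0.0.5 PROPFIND /docs/ 207\n"
    "2003-03-18 10:00:03 10.0.0.9 SEARCH /" + "A" * 3000 + " 500\n"
)


def parse_iis_log(text):
    """Yield one dict per log entry, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_suspicious_webdav(text, limit=URI_LENGTH_LIMIT):
    """Return entries where a WebDAV method carries an over-long URI or the server answered 500.

    A 500 on a WebDAV request is worth reviewing on its own: a crashed or
    restarted worker process is a common symptom of an overflow attempt.
    """
    hits = []
    for entry in parse_iis_log(text):
        if entry.get("cs-method") not in WEBDAV_METHODS:
            continue
        uri_length = len(entry.get("cs-uri-stem", ""))
        if uri_length > limit or entry.get("sc-status") == "500":
            hits.append({**entry, "uri-length": uri_length})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_webdav(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-method"], hit["uri-length"], hit["sc-status"])
```

Only the `SEARCH` entry from 10.0.0.9 is reported; the ordinary `PROPFIND` with a 207 response passes. On a real server the log review complements, rather than replaces, applying the vendor patch and disabling WebDAV where it is not needed.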

Today’s second malicious code, SFC, is a macro virus that spreads through the chat applications IRC and PIRCH and via e-mail. The e-mail message this virus uses to spread is very easy to identify, as it always includes a Word document and a text claiming that computers containing a file called ‘SFC.EXE’ are infected by a virus. However, ‘SFC.EXE’ is a legitimate Windows system file that exists on every computer running Windows.

SFC infects Word’s global template and every Word document opened, closed or saved on the infected computer. It also prevents users from working with Word macros and disables the macro antivirus protection built into this word processor.
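The lure described above (a Word attachment plus text claiming that `SFC.EXE` is a virus) is regular enough to filter at the mail gateway. The following is an added example and not code from the report or from any vendor: it parses two constructed messages with Python's standard `email` module, checks for a Word attachment (by MIME type or `.doc`/`.dot` filename) and for body text that names `SFC.EXE` as a virus or infection, and returns a triage verdict. The message contents, addresses and the exact wording of the pattern are assumptions modelled on the description in the report.

```python
import email
import re

WORD_TYPES = {"application/msword", "application/vnd.ms-word"}
# Body text that names SFC.EXE and then calls it a virus / infected.
LURE_PATTERN = re.compile(r"\bsfc\.exe\b.*\b(virus|infect)", re.IGNORECASE | re.DOTALL)

# Constructed sample modelled on the lure in the report; not a real capture.
SAMPLE_LURE = """From: someone@example.invalid
To: victim@example.invalid
Subject: Virus warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Check your computer: if you have a file called SFC.EXE it is infected
by a virus. Open the attached document for instructions.

--b1
Content-Type: application/msword; name="warning.doc"
Content-Disposition: attachment; filename="warning.doc"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Lunch
Content-Type: text/plain

Are we still on for 12:30?
"""


def has_word_attachment(msg):
    """True if any MIME part is a Word document by type or by filename extension."""
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() in WORD_TYPES or filename.endswith((".doc", ".dot")):
            return True
    return False


def body_text(msg):
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return a triage verdict: 'quarantine', 'review' or 'pass' with a short reason."""
    msg = email.message_from_string(raw_message)
    word = has_word_attachment(msg)
    lure = bool(LURE_PATTERN.search(body_text(msg)))
    if word and lure:
        return "quarantine: SFC lure text with Word attachment"
    if word:
        return "review: Word attachment, possible macro carrier"
    return "pass"


if __name__ == "__main__":
    print(classify(SAMPLE_LURE))
    print(classify(CLEAN_MESSAGE))
```

A Word attachment without the lure text is only marked for review, since ordinary business mail carries Word documents; the combination with the `SFC.EXE` claim is what identifies this particular virus's message.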

We are going to finish today’s virus report with the ‘F’ and ‘G’ variants of Lovgate, which are worms that spread via e-mail and local networks. In order to spread across local network drives, they create a large number of copies of themselves in the shared directories and subdirectories they gain access to. They also send a large number of e-mail messages that include infected files to the senders of the messages in the Inbox and to the addresses they find in certain directories.

Lovgate.F and Lovgate.G are written in the Visual C++ programming language and compressed with ASpack. The only difference between the ‘G’ and ‘F’ variants lies in the name of the mutex they create to indicate that they are memory resident.
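The mass self-copying into shared directories described above is a behaviour a file server administrator can look for without a signature: many executables with different names and locations but identical contents. The following is an added example and not code from the report or from any vendor: it walks a directory tree, hashes every file with an executable extension, and reports any content hash that appears at least a threshold number of times. The sample share it builds in a temporary directory is constructed for the example, the payload bytes are a harmless placeholder, and the extension list and threshold are assumptions to tune for a real share.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions a worm commonly uses for its copies; assumption, extend per environment.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com")


def sha256_of(path):
    """Hash a file in chunks so large files do not have to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_mass_copies(root, threshold=5):
    """Group executables under root by content hash; return groups with at least threshold copies."""
    groups = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                groups[sha256_of(path)].append(path)
    return {digest: sorted(paths) for digest, paths in groups.items() if len(paths) >= threshold}


def build_sample_share(root):
    """Constructed test data: one placeholder payload copied under six names in six
    subdirectories, one distinct legitimate program, and one non-executable copy."""
    payload = b"MZ-constructed-placeholder-not-real-malware"
    names = ["setup.exe", "readme.exe", "photo.scr", "update.exe", "game.exe", "invoice.pif"]
    for index, name in enumerate(names):
        directory = os.path.join(root, "share", f"sub{index}")
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(payload)
    tools = os.path.join(root, "share", "tools")
    os.makedirs(tools, exist_ok=True)
    with open(os.path.join(tools, "editor.exe"), "wb") as handle:
        handle.write(b"MZ-unique-legitimate-program")
    with open(os.path.join(root, "share", "notes.txt"), "wb") as handle:
        handle.write(payload)  # same bytes, but not an executable extension: ignored


def demo():
    """Build the sample share, scan it, and return {content hash: number of copies}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        hits = find_mass_copies(root, threshold=5)
        return {digest: len(paths) for digest, paths in hits.items()}


if __name__ == "__main__":
    for digest, count in demo().items():
        print(f"{count} identical executables with SHA-256 {digest}")
```

On the sample share exactly one group is reported, with six copies; the unique program and the `.txt` file with matching bytes are not. Hashing rather than comparing filenames is the point: the worm varies the name but not the content, and a duplicate-content report also gives the administrator one hash to submit to the antivirus vendor.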
