Weekly Virus Report – Halfint, Nolor Worms and Optix.Pro Trojan

In this report we’ll take a look at Aurity, a Word macro virus, two worms: Halfint and Nolor, and a Trojan called Optix.Pro.

Aurity (W97M/Aurity) is a macro virus belonging to the W97M family, which infects Microsoft Word 97 documents as well as the global template they use. The virus first infects the document which in turn, when it is opened, infects the NORMAL.DOT template. As the template is infected, all documents that then use it also become infected.

Aurity causes the following effects:

· It disables the antivirus protection in Word macros. This means that when a document is opened, Word doesn’t ask for confirmation to enable or disable macros in the document.
· It infects Word documents Word (files with a DOC extension).
· It infects Word’s global template which in turn infects all documents that use it.

Halfint (W32/Halfint) is a worm without destructive effects that spreads via KaZaA, a peer-to-peer file sharing program. When it runs, it creates 36 copies of itself in the KaZaA shared directory. All these files have names referring to computer programs and games such as Age of Empires 2 – Crack.exe, Playstation 2 Emulator Downloader.exe or Windows Key Generator (all versions).exe.

In this way other users are tricked into installing the virus onto their computers.

Nolor (W32/Nolor) is a worm that spreads rapidly via e-mail. Once it has infected a computer, it sends copies of itself, using its own SMTP engine, to all addresses in the address book on the computer. The message used by Nolor is highly variable, all though it often claims to contain photos of Bin Laden, greetings cards or passwords for accessing certain programs.

Nevertheless, Nolor is easily recognized as the message always contains one of the following attached files: LOVE_LORN.KIS.OK.EXE, LOVELORN.KIS.OK.EXE, THUYQUYEN.KIS.OK.EXE, LOVE_LORN.HTM, LOVELORN.HTM o THUYQUYEN.HTM.

Finally today we’ll look at Optix.Pro (Bck/Optix.Pro.13) a dangerous Trojan that opens communication port 3410, allowing an attacker to access remotely resources on the affected computer. It also installs and runs another backdoor Trojan (detected by Panda antivirus as Bck/Sub7.22), disables antivirus programs and terminates processes connected with firewalls.

Optix.Pro does not use any specific method of spreading. In fact, it spreads via any of the normal channels used by viruses: floppy disks, CD-Rom, e-mails with infected attachments, Internet downloads, FTP, etc.