This week’s virus report will describe three computer worms: Danvee (W32/Danvee), Sobig.D (W32/Sobig.D) and Mofei.B (W32/Mofei.B).
Danvee is a malicious code that is programmed to end certain processes on the computers it infects. By doing this, it temporarily stops certain applications from working, which include antivirus and firewall programs.
Danvee spreads rapidly via e-mail. The messages carrying this worm are easy to identify, as they always include an attached file called CROCK.EXE, which has a distinctive icon (a red ‘Y’ and yellow smiley).
The second worm, Sobig.D, also spreads via e-mail by sending itself out to all the e-mail addresses in the files with TXT, EML, HTM*, DBX and WAB extensions it finds on the affected computer. It does this using its own SMTP engine in order not to leave any traces of its actions. The subjects and attached files in the e-mail message carrying the worm are variable (selected from a list) and use what has been dubbed ‘social engineering’ to trick the user into opening it.
Sobig.D can also spread across local networks, provided that the system date is earlier than July 2. In order to do this, it copies itself to the Windows Startup directories in the computers connected to the same network as the affected computer. Similarly, this worm also creates several entries in the Windows Registry in order to ensure it is run whenever the computer is started up.
Finally, Mofei.B is a worm that spreads across networks and has backdoor Trojan and keylogger functions. Through these components, it can obtain data from the infected computer, such as the amount of free disk space, the volume identifier, the processor type, the IP address, etc. After it has collected this information, it connects to the communications ports 135 and 139 in order to send it out. Therefore, an increase in the traffic through these ports could be an indication that Mofei.B has attacked a computer.