This week’s report looks at three worms – Nachi.A (W32/Nachi.A), Sobig.F (W32/Sobig.F) and Panol.B (W32/Panol.B)-, and the Caraga (W97M/Caraga) macro virus.
Nachi.A is designed, like the infamous Blaster worm, to exploit the RPC DCOM vulnerability that affects some versions of the Windows operating system. Nachi.A does not spread by e-mail. It incorporates a TFTP (Trivial File Transfer Protocol) server that allows it to attack remote computers via TCP/IP in order to cause a buffer overrun in the targeted machine. As a result, the affected computer will download a copy of the worm. Nachi.A, whose origin seems to be China, can also exploit the WebDav vulnerability.
Nachi.A has an unusual feature, it uninstalls the Blaster worm from computers affected by this malicious code, killing its processes and deleting the file that contains the worm. Besides, it downloads and installs the Microsoft security patch that fixes the RPC DCOM vulnerability. Finally, it deletes itself when the year of the system date is 2004.
The F variant of the Sobig worm has become the virus with the highest, quickest proliferation rate in the history of computer viruses. Its presence has been detected all aroung the world, and, in less that 24 hours, it has managed to place itself among the viruses most frequently detected by Panda ActiveScan. This stems from the worm’s unusual capacity to spread via e-mail and across local networks, which makes Sobig.F a serious threat for corporate networks, which could be collapsed by the worm.
Sobig.F also poses additional dangers, as it uses social engineering techniques to trick users into running the file that contains it. Besides, it changes the sender of the e-mail that contains it, like other malicious codes such as Klez.I. In this way, it tries to convince users the infected message comes from a reliable source.
Once the user runs the attachment carrying the worm, Sobig.F uses its own SMTP engine to send itself out to all the e-mail address it finds in the files with the following extensions TXT, HTM*, WAB, DBX and .EML on the affected computer. It also copies itself to the affected system under the name winppr32.exe and creates several keys in the Windows Registry in order to ensure that it is run whenever the affected computer is started.
Sobig.F can also download files from the Internet and has backdoor functions, which allow it to open several communication ports. Finally, it can spread across local networks.
Panol.B looks in the infected computer’s hard drive for files with an extension starting with HTM. Then, it searches these files for e-mail addresses which begin by the string “mailto:.” and sends itself out to them. Once installed on the affected computer, Panol.B stays memory resident and tries to carry out different actions depending on the system date: restarting the computer or disabling the mouse and the keyboard.
Finally, Caraga infects Word documents using the normal means of infection used by macro viruses. Firstly, it infects the global template (NORMAL.DOT file) and then it infects all the documents that are opened, closed or saved in the affected computer.
Caraga also hides or disables many options of the Tools menu: Visual Basic Editor and toolbar, Macros, Control Box toolbar, shortcut keys, etc.