Weekly Virus Report – Blaster.F, Mapson.D, Darby.A, Apdoor.B, Daol.A and Surfbar
Blaster.F, which only infects Windows 2003/XP/2000/NT computers, is a worm that exploits the ‘Buffer Overrun in RPC Interface’ vulnerability to spread to as many computers as possible. In this particular case, the worm exploits the vulnerability in order to download a copy of itself to the computer it infects; to do so, Blaster.F incorporates its own TFTP (Trivial File Transfer Protocol) server.
Indications that Blaster.F has infected a computer include increased network traffic on TCP ports 135 and 4444 and on UDP port 69, and the computer freezing and restarting.
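The three network indicators above (many TCP/135 probes from one host, TCP/4444 traffic, and peers pulling the worm over UDP/69 TFTP) can be correlated per host from flow or firewall logs. The following is an added example for illustration, not code from the report or from any vendor; the one-line "src dst proto dport" record format, the sample records and the thresholds are all constructed assumptions.

```python
"""Flag hosts whose traffic matches the Blaster.F indicators in the report:
outbound TCP/135 probes to many peers, outbound TCP/4444, and inbound
UDP/69 (the infected host serves its own copy over TFTP).
Added example; the log format and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample flow records in a hypothetical "src dst proto dport" format.
# 10.0.0.5 behaves like an infected host; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.17 tcp 135
10.0.0.5 10.0.0.18 tcp 135
10.0.0.5 10.0.0.19 tcp 135
10.0.0.5 10.0.0.20 tcp 135
10.0.0.5 10.0.0.21 tcp 135
10.0.0.5 10.0.0.17 tcp 4444
10.0.0.17 10.0.0.5 udp 69
10.0.0.9 10.0.0.1 tcp 80
10.0.0.9 10.0.0.2 tcp 443
10.0.0.9 10.0.0.17 tcp 135
"""


def parse_flows(text):
    """Parse the constructed record format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def blaster_indicators(flows, scan_threshold=5):
    """Per host, evaluate the three indicators named in the report.

    Returns {host: {"rpc_scan": bool, "shell_4444": bool, "tftp_server": bool}}.
    """
    rpc_targets = defaultdict(set)   # distinct peers this host probed on TCP/135
    shell_4444 = defaultdict(set)    # peers this host connected to on TCP/4444
    tftp_served = defaultdict(set)   # peers that fetched from this host on UDP/69
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shell_4444[src].add(dst)
        elif proto == "udp" and dport == 69:
            tftp_served[dst].add(src)   # the TFTP *server* is the destination
    hosts = set(rpc_targets) | set(shell_4444) | set(tftp_served)
    return {
        h: {
            "rpc_scan": len(rpc_targets[h]) >= scan_threshold,
            "shell_4444": bool(shell_4444[h]),
            "tftp_server": bool(tftp_served[h]),
        }
        for h in hosts
    }


def flag_hosts(flows, scan_threshold=5, min_indicators=2):
    """Hosts showing at least `min_indicators` of the three signs, sorted."""
    indicators = blaster_indicators(flows, scan_threshold)
    return sorted(h for h, d in indicators.items() if sum(d.values()) >= min_indicators)


if __name__ == "__main__":
    for host in flag_hosts(parse_flows(SAMPLE_LOG)):
        print("possible Blaster.F host:", host)
```

Requiring two of the three indicators keeps a single legitimate RPC connection (as from 10.0.0.9 in the sample) from raising an alert, while a host that both fans out on TCP/135 and serves TFTP is flagged; the scan threshold should be tuned to the size of the monitored network.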
Mapson.D is a dangerous worm that spreads via e-mail, through peer-to-peer (P2P) file sharing programs, and via IRC channels. It ends many processes belonging to Windows, such as system tools as well as antivirus and firewall programs. By doing this, the worm leaves the infected computer vulnerable to attack from other viruses and worms.
On Windows NT computers, Mapson.D starts a Telnet session with the user GEDZAC, which is given local administrator rights by the worm. This allows Mapson.D to validate the IP addresses received.
The third malicious code in today’s report is Darby.A, a virus that shares characteristics with worms and, like Mapson.D, spreads via e-mail, through peer-to-peer (P2P) file sharing programs and via IRC. It also ends processes belonging to several antivirus programs and other applications, such as firewalls and system monitoring tools.
Darby.A infects Word’s global template (NORMAL.DOT file) and Excel’s template (TEMPLATE.XLS file). All the Word documents and Excel spreadsheets based on these templates will then be infected. In addition, Darby.A disables the macro editing tools incorporated in these programs.
Apdoor.B is a backdoor that allows hackers to gain remote access to the affected computer. In order to do so, it connects to an IRC server and joins a predefined channel. Once it is connected, a hacker can remotely access the computer in order to launch denial of service (DoS) attacks against other computers.
Daol.A is a virus that exploits the ‘Internet zone’ and ‘MHTML’ vulnerabilities in order to enter a PC and run itself. This malicious code infects files with EXE, SCR, ASP, PLG, HTM, HTML, VBS and VBE extensions. When the infected file has an ASP, PLG, HTM, HTML, VBS or VBE extension, Daol.A encodes the original content of the file.
We finish today’s report with a description of Surfbar, which exploits the ‘Internet Explorer Object Data Remote Execution’ vulnerability to reach the computer and then create directories with different links to web pages, most of them with pornographic content. In addition, Surfbar changes the home page of the Internet Explorer browser.