Weekly Virus Report – Mimail.B, Gaobot.L, Neroma, Gelcan.A and Vote.K Worms

This week’s report focuses on six recent worms: Mimail.B, Gaobot.L, variants ‘A’ and ‘B’ of Neroma, Gelcan.A and Vote.K and on an hoax named Evocash.

Mimail.B is a worm with Trojan characteristics that spreads via e-mail in a message with the subject ‘Fraudulent escrow service’ and the attached file ‘INFO.ZIP’. Due to its Trojan characteristics, Mimail.B logs keystrokes.

In order to infect as many computers as possible, Mimail.B exploits the Internet zone (Internet Explorer) and MHTML (Outlook Express) vulnerabilities. These flaws allow hackers to run code in the local area of the affected computer.

Gaobot.L is a worm with backdoor characteristics that only infects Windows XP/2000/NT computers. It exploits the RPC DCOM and WebDAV vulnerabilities to infect as many computers as possible. Gaobot.L also spreads by attempting to copy itself to network shared resources. It gains access to these shared resources by using passwords that are typical or easy to guess. Once it is run, Gaobot.L connects to a specified IRC server through the port 9900 and waits for control commands.

As a backdoor, Gaobot.L could allow an attacker to obtain information on the affected computer, run files, launch distributed denial of service (DDoS) attacks, upload files by FTP, etc. It also ends processes belonging to Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.

Neroma.A y Neroma.B are two worms that spread via e-mail. They send themselves out to all the contacts in the Outlook Address Book in the affected computer. The e-mail message is written in English and it refers to the attacks in New York on September 11 2001. In addition, both worms modify an entry in the Windows Registry, in computers with Windows XP/2000/NT.

The fifth worm in this report is Gelcan.A that spreads by copying itself in the floppy disk drive. Once it is run, Gelcan.A goes memory resident and tries to access the floppy disk drive from time to time, in order to copy itself there.

Vote.K, is a worm that infects only Windows 9.x/ME and Windows NT/2000/XP computers. It sends a copy of itself to all the contacts in the Outlook Address Book out via e-mail or the IRC channel. In addition, Vote.K overwrites all the files with the following extensions: exe, com and scr, bmp, jpg, rar, zip, wav, and txt.

We finish today’s report with the Evocash hoax. It is not a virus; it is a hoax or an e-mail message designed to deceive recipients into thinking that the message received contains a destructive worm, sent by Evocash. In fact, this company is not involved in any way, and the message does not contain any worms.

The Evocash hoax simply aims to cause alarm among users. In order to avoid problems, delete this message and do not forward it to anyone.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss