Weekly Report on Viruses and Intrusions – Nine Worms, a Trojan, a Hacking Tool and an Adware Program

Nine worms, a Trojan, a hacking tool and an adware program are the different types of malicious code included in this week’s report on viruses and intruders.

Seven of these nine worms, which are summarized below, are related to Mydoom.

– DoomHunter.A enters computers through the backdoor opened by Mydoom.A and Mydoom.B and if it detects these two worms, Blaster or Doomjuice, it eliminates all trace of them. Furthermore, it tries to open TCP port 3127, and if it manages to do so, it listens in until a computer infected by Mydoom.A or Mydoom.B tries to gain access through this port. When this happens, DoomHunter.A sends a copy of itself to the IP address of the computer it has detected, runs this file and tries to disinfect Mydoom.A and Mydoom.B.

– Mitglieder.A also enters systems through the backdoor created by the Mydoom worms, copying itself in the system under the name system.exe. It is designed to end the processes of certain applications and it creates an entry in the Windows registry to ensure it stays on the computer.

– Deadhat.A and Deadhat.B spread through the P2P (peer to peer) file sharing program SoulSeek and via the Internet. These worms cause boot problems, as they delete files that are essential for the correct functioning of the computer, and end processes belonging to certain antivirus and firewall programs. It also stops the processes belonging to Mydoom.A and Mydoom.B.

Both Deadhat.A and Deadhat.B open TCP port 2766 and connect to an IRC server where they wait for command controls to perform on the affected computer. Similarly, they allow files to be downloaded to the computer through a remote connection. These worms differ in their size and the file they generate on affected computers.

– Nachi.B only affects computers running Windows XP/2000/NT and spreads to as many computers as possible by exploiting known vulnerabilities like RPC DCOM buffer overflow, IIS WebDav and Workstation Service Overflow. It spreads by attacking computers and exploiting the security flaws mentioned above to download a copy of itself to the computer. When the system date is June 1, 2004 or later, this worm deletes itself.

Nachi.B uninstalls Mydoom.A and Mydoom.B by ending their processes and deleting the corresponding files.

– Doomjuice.A and Doomjuice.B spread via the Internet using the backdoor opened by Mydoom.A and Mydoom.B in the computers they infect. These worms launch DDoS (Distributed Denial of Service) attacks against the website www.microsoft.com.

Variant B of Doomjuice differs from variant A in its size and compression format. Similarly, whereas Doomjuice.A drops a file containing the code of Mydoom.A on affected computers, variant B doesn’t.

– Yenik.A spreads via e-mail in a message with variable characteristics and through peer-to-peer (P2P) file sharing programs. It automatically spreads via e-mail by sending itself out to all the contacts in Windows Address Book using its own SMTP engine.

– Dumaru.AA spreads via e-mail in a message that includes a compressed attachment called DOCUMENT.ZIP. When the compressed file is run, the computer will be infected by Dumaru.AA.

The Trojan in today’s report is StartPage.AV, which changes the home page of the browser Internet Explorer and its default search options. When it is run, StartPage.AV goes memory resident and opens an Internet Explorer window that informs about alleged security dangers and prompts the user to download a utility. Then, StartPage.AV connects to a website and receives a list of links, which it adds to the Favorites folder.

Demo-GFI.A is a hacking tool that creates a text file that logs the following data, among other information, from the computers it infects: directories and files on the C: drive; domain name, network printers available, etc. When Demo-GFI.A is run, it opens Notepad and displays the contents of the log file.

We are going to finish this week’s report with BuddyLinks, an adware program that reaches computers when the user accesses the web pages www.wgutv.com or download.buddylinks.net, and agrees to install an ActiveX control. When it reaches a computer, it sends a link to the web pages mentioned above to all the contacts of AOL Instant Messenger and displays a flash game in which Saddam Hussein and Osama Bin Laden appear.




Share this