Weekly Report on Viruses and Intrusions – Netsky and MyDoom Variants, Blaster.H and Spam/Trojan Combo

This week’s report on viruses and intrusions focuses on four variants of Netsky (W, X, Y and Z), two variants of Mydoom (I and J), the Zafi.A worm, Blaster.H, and a spam message designed to download a Trojan to the computer.

The four new variants of Netsky are very similar to one another. They are all designed to spread in files attached to e-mail messages with variable characteristics.

The actions carried out by Netsky.W include deleting entries from the Windows Registry that are generated when some variants of the Mydoom, Mimail and Bagle worms attack computers. The X, Y and Z variants try to launch denial of service attacks against certain web pages.

The I variant of the Mydoom worm spreads via e-mail in a message with variable characteristics. This worm also launches Distributed Denial of Service (DDoS) attacks against a web page.

As well as e-mail, Mydoom.J also spreads through the peer-to-peer file sharing program KaZaA. A notable characteristic of this worm is that it uses a dynamic link library (DLL) that was also used by the Bugbear.B worm and is detected by Panda Antivirus as Trj/PSW.Bugbear.B.

It is easy to tell whether a computer has been infected by either of these Mydoom variants: when they are run, they open Windows Notepad and display junk data.

Zafi.A is a worm that spreads via e-mail in a message written in Hungarian, which always has the subject ‘kepeslap erkezett!’. This worm ends the processes belonging to antivirus and firewall programs, among others, leaving the computer vulnerable to attack from other types of malware.

Zafi.A stops spreading on May 1, 2004 and from this date on, it displays a window on screen with a political message.

Like its predecessors, Blaster.H exploits a Windows vulnerability known as ‘Buffer Overrun In RPC Interface’ discovered last July. This worm can get into computers that have not been correctly patched directly through the Internet.

When Blaster.H reaches a computer, it creates a backdoor in one of the communications ports, which it uses to carry out a large number of actions.

Finally, a spam message has been detected this week that tries to get recipients to visit an advertising page and also downloads a Trojan to users’ computers.

The characteristics of the message are:

Sender: the name of the sender is variable, although it tries to make recipients think it has been sent by the BBC or CNN.

Subject: “Osama Bin Laden Captured”.

Message text: “Hey, Just got this from CNN, Osama Bin Laden has been captured! Goto the link below to view the pics and to download the video if you so wish: (Internet address) “Murderous coward he is”. God bless America!”.

The address indicated in the message takes users to what appears to be an advertising page. However, the page actually contains code that exploits a vulnerability (detected by Panda Antivirus as Exploit/MIE.CHM). This code downloads and runs a file (detected as VBS/Psyme.C). Finally, a file called EXPLOIT.EXE, which contains the Trojan Trj/Small.B, is downloaded from the Internet to users’ computers.

For further information about these and other computer threats, visit Panda Software’s Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia.
