Panda Software: Weekly virus report

Prisoner_Number_Six (Donating Member, 1000+ posts), Fri Nov-14-03 10:00 PM
Original message
Panda Software: Weekly virus report
Posted in GD as a public service.

The poster is not an employee of, or in any way associated with Panda Software.
---

Weekly virus report

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, November 14, 2003 - Today's report on malicious code will focus on two worms, Mimail.I and Sinala.A, and two Trojans, Sdbot.BL and Webber.C.

The I variant of Mimail spreads via e-mail in a message with the subject: "YOUR PAYPAL.COM ACCOUNT EXPIRES", and an attached file called paypal.asp.scr or w w w.paypal.com.scr. After infecting a computer, this worm looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in the file el388.tmp. Mimail.I then sends itself out to all the addresses it has found, using its own SMTP engine.

Sinala.A spreads by exploiting the MHTML vulnerability in Outlook Express, which allows a hacker to send and run programs on the affected computer. It also spreads through P2P programs, in files with an EXE or SCR extension that have the same icon as AVI video files. This worm reaches computers in a message from demionklaz@hotmail.com, or from an address that it takes from the Outlook address book or MSN Messenger contact list on the affected computer. The file attached to this message, which infects the computer when it is run, is called ALANIS.EXE.

A clear indication that Sinala.A has infected a computer is a fake Windows error message displayed on screen. This malicious code also regularly checks if there is a floppy disk in the floppy disk drive and if there is, it copies files to it.

The first Trojan in today's report is Sdbot.BL, which mainly spreads via e-mail and IRC channels, in a message with an attached file. When this file is run, the Trojan goes memory resident and connects to a specific IRC channel. By doing this, it allows a hacker to carry out different actions on the affected computer, such as scanning and redirecting ports, downloading and running files, changing the security parameters in the Windows Registry, and launching Denial of Service (DoS) attacks.

Sdbot.BL is difficult to identify, as it does not display any messages or warnings that indicate that it has reached a computer. However, if net shares are disabled or if certain programs that are running on the computer stop for no apparent reason, Sdbot.BL might have reached the computer.

The last malicious code in this week's report is Webber.C which, when it is installed on a computer, downloads a file from the Internet. This file steals the passwords for accessing different services that are stored on the affected computer.

Webber.C has been spammed in an e-mail message that seems to have been sent from a financial entity. The subject of this message is always: "RE: Your credit application" and it includes an attachment called W W W.CITIBANKHOMELOAN.HTM.PIF. This file has a double extension, and is designed like a web page in order to trick the user into opening it, allowing Webber.C to infect the computer.

For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- DoS / Denial of Service: This is a type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers, etc.).

- Extension: Files have a name and an extension, separated by a dot: NAME.EXTENSION. A file can have any NAME, but the EXTENSION (if it exists) has a maximum of three characters. This extension indicates the type of file (text, Word document, image, sound, database, program, etc.).

More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

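The report above gives the kind of indicators a mail-gateway or helpdesk triage script can check for: lure subject lines, a quoted sender address, executable attachment extensions (EXE, SCR, PIF) and the double-extension trick used by Webber.C. The following example is added to this thread and is not code from Panda Software or from the original poster; the subject lines, sender and attachment names are the ones quoted in the report (the spaces Panda inserted into "w w w." to stop the text rendering as a link are removed), while the `Message` shape, the extension lists and the function names are assumptions made for this example.

```python
"""Attachment and lure triage built from the indicators in the Panda report.

Added example, not Panda Software's or the poster's code. The message layout and
the helper names are assumptions for this example; the sample messages at the
bottom are constructed from the names quoted in the report.
"""
from dataclasses import dataclass, field

# Extensions Windows will execute directly; SCR, PIF and EXE appear in the report.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking types a lure places in front of the real executable extension
# (e.g. the ".htm" in WWW.CITIBANKHOMELOAN.HTM.PIF or the ".asp" in paypal.asp.scr).
DECOY_EXTENSIONS = {"htm", "html", "asp", "pdf", "doc", "txt", "jpg", "gif", "avi", "mp3"}
# Labels that make a filename read like a web address (www.paypal.com.scr).
DOMAIN_LABELS = {"com", "net", "org"}

# Subject lines quoted in the report for Mimail.I and Webber.C (compared upper-cased).
KNOWN_LURE_SUBJECTS = {
    "YOUR PAYPAL.COM ACCOUNT EXPIRES",
    "RE: YOUR CREDIT APPLICATION",
}
# Sender address quoted in the report for Sinala.A.
KNOWN_LURE_SENDERS = {"demionklaz@hotmail.com"}


@dataclass
class Message:
    """Minimal mail metadata; an assumed shape, not any real mail library's API."""
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)


def attachment_findings(filename: str) -> list[str]:
    """Return the reasons an attachment name looks like a disguised executable."""
    parts = filename.lower().split(".")
    base, exts = parts[0], parts[1:]
    findings: list[str] = []
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return findings  # plain document, or no extension at all
    findings.append(f"executable attachment (.{exts[-1]})")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        findings.append(f"double extension disguises executable as .{exts[-2]}")
    if base == "www" or (len(exts) >= 2 and exts[-2] in DOMAIN_LABELS):
        findings.append("filename imitates a web address")
    return findings


def triage(msg: Message) -> list[str]:
    """Collect every indicator from the report that the message matches."""
    findings: list[str] = []
    if msg.subject.strip().upper() in KNOWN_LURE_SUBJECTS:
        findings.append("subject matches a lure quoted in the report")
    if msg.sender.strip().lower() in KNOWN_LURE_SENDERS:
        findings.append("sender matches an address quoted in the report")
    for name in msg.attachments:
        findings.extend(f"{name}: {reason}" for reason in attachment_findings(name))
    return findings


# Constructed sample messages using the names quoted in the report.
SAMPLE_MESSAGES = [
    Message("billing@example.invalid", "YOUR PAYPAL.COM ACCOUNT EXPIRES", ["www.paypal.com.scr"]),
    Message("demionklaz@hotmail.com", "check this out", ["ALANIS.EXE"]),
    Message("loans@example.invalid", "RE: Your credit application", ["WWW.CITIBANKHOMELOAN.HTM.PIF"]),
    Message("colleague@example.invalid", "minutes", ["minutes.pdf"]),
]


def triage_samples() -> list[tuple[str, list[str]]]:
    """Run triage over the constructed samples; returns (subject, findings) pairs."""
    return [(m.subject, triage(m)) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, findings in triage_samples():
        verdict = "FLAG" if findings else "ok"
        print(f"[{verdict}] {subject}")
        for reason in findings:
            print(f"    - {reason}")
```

Only the last sample comes back clean; the other three are flagged on the subject or sender and again on the attachment, which is the point of keeping the checks independent: a lure whose subject line changes is still caught by its double-extension attachment.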
Egnever (Donating Member, 1000+ posts), Fri Nov-14-03 10:27 PM
Response to Original message
1. bottom of the page kick
just cause
 
newyawker99 (Donating Member, 1000+ posts), Sat Nov-15-03 06:28 AM
Response to Reply #1
2. kick
 