Panda Software weekly virus report

Prisoner_Number_Six Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Dec-29-03 12:51 PM
Original message
Panda Software weekly virus report
Posted in GD as a public service. The poster is not an employee of, or in any way associated with, Panda Software.
---

Weekly virus report
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 28, 2003 - This, the last report of the year, will look at the C variant of the Sober worm, and two other examples of malware: Firedaemon.A and Memwatcher.B.

Sober.C sends itself via e-mail to all the addresses that it finds in files with the following extensions: WAB, CFG, NSF, LDIF, NAP, ADP, ADE, VAP, MHT, HTT, RTF, DOC, XLS, INI, MDB, TXT, HTM, HTML, PST, FDB, LDB, EML, ABC, NAB, MDW, MDA, MDE, SLN, DSW, DSP, PHP, ASP, SHTML, SHTM, DBX, HLP or NFO. If the domain extension of the address is "de", "ch", "at", "li", "nl" or "be", the worm sends the message in German; if not, it sends it in English. To send itself out it uses its own SMTP engine, validating itself to mail servers as MailerVB.de.

Sober.C creates two copies of itself that go memory resident and check if both are currently running. If one of the processes is ended or one of the files is deleted, the other creates it again. Also, in the Windows system directory of the infected computer, it creates the following files: REGEAPI.EXE, CRYPTFQ.EXE and SYSHOSTX.EXE.

To ensure that it runs every time the system is started, Sober.C creates several entries in the Windows registry. Once this worm has activated it is easy to recognize, as it displays a false error message.

Firedaemon.A is a hacking tool which allows Win32 applications to be run as services in Windows 2003/XP/2000/NT computers. It allows a complete setup of the service: name, default directory, priority, autostart, different run modes, etc. Firedaemon.A itself does not represent a threat, but it could be used by other malware to register itself as a Windows service.

Memwatcher.B, on the other hand, is an adware program which opens ad banners in Internet Explorer. It also generates traffic to the following addresses: rads01.quadrogram.com and www.sandboxer.com.

In the Windows system directory, Memwatcher.B creates several files, with random names of between 4 and 8 characters. Some of the files are 433KB, and will run when Windows is started up, while others are 221KB and go memory resident.

More information about these and other malicious code in Panda Software's Virus Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Adware: originally a type of user license for programs that can be installed for free in exchange for viewing advertising banners while using them. However, these programs can occasionally be used to collect information about the user's Internet activity.

- Hacking tool: program that can be used by a hacker to carry out actions that cause problems for the user of the affected computer (allowing the hacker to control the affected computer, steal confidential information, scan communication ports, etc.).

More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
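The report gives two file-level indicators a defender can triage against a directory inventory: the exact names Sober.C drops in the Windows system directory, and Memwatcher.B's random 4-8 character file names of 433 KB or 221 KB. The following is an added example written for this thread, not code from Panda Software or from the report; it assumes an executable extension on the Memwatcher.B names and a system directory of C:\WINDOWS\SYSTEM32, and treats the size/name heuristic as a review candidate rather than a verdict, since legitimate system files share that shape.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators as quoted in the Panda report.
SOBER_C_DROPPED = {"REGEAPI.EXE", "CRYPTFQ.EXE", "SYSHOSTX.EXE"}
# Memwatcher.B: random 4-8 character names; 433 KB files autostart, 221 KB files go resident.
MEMWATCHER_SIZE_KB = {433: "memwatcher.b autostart candidate",
                      221: "memwatcher.b resident candidate"}
# Assumption (not stated in the report): the random names carry an executable extension.
RANDOM_EXE_NAME = re.compile(r"^[a-z0-9]{4,8}\.(exe|dll)$", re.IGNORECASE)

@dataclass(frozen=True)
class FileRecord:
    directory: str   # folder the file lives in
    name: str        # file name with extension
    size: int        # size in bytes

def classify(rec: FileRecord, system_dir: str = r"C:\WINDOWS\SYSTEM32") -> Optional[str]:
    """Return an indicator label for one file record, or None if nothing matches."""
    # An exact Sober.C drop name is a strong match wherever it appears.
    if rec.name.upper() in SOBER_C_DROPPED:
        return "sober.c dropped file"
    # The Memwatcher.B heuristic is weak on its own, so apply it only inside the
    # system directory the report names, and only as a candidate for review.
    if rec.directory.lower() == system_dir.lower() and RANDOM_EXE_NAME.match(rec.name):
        return MEMWATCHER_SIZE_KB.get(round(rec.size / 1024))
    return None

def triage(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Group matching file paths by indicator label; files with no match are omitted."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        label = classify(rec)
        if label:
            hits.setdefault(label, []).append(f"{rec.directory}\\{rec.name}")
    return hits

# Constructed sample inventory (not real data): dropped-file names, size/name
# matches, and a legitimate 8-character system file that must not be flagged.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\WINDOWS\SYSTEM32", "cryptfq.exe", 61_440),
    FileRecord(r"C:\WINDOWS\SYSTEM32", "hq8zk.exe", 433 * 1024),
    FileRecord(r"C:\WINDOWS\SYSTEM32", "xq7kzp2w.exe", 221 * 1024),
    FileRecord(r"C:\WINDOWS\SYSTEM32", "kernel32.dll", 983_040),
    FileRecord(r"C:\Temp", "SYSHOSTX.EXE", 61_440),
]

if __name__ == "__main__":
    for label, paths in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(paths)}")
```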
