Symantec AntiVirus Research Center
ISSN 1444-9994
April 2001 Newsletter

These are the most reported Viruses, Trojans and Worms to SARC's offices during the last month.

Top Global Threats
W95.Hybris
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
VBS.SST@mm
VBS.LoveLetter
W32.Navidad
Happy99.Worm
W32.Magistr.24876@mm
VBS.Vbswg.gen

Asia Pacific
W95.MTX
W95.Hybris
Wscript.KakWorm
W32.HLLW.Bymer
W32.FunLove.4099
W32.Navidad
W32.HLLW.Qaz
W32.Magistr.24876@mm
VBS.LoveLetter
VBS.Network

Europe
W95.Hybris
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
VBS.LoveLetter
VBS.Tam.A
W32.Navidad
W97.Satt.A
Happy99.Worm
W32.Magistr.24876@mm

Japan
W95.Hybris
W95.MTX
W32.HLLW.Bymer
W32.HLLW.Qaz.A
Happy99.Worm
W32.Magistr.24876@mm
VBS.LoveLetter
VBS.Network
Wscript.KakWorm
W32.Navidad

USA
W95.Hybris
Wscript.KakWorm
W95.MTX
W32.HLLW.Bymer
VBS.LoveLetter
VBS.SST@mm
VBS.Sorry
HLLP.Krile.4768
VBS.Stages.A
W32.Navidad

Top 20 Consolidated Global Threats (by SecurityPortal)
W32.Hybris
W32.Magistr@mm
W95.MTX
W32.Navidad
VBS.LoveLetter
W97M.Marker
VBS.KakWorm
W32.Funlove
W97M.Ethan
VBS.SST@mm
W32.HLLW.Bymer
W95.CIH
PWSteal.Trojan
W32.Prolin
W32.Naked@mm (Troj_Nakedwife)
W97M.Thus.A
W95.Spaces
W97.Class
W32.Kriz
Happy99.Worm (alias W32.Ska)

Removal Tools for...
W32.HybrisF
W32.Kriz
W32.Navidad
W32.HLLW.QAZ.A
W95.MTX
W32.FunLove.4099
Wscript.Kakworm
Wscript.Kakworm.B
Happy99.Worm
VBS.Loveletter
PrettyPark.Worm
VBS.Stages.A
W2K.Stream
AOL.Trojan.32512
W95.CIH
Worm.ExploreZip

New Virus Hoaxes reported to Symantec
Foot N Mouth Virus Warning

No New Joke Programs reported to Symantec this month

Those of you who follow the threats listed in the sidebar would have noticed that there's been a fairly big shake-up over the last month. W32.Magistr.24876@mm moved up to level 4 (Severe) because we have seen a sharp rise in the number of reported incidents of this worm and virus hybrid. FunLove has returned to the Asia Pacific top ten, and others have either dropped out of the listings or appear for the first time.
We usually get increased levels of virus and worm activity around Easter time and I expect this year to be no different; let's just hope that we don't see another Melissa or LoveLetter level incident. VBS worms are very common and still pose a major threat to many organizations and individuals alike. Symantec recently released a script blocking feature in our consumer product NAV 2001 v7.07, and I asked the lead developer Mark Kennedy to write a short article on this for us.
David Banes
Editor, sarc@symantec.com

Worms

VBS.Pleh.A@mm (Medium [3], Script)
VBS.Pleh.A@mm sends itself to email addresses in the Microsoft Outlook address
book. It overwrites files on local and remote drives, including files with the extensions .mp3, .pwd, .exe, .mp2,
.doc, .avi, .mpeg, or .htm. The contents of these files are replaced with the source code of the worm, destroying
the original contents.
Removing this worm is complicated; please visit the web page linked below for detailed instructions.
http://www.sarc.com/avcenter/venc/data/vbs.pleh.a@mm.html
by: Douglas Knowles
SARC, USA

VBS.Futonik.A@mm (Low [2], Script)
VBS.Futonik.A@mm sends itself to email addresses in the Microsoft Outlook address book. It overwrites files on
local and remote drives, including files with the extensions .vbs, .vbe, .js, .txt, .bmp, .htm, .html, .gif, .jpg,
and .htt. The contents of most of these files are replaced with the source code of the worm, destroying the original
contents.
NOTE: Due to a bug in the virus code, in some cases files with the extensions .hta, .htt, .htm, .html, or .asp
will be infected by the worm, instead of being overwritten. If this happens, the viral code will execute prior
to executing the original file.
VBS.Futonik.A@mm also infects the Microsoft Word global template, Normal.dot.
http://www.sarc.com/avcenter/venc/data/vbs.futonik.a@mm.html
by: Douglas Knowles
SARC, USA
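Both write-ups above describe the same damage pattern: the body of a file with one of the listed extensions is replaced by the worm's VBScript source. The following triage check is an added example, not SARC's or Symantec's code, and it uses that pattern to pick out candidate overwritten files during clean-up: a target-extension file whose content reads as script text, or an .exe that no longer starts with the MZ header. The sample files, the stand-in "source" text and the marker regular expression are constructed for this demonstration; files are passed as an in-memory name-to-bytes mapping so the example runs offline.

```python
"""Triage check for files overwritten by VBS.Pleh.A@mm or VBS.Futonik.A@mm.
Added example, not SARC's or Symantec's code. Both worms replace a target
file's body with their own VBScript source, so a target-extension file whose
content reads as script text (or an .exe with no MZ header) is a candidate
for restoration from backup. Sample files and the stand-in 'source' text are
constructed; the markers are generic VBScript constructs, not a signature."""

import re

# Union of the target extensions listed in the two write-ups.
TARGET_EXTENSIONS = {
    ".mp3", ".pwd", ".exe", ".mp2", ".doc", ".avi", ".mpeg", ".htm",          # Pleh
    ".vbs", ".vbe", ".js", ".txt", ".bmp", ".html", ".gif", ".jpg", ".htt",  # Futonik
}
# Files that legitimately hold script; script text there proves nothing.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".htm", ".html", ".htt"}

SCRIPT_MARKERS = re.compile(
    rb"(?i)\b(on error resume next|createobject\s*\(|wscript\.|set\s+\w+\s*=|dim\s+\w+)"
)


def looks_like_vbscript(data, probe=4096):
    """True if the first bytes are printable text containing typical VBScript constructs."""
    head = data[:probe]
    if not head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) > 0.95 and SCRIPT_MARKERS.search(head) is not None


def classify(name, data):
    """Return a reason if the file looks overwritten, else None."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    if ext not in TARGET_EXTENSIONS:
        return None
    if ext == ".exe" and not data.startswith(b"MZ"):
        return "exe without MZ header"
    if ext not in SCRIPT_EXTENSIONS and looks_like_vbscript(data):
        return "script text under non-script extension"
    return None


def triage(files):
    """files: {name: bytes}. Return sorted (name, reason) pairs for suspicious files."""
    flagged = []
    for name, data in files.items():
        reason = classify(name, data)
        if reason:
            flagged.append((name, reason))
    return sorted(flagged)


# Constructed sample set. STAND_IN_SOURCE is harmless filler standing in for
# the worm source that the real infections leave behind.
STAND_IN_SOURCE = b"On Error Resume Next\r\nDim target\r\nSet target = Nothing\r\n"
SAMPLE_FILES = {
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 100,   # intact MP3 header
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 100,    # intact PE stub
    "login.vbs": STAND_IN_SOURCE,                 # a script where one belongs
    "report.doc": STAND_IN_SOURCE,                # document body replaced
    "setup.exe": STAND_IN_SOURCE,                 # executable body replaced
}

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_FILES):
        print(f"{name}: {reason}")
```

The check deliberately stays silent on .htm, .html and .htt files, since script text belongs there and the Futonik note above says those files may be infected rather than overwritten; a .txt file that happens to contain VBScript phrases will be flagged, so the output is a review list, not a verdict.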

Viruses

BW.770.B
BW.770.B is a virus that infects DOS .exe and .com files. It is 770 bytes in size, and it appears to have been created with the "Biological Warfare" virus creation kit. The virus appears to have been modified manually after being created with the kit. BW.770.B can be inserted on your system by the "futs" hackers tool.
NOTE: This virus was previously detected as Bloodhound.Filestring. All viruses that can be created with the Biological
Warfare virus creation kit will be detected by Norton AntiVirus.
http://www.sarc.com/avcenter/venc/data/bw.770.b.html
by: Neal Hindocha
SARC, EMEA

Trojans

JS.StartPage (Minimal [1], Script)
JS.StartPage is a Trojan horse program, which alters the default home page
of Microsoft Internet Explorer. It sometimes arrives as a file with the .hta extension. This file is an HTML application,
and it runs only if the Windows Scripting Host is installed.
When JS.StartPage is executed, it makes changes to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
To remove this Trojan:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as JS.StartPage.
4. Start Internet Explorer, and reset the home page to one of your preference.
http://www.sarc.com/avcenter/venc/data/js.startpage.html
by: Serghei Sevcenco
SARC, APAC

Symantec Enterprise Security

Visit the Symantec Enterprise Security web site: http://enterprisesecurity.symantec.com/
Recent headlines include:
Cyber Terror Threatens UK's Biggest Companies; The Guardian (London)
http://enterprisesecurity.symantec.com/content.cfm?articleid=676
U.S. Legislature Eyes Cybersecurity - Effort Aims to Boost Public Trust in Internet; Computerworld
http://enterprisesecurity.symantec.com/content.cfm?articleid=677
Denial-of-Service attacks are becoming more common, and your Web site could be a target. Find out what you can do to stay protected in our latest feature article, "Ten Steps to Protect Your Enterprise from DoS Attacks."
http://enterprisesecurity.symantec.com/article.cfm?articleid=659
Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

W32.Magistr.24876@mm (Severe [4], Win32)

W32.Magistr.24876@mm is a polymorphically encrypted, entry point-obscuring,
anti-heuristic, anti-debugging, memory resident, parasitic infector of Portable Executable .EXE and .SCR files,
with replication across the local area network, mass-mailing capabilities using its own SMTP engine, some highly
destructive payloads, an interesting visual effect... and a number of bugs.
As an anti-heuristic device, files infected with W32/Magistr do not have their entry point altered. Instead, the
virus will save the first 512 bytes of code, and replace them with polymorphic garbage which includes subroutines,
jumps, and some Structured Exception Handling tricks to interfere with debuggers and code emulators.
The virus will search for .DOC and .TXT files and take words from one of these files for the mail subject and body.
It will address the mail to up to 100 recipients whose names are taken from the Windows Address Books (*.WAB),
Outlook Message stores (*.DBX, *.MBX), and the Netscape Messenger mail files, and attach an infected .EXE or .SCR.
The virus will occasionally copy an infected file into the Windows directory and add a "run=" line to
WIN.INI or alter the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key in the registry to point
to the infected file.
The virus will search local hard drives and shared network directories and infect .EXE and .SCR files. If the Windows
directory is located, then a "run=" line will be added to WIN.INI. It is similar to the replication mechanism
of the W32/Cholera worm or the W32/Funlove virus.
After one month, the first payload might activate. This payload appears to have been adapted from W32/Kriz or W95/CIH.
Under Windows 9x and Windows Me, it will erase the contents of the CMOS memory and flash BIOS, and overwrite a
single sector on the first hard disk. Under all platforms, it will delete one in every twenty-five files on every
local hard drive and shared network directory, and overwrite every other file with some text.
After two months, the second payload will activate which will reposition the desktop icons whenever the mouse pointer
approaches, giving the impression that the icons are "running away" from the mouse.
[Editor's Note: The complete article includes a detailed technical description of this virus and will be published in the May edition of Virus Bulletin and on the SARC web site at http://www.sarc.com/; a short description and removal instructions are also on the site at http://www.sarc.com/avcenter/venc/data/w32.magistr.24876@mm.html.]
by Peter Ferrie
SARC, APAC
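Two persistence mechanisms recur in this issue: the "run=" line that W32.Magistr adds to WIN.INI (and the HKEY_LOCAL_MACHINE ...\Run key it may alter instead), and the Internet Explorer Start Page value that JS.StartPage rewrites. The audit below is an added example, not Symantec's code, that reads a WIN.INI text and a Registry Editor (.reg) export text rather than the live machine and reports the entries a responder would want to look at. Both inputs are constructed placeholders, and the windows_dir and home_page parameters are this example's own.

```python
"""Persistence audit for the mechanisms named on this page: the 'run=' line
that W32.Magistr adds to WIN.INI, the HKLM Run key it may alter, and the
HKCU Internet Explorer Start Page value that JS.StartPage changes.
Added example, not Symantec's code. It reads WIN.INI text and a Registry
Editor (.reg) export text rather than the live system, so it runs offline;
both inputs below are constructed, and windows_dir / home_page are
parameters this example introduces."""

import configparser
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"


def win_ini_startup_entries(text):
    """Return (key, program) pairs from the [windows] run= and load= lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    entries = []
    for key in ("run", "load"):
        value = cp.get("windows", key, fallback="").strip()
        # WIN.INI lists several programs separated by spaces or commas.
        entries.extend((key, p) for p in re.split(r"[ ,]+", value) if p)
    return entries


def parse_reg_export(text):
    """Minimal parser for 'Windows Registry Editor' export text -> {key: {name: value}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            # .reg exports escape backslashes in string values as '\\'.
            reg[current][name.strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return reg


def audit(win_ini_text, reg_text, windows_dir=r"C:\WINDOWS", home_page="about:blank"):
    """Return (finding, detail) pairs worth a closer look."""
    findings = []
    for key, program in win_ini_startup_entries(win_ini_text):
        # Magistr copies an infected file into the Windows directory and points run= at it.
        if program.lower().startswith(windows_dir.lower() + "\\"):
            findings.append((f"win.ini {key}=", program))
    reg = parse_reg_export(reg_text)
    # Every Run entry is listed for review; this key is also where Magistr may register itself.
    for name, target in reg.get(RUN_KEY, {}).items():
        findings.append(("HKLM Run", f"{name} -> {target}"))
    # JS.StartPage changes this value; anything other than the expected home page is reported.
    start = reg.get(IE_MAIN_KEY, {}).get("Start Page")
    if start is not None and start.lower() != home_page.lower():
        findings.append(("IE Start Page", start))
    return findings


# Constructed inputs: a WIN.INI with a run= line and a .reg export with one
# Run entry and a changed Start Page. Paths and URL are placeholders.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\EXAMPLE.EXE
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\WINDOWS\\EXAMPLE.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/start"
"""

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_WIN_INI, SAMPLE_REG):
        print(f"{finding:14} {detail}")
```

On a real machine the inputs would be the WIN.INI file and the output of a Registry Editor export of the two keys; the parser only handles the plain string values shown, which is all these two mechanisms use.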

Proactive Detection of Script based viruses and worms

Virus writers increasingly use scripting technologies such as JavaScript and VBScript to infect computer systems. Script Blocking technology in Norton AntiVirus 2001 v7.07 monitors scripts and alerts users to virus-like malicious behavior, stopping these viruses before they can infect a system. Some of the most famous and prevalent viruses are script based, for example VBS.LoveLetterA, VBS.SST@mm, and VBS.BubbleBoy.
Script Blocking is a proactive technology that detects script based viruses and worms without the need for signatures.
Customers will now have protection against certain types of viruses even before virus definitions have been made
available. This technology runs in the background and works in real-time. It is able to detect and stop malicious
behavior by monitoring objects used by the Windows Scripting Host. It also prevents Outlook from being remotely
controlled. This closes the vulnerability Microsoft's Visual Basic Script (VBS) and Java Script (JScript) have
opened.
By default none of these objects may be used via a script. This prevents worms like LoveLetter from mass mailing
themselves. The specific Outlook behavior that is forbidden is the enumeration of the address book coupled with
sending mail. A script or application may do either, but not both. NAV 2001 v7 can be configured to exclude such
non-malicious activity by adding these scripts to an exclusion list or using a machine specific authorization code.
by Mark Kennedy
SARC, USA.
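The rule the article states, that a script may enumerate the address book or send mail but not both, is a behaviour-correlation rule rather than a signature. The sketch below is an added example and not Symantec's Script Blocking code: it records the Outlook automation calls each script makes, permits either behaviour on its own, and blocks the call that completes the forbidden pair, unless the script is on an exclusion list (the machine-specific authorization code mentioned above is not modelled). The grouping of calls into the two behaviours, the event-log format and the script names are constructed for the demonstration; the object and method names are Outlook's.

```python
"""Behaviour-correlation rule in the spirit of NAV 2001 Script Blocking.
Added example, not Symantec's code: a monitor records the Outlook automation
calls a script makes via the Windows Scripting Host. Enumerating the address
book alone or sending mail alone is permitted; a script that does both is
blocked, unless it is on an exclusion list. The event-log format, script
names and the grouping of calls into behaviours are constructed for this demo."""

from dataclasses import dataclass

# Outlook automation calls grouped into the two behaviours the rule correlates.
ADDRESS_BOOK_CALLS = {
    ("NameSpace", "AddressLists"),
    ("AddressList", "AddressEntries"),
    ("AddressEntry", "Address"),
}
SEND_MAIL_CALLS = {
    ("MailItem", "Send"),
}


@dataclass
class ScriptState:
    enumerated_address_book: bool = False
    sent_mail: bool = False
    blocked: bool = False


class ScriptBlocker:
    def __init__(self, exclusions=()):
        self.exclusions = {e.lower() for e in exclusions}
        self.states = {}

    def observe(self, script, obj, method):
        """Record one automation call; return True if this call must be blocked."""
        if script.lower() in self.exclusions:
            return False
        state = self.states.setdefault(script, ScriptState())
        call = (obj, method)
        if call in ADDRESS_BOOK_CALLS:
            state.enumerated_address_book = True
        elif call in SEND_MAIL_CALLS:
            state.sent_mail = True
        else:
            return False  # unrelated call: neither behaviour
        # The forbidden combination: both behaviours observed from one script,
        # in either order.
        if state.enumerated_address_book and state.sent_mail:
            state.blocked = True
            return True
        return False


def replay(event_log, exclusions=()):
    """Feed a constructed log ('script object method' per line); return the blocked scripts."""
    blocker = ScriptBlocker(exclusions)
    blocked = []
    for line in event_log.strip().splitlines():
        script, obj, method = line.split()
        if blocker.observe(script, obj, method) and script not in blocked:
            blocked.append(script)
    return blocked


# Constructed event log: a mailer that only sends, a lister that only reads
# the address book, and a worm-like script that does both.
SAMPLE_EVENTS = """
mailer.vbs NameSpace Logon
mailer.vbs MailItem Send
lister.vbs NameSpace AddressLists
lister.vbs AddressList AddressEntries
worm.vbs NameSpace AddressLists
worm.vbs AddressList AddressEntries
worm.vbs AddressEntry Address
worm.vbs MailItem Send
"""

if __name__ == "__main__":
    print("blocked:", replay(SAMPLE_EVENTS))                      # ['worm.vbs']
    print("with exclusion:", replay(SAMPLE_EVENTS, ["worm.vbs"]))  # []
```

The state is kept per script, so a mail-merge script that only sends and a directory tool that only reads the address book both run untouched, while the combination is stopped at the first call that completes it regardless of the order in which the two behaviours appear.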
SARC Glossary for definitions of viruses, Trojans and worms and more.

Contacts and Subscriptions

Correspondence by email to: sarc@symantec.com; no unsubscribe or support emails please.
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

This is a Symantec Corporation publication; use of it requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.