SYMANTEC.

 
AntiVirus Research Center

"The Sun Never Sets on SARC"

   
 

SARC Home Page

August 2000 Newsletter

 
   



Top Threats

VBS.Stages.A
Wscript.KakWorm
Happy99.Worm
VBS.LoveLetter
VBS.Network
PrettyPark.Worm



The following is a list of the top reported viruses, Trojans and worms to SARC's regional offices during the last month.


Asia Pacific

Wscript.KakWorm
VBS.Stages.A
Happy99.Worm


Europe

Wscript.KakWorm
VBS.Stages.A
Trojan Horse


Japan

VBS.Network
Wscript.KakWorm
VBS.Stages.A


USA

Wscript.KakWorm
VBS.Stages.A
VBS.Network



New Virus Hoaxes reported to Symantec

Flower for You

   
We've got an interesting piece on a
mobile phone problem in Japan this month which may be an indication of things to come on mobile devices. There's a new variant of Kakworm and a Trojan called Qaz that's been seen mainly in China.

Apart from that it's been a fairly quiet month with most of the activity in the PC security arena being software bugs and vulnerabilities. You may want to sign up for the Symantec Enterprise Security Newsletter to keep on top of these threats at this url:

http://enterprisesecurity.symantec.com/

David Banes,
Editor,
sarc@symantec.com
   
     

 Stop Press - W32.Sysid.Worm Catagory 3 Risk

 
       
Viruses in the News

Minimal [1]

PC

   
        W95.Smash is a memory-resident polymorphic 32-bit Windows virus that infects files on Windows 9x systems. The virus infects PE files, which will have EXE or DLL extensions. The virus is not able to spread under Windows NT.

The payload will trigger on July 14th and display a message indicating that the Smash virus has infected the computer. The virus may also format the hard drive after the next reboot.

As of July 13, 2000 the Symantec AntiVirus Research Center has not received any reports or submissions of this virus.

http://www.sarc.com/avcenter/venc/data/w95.smash.html
   
             
       
Worms in the News

Severe [4]

PC

 
        There is a new variant of WScript.Kakworm circulating, variant .B, Doug Knowles from SARC USA has given us this quick reference detailing the main differences between the original Kakworm and this variant. Both utilize a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment.

WScript.Kakworm.B

 

WScript.Kakworm

Drops a file called day.hta   Drops a file called kak.hta
adds registry key: HKLM/Software/Microsoft/Windows/
CurrentVersion/Run/cDays
  adds registry key: HKLM/Software/Microsoft/Windows/
CurrentVersion/Run/cAgOu
Triggers message any time on the eleventh day of the month after 4pm   Triggers message any time on the first day of the month after 5pm
Message text is "Days It was a day to be a days!"   Message text is "Kagou-Anti-Kro$oft says not today!"
   
                 
       
 Trojans in the News

Moderate [3]

PC

   
       

W32.HLLW.Qaz.A was first discovered in China in July of 2000. As of Aug 9, 2000, SARC has received over 70 submissions and believes this threat to be in the wild. Qaz.Trojan is a backdoor Trojan that will allow a remote hacker to connect and control the machine. It is network aware and is able to spread over a local area network in a worm like fashion.

When launched it will search for a copy of notepad.exe and rename it to note.com. It will then copy itself to the computer as notepad.exe. Each time notepad.exe is executed, it will run the Trojan and notepad to avoid being noticed. It will also modify the following system registry key to execute itself every time the system is booted.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run as value StartIE=notepad.exe

Qaz.Trojan will enumerate through the network neighbourhood and find a computer to infect. When it finds a machine, it will infect it by searching for notepad.exe and making the same modifications (rename notepad.exe to note.com). It does not require any mapped drives to infect other machines. Once the machine is infected, it will utilize WinSock and await a connection. This will allow a hacker to connect to the infected computer and gain access to the computer.

To remove this Trojan follow these steps.

  1. To remove this Trojan, scan with Norton AntiVirus and delete all files detected as Qaz.Trojan.
  2. Search for a file called note.com and rename it to notepad.exe.
  3. Remove the following registry key:HKLM\Software\Microsoft\Windows\CurrentVersion\Run as value StartIE=notepad.exe
  4. Scan all other machines on the network to find all other infections and repeat the above steps if infections are found.

http://www.sarc.com/avcenter/venc/data/qaz.trojan.html

by: Motoaki Yamamura and Peter Ferrie
SARC USA and SARC Asia Pacific

   
                   
         
iMode phone problem in Japan
   
         

Prank calls to the emergency number using NTT DoCoMo's i-mode mobile phone services increased rapidly in Japan recently. This phone has a "Phone to" capability like the "Mail to" in normal web pages and more than 5 million subscribe to the i-mode service.

This feature enables i-mode mobile phones to automatically dial a number when a user clicks on a linked telephone number contained in an html email or web site. For example;

<a href="tel:(01)0996-4444"> (03)0996-4444 </a>

NTT is not going to disable this functionality because many businesses use this feature in Japan on their web sites or in email. NTT have said that they have plans to expand this feature of the i-mode JAVA enabled phone which may create further security concerns.

Yuji Hoshizawa
SARC, Japan

   
               
         

SARC Reference page, for definitions of viruses, trojans and other terminology.

   
          Contacts    
          Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Send virus samples to:
avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html
   
          To Subscribe and Unsubscribe    
          To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
   
       

 

     
          All information contained in this newsletter is accurate and valid as of the date of issue.  

Copyright © 1996-2000 Symantec Corporation. All rights reserved.