Symantec AntiVirus Research Center
ISSN 1444-9994
August 2001 Newsletter

 
   


These are the viruses, Trojans and worms most frequently reported to SARC's offices during the last month.

Top Global Threats

W95.Hybris
W32.Sircam.Worm@mm
W32.Magistr.24876@mm
VBS.Haptime.A@mm
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
Trojan Horse
W32.Badtrans.13312@mm
W95.SoFunny.Worm@m

Asia Pacific
W32.Sircam.Worm@mm
W95.Hybris
W32.Magistr.24876@mm
VBS.Haptime.A@mm
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
Trojan Horse
Backdoor.Trojan


Europe

W95.Hybris
W32.Sircam.Worm@mm
W32.Magistr.24876@mm
W95.MTX
VBS.Haptime.A@mm
Wscript.KakWorm
Trojan Horse
W32.HLLW.Bymer
JS.Seeker
W32.Choke.Worm


Japan

W95.Hybris
W32.Sircam.Worm@mm
W95.MTX
W32.Magistr.24876@mm
W32.HLLW.Bymer
Trojan Horse
VBS.Haptime.A@mm
Backdoor.Sadmind
JS.Seeker
W32.HLLW.Qaz.A

USA
W95.Hybris
W32.Sircam.Worm@mm
W32.Magistr.24876@mm
VBS.Haptime.A@mm
Wscript.KakWorm
W95.SoFunny.Worm@m
W95.MTX
W32.HLLW.Bymer
W32.Badtrans.13312@mm
Trojan Horse



Top 20 Consolidated Global Threats

By SecurityPortal

W32.Sircam.Worm@mm
VBS.LoveLetter Family
W32.Funlove
W32.Hybris
W32.BadTrans.A@MM
PWSteal.Trojan
VBS.Stages.A
VBS.Kakworm
W95.MTX
W95.Choke.Worm
VBS.Haptime@MM
VBS.VBSWG.X@mm (alias Homepage)
W97M.Marker Family
W97M.Thus
W97M.Ethan Family
O97M.Tristate.C
Happy99.Worm (aka W32.Ska)
W32.HLLW.Bymer
W32.Navidad




Removal Tools for malicious code are on our web site.

A list of Virus Hoaxes reported to Symantec.

A list of Joke Programs reported to Symantec.


 

It's not often we get two high-level virus alerts in the same month, let alone at the same time. Both W32.Bady.Worm@mm (Code Red) and W32.SirCam.Worm@mm have generated a lot of attention, and rightly so; there were significant threats to network traffic (Code Red) and privacy (Sircam). Symantec has been busy writing, testing and releasing updates to our anti-virus and intrusion detection products for both of these worms.

Just as Code Red activity was dying off we have posted a level 3 alert for VBS.Potok@mm, which is a simple VBS worm that exploits NT streams.

Urs Gattiker of EICAR has issued a call for papers for the next EICAR conference. Refer to the end of the newsletter for more information. Next year's conference is being held in Berlin, Germany from 8-11 June 2002. Details are available here: http://Conference.EICAR.org

David Banes.
Editor,
sarc@symantec.com
   
             
Worms
CodeRed.II Worm

Severe [4]

Win32

CodeRed II was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it propagates to other web servers with the same buffer overflow exploit, the IIS Index Server ISAPI extension vulnerability addressed by Microsoft Security Bulletin MS01-033. Symantec AntiVirus Research Center received reports of a high number of infected IIS web servers. CodeRed II is considered to be a high threat.

The original CodeRed carried a payload that launched a Denial of Service attack on the White House Web server. CodeRed II carries a different payload: it installs a backdoor that gives the attacker full remote access to the Web server.

SARC has created a tool that performs a vulnerability assessment of your computer and removes both the CodeRed Worm and CodeRed II. The CodeRed removal tool is available from the SARC Web site.

Additionally, Symantec offers Symantec Security Check, a free tool that you can use to determine whether your computer is at risk. It is available in two forms, both free: an online scan and a version you download onto your computer.

If you are running Microsoft’s IIS server, it is strongly recommended that you apply the Microsoft patch for this vulnerability (MS01-033). Removing the worm without patching leaves the server open to reinfection by either variant. The patch can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

Norton AntiVirus is able to detect an infection on the Web server by detecting the payload (Trojan component) of this worm as Trojan.VirtualRoot.
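As an added example, not part of the original newsletter and not Symantec's tool, the Python script below classifies IIS log lines for the propagation probes of both worms and for use of the CodeRed II backdoor. It relies on widely published facts that the description above does not state: both worms deliver their exploit as a GET for /default.ida padded with a long run of one character, 'N' for the original CodeRed and 'X' for CodeRed II, and the Trojan.VirtualRoot payload copies cmd.exe to root.exe under the scripts and MSADC directories and exposes the C: and D: drives as the virtual roots /c and /d. The log lines, the field order and the 20-character padding threshold are constructed assumptions for this example.

```python
"""Classify IIS log lines for Code Red / CodeRed II activity (added example)."""
import re
from collections import Counter

# Constructed IIS W3C extended log lines for this example. Assumed field
# order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2001-08-05 10:12:31 10.0.0.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 200
2001-08-05 10:12:45 10.0.0.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200
2001-08-05 10:13:02 10.0.0.9 GET /scripts/root.exe /c+dir 200
2001-08-05 10:13:10 10.0.0.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 10:14:00 10.0.0.3 GET /index.html - 200
2001-08-05 10:15:00 10.0.0.4 GET /default.ida - 404
"""

# The original CodeRed pads its /default.ida request with a run of 'N';
# CodeRed II uses a run of 'X'. The threshold of 20 is an assumption.
_IDA_PAD = re.compile(r"^(N{20,}|X{20,})")

# Trojan.VirtualRoot (the CodeRed II payload) copies cmd.exe to root.exe under
# the scripts and MSADC directories and maps C: and D: as the roots /c and /d.
_BACKDOOR = re.compile(r"^/(scripts|msadc)/root\.exe$|^/[cd]/.*cmd\.exe$", re.I)


def classify_line(line):
    """Return a label for worm activity in one log line, or None if benign."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, _ip, method, stem, query, _status = fields[:7]
    if method.upper() != "GET":
        return None
    if stem.lower().endswith("/default.ida"):
        m = _IDA_PAD.match(query)
        if m:
            return "codered_v1_probe" if m.group(1)[0] == "N" else "codered_ii_probe"
        return None  # a bare /default.ida request is not a worm probe
    if _BACKDOOR.search(stem):
        return "virtualroot_backdoor_use"
    return None


def summarize(log_text):
    """Count labelled events and collect the source IPs that used the backdoor."""
    counts = Counter()
    backdoor_ips = set()
    for line in log_text.splitlines():
        label = classify_line(line)
        if label is None:
            continue
        counts[label] += 1
        if label == "virtualroot_backdoor_use":
            backdoor_ips.add(line.split()[2])
    return counts, backdoor_ips


if __name__ == "__main__":
    counts, ips = summarize(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label}: {n}")
    print("hosts that invoked the backdoor:", ", ".join(sorted(ips)))
```

A probe entry only shows that someone scanned the server; a patched server still logs it. Any request for root.exe or for cmd.exe under the /c or /d roots, however, indicates that the backdoor is present and being used, and the host should be treated as compromised rather than merely cleaned.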

http://www.sarc.com/avcenter/venc/data/codered.v3.html
by: Peter Szor and Eric Chien
SARC, EMEA

W32.Sircam.Worm@mm

Severe [4]

Win32

W32.Sircam.Worm@mm contains its own SMTP engine and propagates in a manner similar to W32.Magistr.Worm. Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.

This worm has two payloads: 1) on October 16 the file-deletion payload is triggered; 2) if the file deletion occurred, or after 8,000 executions, the space-filler payload is triggered.

The worm appends a random document from the infected PC to itself and sends the resulting file via email, so every message it sends leaks a document from the sender's hard drive. The deletion payload, which removes all files and directories on C:, fires with a 1 in 20 chance, and only on systems where the date is October 16 and the date format is D/M/Y; it always fires if the attached file contains the string "FS2" not followed by "sc". There is also a 1 in 50 chance that the worm fills all remaining space on the C: drive by appending text to the file c:\recycled\sircam.sys.

The Subject of the email is the filename of the attachment, which is a file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to its original name. The attachment is at least 134 KB long. Sircam also searches for shared drives and copies itself to any it finds.
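The email characteristics described above are enough for a simple mail-gateway check. The Python below is an added example, not Symantec's code and not the worm's: it parses a raw message, flags attachments whose original name has had .bat, .com, .lnk or .pif appended, and corroborates the hit with the Subject line repeating the attachment name and with the attachment size. The 134,000-byte threshold and the constructed sample messages are assumptions for this example; the attachment contents are filler bytes, not worm code.

```python
"""Flag Sircam-style attachments in raw RFC 822 messages (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

SIRCAM_ADDED_EXTS = {".bat", ".com", ".lnk", ".pif"}
MIN_ATTACHMENT_BYTES = 134_000   # "at least 134 KB"; the exact cut-off is assumed


def double_extension(filename):
    """Split 'report.doc.pif' into ('report', '.doc', '.pif').

    Returns None when the file does not end in one of the worm's appended
    extensions or has no original extension underneath it.
    """
    stem, added = os.path.splitext(filename)
    if added.lower() not in SIRCAM_ADDED_EXTS:
        return None
    base, original = os.path.splitext(stem)
    if not original:
        return None
    return base, original, added


def sircam_indicators(raw):
    """Return the list of Sircam indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        parts = double_extension(name)
        if not parts:
            continue
        base, original, added = parts
        found.append(f"double extension {original}{added} on {name}")
        # Sircam uses the stolen document's name as the Subject.
        if subject in (name, base + original, base):
            found.append(f"subject repeats attachment name: {subject!r}")
        size = len(part.get_payload(decode=True) or b"")
        if size >= MIN_ATTACHMENT_BYTES:
            found.append(f"attachment size {size} >= {MIN_ATTACHMENT_BYTES}")
    return found


def is_sircam_like(raw):
    """A double extension plus at least one corroborating indicator."""
    found = sircam_indicators(raw)
    return any(f.startswith("double extension") for f in found) and len(found) >= 2


def build_sample(filename, subject, size):
    """Construct a test message; the attachment is filler, not worm code."""
    m = EmailMessage()
    m["From"] = "user@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"\0" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one mimicking the worm's message shape, one benign.
SIRCAM_LIKE = build_sample("report.doc.pif", "report", 140_000)
BENIGN = build_sample("notes.pdf", "Meeting notes", 140_000)

if __name__ == "__main__":
    for label, raw in (("sircam-like", SIRCAM_LIKE), ("benign", BENIGN)):
        print(label, is_sircam_like(raw), sircam_indicators(raw))
```

The double-extension rule is the load-bearing one; the Subject and size checks only reduce false positives on legitimately renamed files. A gateway that simply strips or quarantines .bat, .com, .lnk and .pif attachments outright would also stop this worm and costs little, since such files are rarely sent by email legitimately.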


http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html
by Peter Ferrie and Peter Szor
SARC, USA.

VBS.Potok@mm

Moderate [3]

Script

The VBS.Potok@mm worm is a simple Visual Basic script that exploits a little-known feature of Windows NT/2000, NT file streams, to spread. It sends itself to the first 50 recipients in the Microsoft Outlook Address Book. It attempts to add a new user to the infected computer and grant that user Administrator rights. The sample of this worm that the Symantec AntiVirus Research Center (SARC) received has bugs that prevent it from operating correctly.

SARC has posted a tool to repair infections; it is available from the SARC Web site.

http://www.sarc.com/avcenter/venc/data/vbs.potok@mm.html
by: Jimmy Shah and Douglas Knowles
SARC, USA
   
             
Viruses
W32.HLLO.Videoinf

Minimal [1]

Win32

W32.HLLO.Videoinf is a virus that overwrites .ht* and .exe files in the folder from which it is executed. It sends information from the computer on which it runs to an email address. On certain dates, the virus modifies the C:\Autoexec.bat file so that the hard drive is formatted when the computer is restarted.


http://www.sarc.com/avcenter/venc/data/w32.hllo.videoinf.html
by: Neal Hindocha
SARC, EMEA
   
             
Trojans

Trojan.Diagcfg

Minimal [1]

Win32

This Trojan modifies the registry so that it loads whenever Windows is started. It listens on port 6967 for commands. It sends email to its creator with information about the computer's IP address and connected hosts. If the program is run again while it is already running, it displays the message:

This program is part of the system and can not be run separately.

http://www.sarc.com/avcenter/venc/data/trojan.diagcfg.html
by: Jimmy Shah
SARC, USA

   
             
Symantec Enterprise Security
Visit the Symantec Enterprise Security Web site:
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:
Martyr or Criminal? Debate Over Electronic Copyright Law Rages as Russian Programmer Sits in a San Jose Jail; The San Francisco Chronicle.
http://enterprisesecurity.symantec.com/content.cfm?articleid=823

Guard Against Revenge of the Downsized; VNU Computing.
http://enterprisesecurity.symantec.com/content.cfm?articleid=821

Security Vulnerabilities Found in Directory Protocol; Computerworld.
http://enterprisesecurity.symantec.com/content.cfm?articleid=812

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
   
             
3rd European Anti Malware Conference & 11th EICAR Annual Conference
http://Conference.EICAR.org
Berlin, 8-11 June 2002

1st Call for Papers: Submission Deadline Dec. 1, 2001

This conference brings together experts from industry, government, academia, and research as well as end-users interested in keeping abreast of new developments.

Papers pertaining to malicious code and unwanted side-effects or malfunction; the information age, warfare and society; cryptography and the protection of privacy; new media and e-commerce; and electronic payments are of interest. Research papers, case studies, research-in-progress short papers, panels, symposia, workshops and tutorials are welcome. Please clearly mark your contribution according to the category it belongs to when submitting.

The conference offers a Best Paper Award, Student Awards, Best Paper Proceedings and more. Registration fees are waived for presenting authors. For more information visit
http://Conference.EICAR.org/?Author
Thank you

Urs E. Gattiker
EICAR
   
   


See the SARC Glossary for definitions of viruses, Trojans, worms and more.

   
Contacts and Subscriptions
Correspondence by email to: sarc@symantec.com (no unsubscribe or support emails, please).
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
   
     

 

     
       

This is a Symantec Corporation publication; use requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.