 Symantec AntiVirus Research Center  

ISSN 1444-9994


February 2001 Newsletter


These are the viruses, Trojans and worms most reported to SARC's offices during the last month.

Top Global Threats
W95.Hybris
JS.Seeker
W95.MTX
Wscript.KakWorm
W32.Navidad.16896
W32.HLLW.Bymer
W32.Navidad
Happy99.Worm
VBS.LoveLetter
W32.HLLW.Qaz.A

Asia Pacific
W95.Hybris
W95.MTX
Wscript.KakWorm
JS.Seeker
W32.Navidad
W32.HLLW.Bymer
W32.FunLove.4099
VBS.Stages.A
W32.HLLW.Qaz.A
VBS.LoveLetter

Europe
W95.Hybris
JS.Seeker
W95.MTX
Wscript.KakWorm
W32.Navidad.16896
W32.HLLW.Bymer
W32.HLLW.Qaz.A
W32.Navidad
Wscript.KakWorm
VBS.Plan.B

Japan
W95.Hybris
W95.MTX
VBS.Mill
W32.HLLW.Bymer
JS.Seeker
W32.Navidad
W32.HLLW.Qaz.A
Happy99.Worm
W95.MTX
W32.FunLove.4099

USA
W95.Hybris
JS.Seeker
W95.MTX
Wscript.KakWorm
VBS.LoveLetter
W32.Navidad
W32.HLLW.Bymer
W32.Navidad
VBS.Plan.B
Happy99.Worm


Top 20 Consolidated Global Threats

By SecurityPortal

W95.MTX
W32.Navidad
VBS.KakWorm
W32.Hybris
VBS.LoveLetter
W32.FunLove
W32.Prolin
W97M.Marker
W95.CIH
W32.HLLW.Bymer
W97M.Melissa.BG
W97.Ethan
W32.HLLW.Qaz.A
(alias Troj.Qaz.A)
Happy99.Worm
(alias W32.Ska)
VBS.Stages.A
W97M.Thursday
W32.PrettyPark
W97M.Class
W32.ExploreZip.Worm
W32.BleBla




Removal Tools for...

W32.HybrisF
W32.Kriz
W32.Navidad
W32.HLLW.QAZ.A
W95.MTX
W32.FunLove.4099
Wscript.Kakworm
Wscript.Kakworm.B
Happy99.Worm
VBS.Loveletter
PrettyPark.Worm
VBS.Stages.A
W2K.Stream
AOL.Trojan.32512
W95.CIH
Worm.ExploreZip



Virus Hoaxes

reported to Symantec

Elecciones 2000 Hoax
Forward Hoax
Pikachus Ball Hoax
Sarc Virus Test Hoax
Scoutshacker Hoax
Simon Pugh Hoax
Virtual Card 2
WAZ UP Hoax
WordScribe Virus Hoax



Joke Programs
reported to Symantec

Joke.Doh
Joke.Flipped
Joke.Freibier
Joke.Geschenk
Joke.Idioma
Joke.Lancheck
Joke.Scared
Joke.Wobbling
Joke.Wow

This month we are extending the top threats listings for each region from three to ten. I get a lot of requests for help removing certain viruses and worms, so we have added a section in the sidebar linking to software tools for some of the threats that can be difficult to remove. There is also a new section listing common joke programs that may be detected by some anti-virus products but pose no threat at all.

This month we are again covering the three main categories: viruses, Trojans and worms. Interestingly, one is a Linux worm and another a PHP Trojan. PHP is a server-side, HTML-embedded scripting language. We covered the first ever PHP threat in the November 2000 edition of the newsletter.

Peter Ferrie of SARC Asia Pacific and Peter Szor of SARC USA have written an excellent analysis of W32.Zmist, a new 'undetectable' virus. We have a shortened version of the article here; the full version will be published in Virus Bulletin in March 2001.

We've changed the wording for our threat severity levels, both here and on the web site. They are now much easier to remember and align us more closely with other vendors' categorizations. They are now:

  • 5 - Very Severe
  • 4 - Severe
  • 3 - Moderate
  • 2 - Low
  • 1 - Very Low.

Finally, a reminder that the EICAR annual conference will be held from 3rd to 6th March 2001 in Munich, Germany.

David Banes.
Editor,
sarc@symantec.com

SARC has announced a new alerting service for our Platinum customers. This service will allow SARC to release early warnings for malicious threats. Please see the Platinum Website for details. A Platinum account and password are required.

Worms

Linux.Ramen.Worm

Very Low [1]

Linux

Linux.Ramen is a Linux worm that attacks machines running Red Hat Linux 6.2 or 7.0. This worm does not execute on systems running Microsoft Windows. The worm spreads by attempting to exploit vulnerabilities in unpatched versions of rpc.statd, wuftpd, and LPRng.

An email message is also sent to anonymous Yahoo! and Hotmail email accounts specifying the IP address of the attacked machine. Most likely, these email accounts belong to the author of this worm, allowing the author to keep track of infected machines.

To remove Linux.Ramen.Worm:

1. Delete the files detected by Norton AntiVirus.
2. Install the patches that fix the vulnerabilities mentioned above. These patches are already available for download from the Red Hat website at the following locations:

RedHat 7.0 Security Advisories -
http://www.redhat.com/support/errata/rh7-errata-security.html
RedHat 6.2 Security Advisories -
http://www.redhat.com/support/errata/rh62-errata-security.html

http://service1.symantec.com/sarc/sarc.nsf/html/Linux.Ramen.Worm.html
by: Patrick Martin and Eric Chien
SARC, USA & EMEA.
Viruses

W32.Demiurg.16354

Low [2]

Win32

W32.Demiurg.16354 is a virus that can infect DOS programs, batch files, Windows program files, and Excel 97/2000 spreadsheets. The computer that runs this virus will be the only infected computer. This virus does not email itself out, and it is not network aware.

Current virus definitions will detect this virus. Run LiveUpdate to make sure that you have the most recent virus definitions.

If the computer is already infected with W32.Demiurg.16354, follow these steps to remove the virus:

1. Start NAV, run a full system scan, and delete any infected spreadsheets.
2. Boot the computer from a Windows Startup disk, Rescue disk, boot disk, or the Norton AntiVirus 2001 CD, depending on the computer and operating system.
3. Run a full scan using the Norton AntiVirus DOS scanner. If any files are detected as infected with W32.Demiurg.16354, choose Repair.

After you run the DOS scanner and choose to repair infected files as recommended, run the DOS scanner a second time. If files are again detected as infected, Norton AntiVirus was not able to repair them. In this case, choose Delete.

http://service1.symantec.com/sarc/sarc.nsf/html/W32.Demiurg.16354.html
by: Peter Ferrie and Cary Ng
SARC, APAC & USA
Trojans

PHP.Sysbat

Very Low [1]

Script

PHP.Sysbat is a Trojan horse, not a virus. Trojan horses do not replicate. PHP.Sysbat only executes on computers with PHP interpreters. (PHP is a server-side, cross-platform, HTML-embedded scripting language.) It cannot be contracted by simply visiting an infected Web page.

PHP.Sysbat modifies the Autoexec.bat file so that the next time the computer is restarted, the command to format the hard drive is executed. The Trojan will also append text to C:\Config.sys and to other files with the .sys extension that are located in the C:\Windows\Command folder. Finally, the Trojan tries to delete C:\Windows\System\Wsock32.dll.

To remove this Trojan:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as infected by PHP.Sysbat, you need to delete them.
4. Remove the following text from the Autoexec.bat file:

ctty nul
format c: /autotest /q /u


CAUTION: Do not restart the computer until you have removed this text.

5. Restore from backup or reinstall all .sys files that were infected by the Trojan.
6. Replace the Wsock32.dll file, if necessary.
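As an added example (not part of the SARC write-up or a Symantec tool), the following Python strips exactly the two lines listed in step 4 from the text of an Autoexec.bat file and leaves every other line untouched. The sample file contents are constructed; because "ctty nul" is a legitimate command on its own, it is only removed when it immediately precedes the Trojan's format line.

```python
# Added example: remove PHP.Sysbat's appended commands from an Autoexec.bat
# body (the two lines listed in the removal steps above). Not SARC's tool.

FORMAT_CMD = "format c: /autotest /q /u"   # the Trojan's format command
CTTY_CMD = "ctty nul"                       # silences the console so the format runs unattended


def normalize(line: str) -> str:
    """Lower-case and collapse whitespace so minor variations still match."""
    return " ".join(line.strip().lower().split())


def find_sysbat_lines(lines):
    """Return the indices of the Trojan's lines.

    The format line is always removed; 'ctty nul' is removed only when it
    immediately precedes that format line, because 'ctty nul' can appear
    legitimately in a startup file.
    """
    hits = set()
    for i, line in enumerate(lines):
        if normalize(line) == FORMAT_CMD:
            hits.add(i)
            if i > 0 and normalize(lines[i - 1]) == CTTY_CMD:
                hits.add(i - 1)
    return hits


def clean_autoexec(contents: str):
    """Return (cleaned_text, removed_lines) for an Autoexec.bat body."""
    lines = contents.splitlines()
    hits = find_sysbat_lines(lines)
    kept = [line for i, line in enumerate(lines) if i not in hits]
    removed = [lines[i] for i in sorted(hits)]
    cleaned = "\r\n".join(kept) + ("\r\n" if kept else "")
    return cleaned, removed


# Constructed sample of an infected Autoexec.bat (DOS line endings).
INFECTED = (
    "@ECHO OFF\r\n"
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "SET TEMP=C:\\TEMP\r\n"
    "ctty nul\r\n"
    "format c: /autotest /q /u\r\n"
)
# Constructed benign file that uses ctty nul for its own purposes.
BENIGN = "@ECHO OFF\r\nctty nul\r\nSET TEMP=C:\\TEMP\r\n"

if __name__ == "__main__":
    text, removed = clean_autoexec(INFECTED)
    print("removed:", removed)
    print(text)
```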

http://service1.symantec.com/sarc/sarc.nsf/html/PHP.Sysbat.html
by: Eric Chien
SARC, EMEA.
Visit the Symantec Enterprise Security Web Site

Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters:
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

Recent headlines include:
Anti-globalization Hackers Steal Confidential Data at Davos; Agence France Presse
http://enterprisesecurity.symantec.com/content.cfm?articleid=587

Flaws Leave Net Open to Attack, Group Warns; Los Angeles Times
http://enterprisesecurity.symantec.com/content.cfm?articleid=583

Make sure your enterprise has a comprehensive contingency plan in place before it's too late. Read our latest feature article "Guide to Contingency Planning" to learn more:
http://enterprisesecurity.symantec.com/content.cfm?articleid=573
Gorillas in the Mist

During VB 2000, Dave Chess and Steve White presented their research results on undetectable viruses. Early this year the Russian virus writer Zombie released his "Total Zombification" magazine, a set of articles and viruses of his own. One of the articles in the magazine was titled "Undetectable Virus Technology".

Zombie has already demonstrated his polymorphic and metamorphic virus-writing skills. His viruses have been distributed for years in source form, and other virus writers have modified them to create new variants. This will certainly be the case with Zombie's latest creation, W95.Zmist.

It has been a few years since many of us have seen a virus approaching this complexity. We could easily call Zmist one of the most complex binary viruses ever written; W95.SK, One_Half, ACG, and a few other virus names came to mind for comparison. Zmist is a little bit of everything: it is an entry point obscuring virus that is also metamorphic. Moreover, the virus randomly uses an additional polymorphic decryptor.

The virus supports a unique new technique: code integration. The Mistfall engine contained in the virus is capable of decompiling Portable Executable files into their smallest elements, requiring 32MB of memory! Zmist then inserts itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable. Nothing like this had been seen in any previous virus.

Zmist occasionally inserts jump instructions after every single instruction of the code section, each of which points to the next instruction. Amazingly, these horribly modified applications still run as before, just as the infected executables do, from generation to generation. In fact, we have not seen a single crash during the test replications. Nobody expected this to work, not even its author Zombie. Although it is not foolproof, it seems to be good enough for a virus. It takes some time for a human to find the virus in infected files. Because of this extreme camouflage, Zmist is easily the perfect anti-heuristics virus.

A few years ago several anti-virus researchers claimed that algorithmic detection has no future. We would like to turn that around and claim that virus scanners will have no future if they do not support algorithmic detection at the database level. It is amazing to see how polymorphic viruses have become more and more advanced over the years. Such metamorphic creations will come very close to the concept of an undetectable virus.

The computing environment has changed, and modern viruses fully exploit this new environment. In the next couple of years we will see how complex DOS viruses would be today, had the environment not changed during the last few years.
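As an added example (not from the article and not SARC's detection logic), the jump-after-every-instruction trait described above has a simple byte-level signature: a jmp whose target is the instruction right after it has a displacement of zero, which in its plainest encodings is EB 00 (jmp rel8) or E9 00 00 00 00 (jmp rel32). The Python below measures the density of such jumps in a code section as a crude algorithmic heuristic of the kind the authors argue scanners need; the byte streams are constructed and the threshold is an assumed value.

```python
# Added example: heuristic for the Zmist trait of a jmp inserted after
# every instruction that targets the next instruction. Such a jmp has a
# zero displacement: EB 00 (jmp rel8) or E9 00 00 00 00 (jmp rel32).
# Illustrative only; not SARC's detection logic.

SHORT_JMP_NEXT = b"\xEB\x00"
NEAR_JMP_NEXT = b"\xE9\x00\x00\x00\x00"


def count_jmp_next(code: bytes):
    """Count zero-displacement short and near jmps in a code section.

    This is a byte sweep, not a disassembly, so the same bytes inside an
    immediate or a table are counted too; the density threshold below is
    meant to absorb a handful of such false positives.
    """
    return code.count(SHORT_JMP_NEXT), code.count(NEAR_JMP_NEXT)


def jmp_next_density(code: bytes) -> float:
    """Zero-displacement jmps per 100 bytes of code (0.0 for empty input)."""
    if not code:
        return 0.0
    short, near = count_jmp_next(code)
    return 100.0 * (short + near) / len(code)


def looks_jump_instrumented(code: bytes, threshold: float = 5.0) -> bool:
    """Flag a section whose jmp-to-next density exceeds an assumed threshold.

    Ordinary compiler output essentially never emits a jmp to the very
    next instruction, so even a low threshold separates the two cases.
    """
    return jmp_next_density(code) >= threshold


# Constructed sample: a small x86 function as a plain byte stream ...
CLEAN_INSTRS = [bytes.fromhex(h) for h in (
    "55", "8BEC", "83EC10", "33C0", "8945FC", "8B45FC",
    "40", "8945FC", "8BE5", "5D", "C3")]
CLEAN = b"".join(CLEAN_INSTRS)
# ... and the same stream with a jmp-to-next after every instruction,
# the shape the article describes.
INSTRUMENTED = b"".join(i + SHORT_JMP_NEXT for i in CLEAN_INSTRS)

if __name__ == "__main__":
    for name, code in (("clean", CLEAN), ("instrumented", INSTRUMENTED)):
        print(f"{name}: {jmp_next_density(code):.1f} jmp-to-next per 100 bytes, "
              f"flagged={looks_jump_instrumented(code)}")
```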


[Editor's Note: The complete article includes a detailed technical description of W95.Zmist and will be published in the March edition of Virus Bulletin and on the SARC web site at http://www.sarc.com/.]

By Peter Ferrie and Peter Szor
SARC, APAC & USA.

See the SARC Glossary for definitions of viruses, Trojans, worms and more.

Contacts and Subscriptions

Correspondence by email to: sarc@symantec.com; no unsubscribe or support emails please.
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
This is a Symantec Corporation publication; use requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.