Symantec AntiVirus Research Center
ISSN 1444-9994

January 2001 Newsletter


Year 2000 Summary: top 10 threats reported to Symantec

Rank  Threat               Share
 1    WScript.KakWorm      21.4%
 2    W95.MTX               9.5%
 3    VBS.LoveLetter        8.3%
 4    W95.Hybris            5.1%
 5    VBS.Stages.A          3.7%
 6    W32.HLLW.Qaz.A        4.7%
 7    Happy99.Worm          2.5%
 8    W32.Navidad           2.3%
 9    VBS.Network           2.1%
10    W32.FunLove.4099      1.6%


These are the viruses, Trojans and worms most reported to SARC's offices during the last month.

Top Global Threats
W95.Hybris.gen
JS.Seeker
W95.MTX
Wscript.KakWorm
W32.Navidad.16896
W32.HLLW.Bymer
W32.Navidad
Happy99.Worm
VBS.LoveLetter
W32.HLLW.Qaz.A

Asia Pacific
JS.Seeker
W95.Hybris.gen
W95.MTX

Europe
JS.Seeker
W95.Hybris.gen
W95.MTX

Japan
W95.Hybris.gen
W95.MTX
W32.HLLW.Bymer

USA
W95.Hybris.gen
JS.Seeker
Wscript.KakWorm


New Virus Hoaxes reported to Symantec

No New Hoaxes this Month



Top 20 Consolidated Global Threats
By SecurityPortal

W32.Navidad
W32.Prolin
W32.Hybris
VBS.KakWorm
VBS.LoveLetter Family
W95.MTX
Happy99.Worm (alias W32.Ska)
W95.CIH
W97M.Melissa.BG
W32.Funlove
VBS.Stages.A
W97M.Marker Family
W97M.Thursday Family
W32.BleBla
W32.ExploreZip.Worm
W32.HLLW.Qaz.A (alias Troj.Qaz.A)
VBS.Quatro.A
W32.Sonic
W97M.Stand
VBS.Network



Here in SARC we've been discussing the past year's viruses and worms and speculating about the possibilities for the coming year. Rather than spend time taking a detailed look back at the year 2000 I thought you'd rather we looked forward to 2001, so I've included a table in the sidebar this month showing the top 10 threats for the year 2000 as reported by Symantec and we'll get straight into some speculation about the coming year in my article 'Looking forward in 2001'.

Whilst running some reports for this month's newsletter I realised that JS.Seeker, discovered mid December, has shot up the list of reported threats. Even though it is still rated as a low risk and has no dangerous payload I thought we'd include it this month. We also cover W32.Music.E.Worm, VBS.Sorry.A and VBS.TQLL.A@mm (@mm means mass mailer). Last month's top new threats were also all worms; it looks like worms have hit the top of the trendy list if you are into writing malicious code. If you want to know the difference between a virus and a worm then go to our glossary or this article.

EICAR (European Institute for Computer Anti-Virus Research) is having its annual conference in March. The 10th Annual EICAR & 2nd European Anti-Malware Conference will be held from 3rd - 6th March 2001 in Munich, Germany.

David Banes.

Editor,
sarc@symantec.com

Worms in the News

JS.Seeker

Small [2]

Script

JS.Seeker is a Trojan horse program that alters the default startup and search pages of your Web browser. The Trojan horse sometimes arrives as a file named Runme.hta, and runs only if Windows Scripting Host is installed.

When JS.Seeker is executed, it changes the following Windows registry values:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Netscape\Netscape Navigator\Main\Home Page

Original registry values are saved to the files Backup1.reg and Backup2.reg in the Windows directory.

The Trojan horse creates a file named Homereg111.reg in the Windows directory and sets the above mentioned registry keys to its own values. The Trojan horse then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

The Trojan horse also creates Prefs.js in the Windows directory. Prefs.js is a JavaScript file that replaces the Netscape preferences with the Trojan horse's own settings.

To remove JS.Seeker, scan with Norton AntiVirus and delete all files detected as JS.Seeker. Delete the Homereg111.reg and Prefs.js files from the Windows directory. Then run Backup1.reg and Backup2.reg from your Windows directory to restore the original registry values.
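Because the Trojan horse saves the original values to Backup1.reg and Backup2.reg before overwriting them, an administrator can confirm exactly which of the five listed values were tampered with by comparing such a backup against a current regedit export of the same keys, before and after running the backup files. The script below is an added example written for this newsletter entry, not Symantec's or the Trojan horse's code: it parses the REG_SZ string values of two .reg exports and reports the watched values that differ. The two exports and the example.com and hijacked.example.net URLs in them are constructed stand-ins, not real Backup1.reg or Homereg111.reg contents; the same check applies to the Internet Explorer Start Page that the VBS.Sorry.A entry below says to restore.

```python
"""Compare the browser start/search page registry values that JS.Seeker
rewrites against a saved .reg export and report which ones changed.

Added example; the sample exports below are constructed, not real
Backup1.reg / Homereg111.reg contents."""
import re

# The five values named in the JS.Seeker description. regedit exports
# write the root as HKEY_CURRENT_USER rather than the HKCU shorthand.
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
NETSCAPE_MAIN = r"HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main"
WATCHED = {
    IE_MAIN: ("Start Page", "Search Bar", "Default_Page_URL", "Default_Search_URL"),
    NETSCAPE_MAIN: ("Home Page",),
}

KEY_LINE = re.compile(r"\[(.+)\]")
# "name"="value" lines, allowing the .reg escaping of backslashes and quotes.
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def _unescape(s):
    """Undo the backslash escaping regedit applies to names and values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}.
    Only REG_SZ values are decoded; that is all these keys hold.
    Header lines (REGEDIT4 / Windows Registry Editor ...) are skipped."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.fullmatch(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = STRING_VALUE.fullmatch(line)
        if m and current is not None:
            result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def changed_values(backup_text, current_text):
    """Return [(key_path, value_name, backup_value, current_value)] for each
    watched value whose current content differs from the backup.
    A value absent from either export is reported as None."""
    backup = parse_reg(backup_text)
    current = parse_reg(current_text)
    changes = []
    for key, names in WATCHED.items():
        for name in names:
            old = backup.get(key, {}).get(name)
            new = current.get(key, {}).get(name)
            if old != new:
                changes.append((key, name, old, new))
    return changes


# Constructed stand-in for Backup1.reg (values before the Trojan horse ran).
BACKUP_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
"Search Bar"="http://search.example.com/bar"
"Default_Page_URL"="http://www.example.com/"
"Default_Search_URL"="http://search.example.com/"

[HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main]
"Home Page"="http://www.example.com/"
"""

# Constructed stand-in for an export of the same keys taken afterwards.
CURRENT_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijacked.example.net/"
"Search Bar"="http://hijacked.example.net/search"
"Default_Page_URL"="http://www.example.com/"
"Default_Search_URL"="http://search.example.com/"

[HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main]
"Home Page"="http://www.example.com/"
"""

if __name__ == "__main__":
    for key, name, old, new in changed_values(BACKUP_REG, CURRENT_REG):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

Running the script against the constructed exports reports only Start Page and Search Bar as changed; running it again after the backup .reg files have been applied should report nothing, which is the confirmation that the removal step completed.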

http://www.sarc.com/avcenter/venc/data/js.seeker.html
by: Gor Nazaryan
SARC, USA

W32.Music.E.Worm

Minimal[1]

Win32

W32.Music.E.Worm is a worm that runs only on Windows 95 and Windows 98 systems. The worm requires a specific Win32 API that is only available in Windows 95 and Windows 98 versions of Kernel32.dll.

W32.Music.E.Worm is a variant of W32.Music.A.Worm. The main difference between these two variants is that W32.Music.E.Worm goes to a different website to download the mailer component. This new dropper component does not necessarily depend on a specific mailer component; i.e. it may work with any version of that mailer component. The result of this is that the subject and body of the message to which the file is attached may vary, as well as the name of the attachment.

To remove W32.Music.E.Worm, follow this link:

http://www.sarc.com/avcenter/venc/data/w32.music.e.worm.html
by: Cary Ng
SARC, USA

VBS.Sorry.A

Small [2]

Script

VBS.Sorry.A is a Visual Basic Script worm that copies itself to multiple directories on the hard drive and on network drives. The worm also drops an mIRC configuration file that searches for computers infected with the SubSeven Trojan, and it copies and executes itself on those computers.

The worm attempts to delete uncommon files and folders, and copies itself as sndload.vbs, ttfload.vbs or a random filename.

To remove VBS.Sorry, delete all detected files, restore the Internet Explorer Start Page and delete or revert all registry entries to their previous values.

http://www.sarc.com/avcenter/venc/data/vbs.sorry.a.html
By Eric Chien
SARC, EMEA
VBS.TQLL.A@mm

Minimal [1]

Script

VBS.TQLL.A@mm is a worm written in Visual Basic Script. Symantec has no confirmed reports of this virus in the wild and considers it low or no risk at this time.

The worm will arrive by email with the following message and attachment:

Subject: New Year !
Body: Wow Happy New Year !

The attachment is called 'happynewyear.txt.vbs' and is 10,390 bytes in size.

The worm will not execute simply by reading the email. But if the attachment called happynewyear.txt.vbs is executed, it will create a malicious program called 3k.exe in your Windows directory and run it automatically. The 3k.exe program is a Trojan horse; Norton AntiVirus detects it as Backdoor.TQLL. The worm will also send itself automatically to everyone in your Microsoft address book.


To remove this worm, delete all files detected as VBS.TQLL.A@mm and Backdoor.TQLL.
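The lure described above relies on a double extension: happynewyear.txt.vbs reads as a text file but is a script that Windows Scripting Host will run. A mail gateway can catch that shape without any signature. The script below is an added example for this entry, not Symantec's code: it uses Python's standard email library to flag attachments whose final extension is a script type hidden behind another extension, and additionally reports a match on the subject, attachment name and 10,390-byte size given in the entry. The sample message is constructed, its attachment is harmless filler padded to the stated length rather than the worm, and the list of script extensions is an assumption.

```python
"""Flag mail shaped like VBS.TQLL.A@mm at a gateway: the subject and
attachment described in the newsletter, plus the generic double-extension
trick (happynewyear.txt.vbs) that makes a script look like a text file.

Added example; the sample message is constructed and its attachment is
harmless filler of the stated length, not the worm."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the newsletter entry.
KNOWN_SUBJECT = "New Year !"
KNOWN_ATTACHMENT = "happynewyear.txt.vbs"
KNOWN_SIZE = 10390

# Assumed list of extensions that Windows Scripting Host will execute.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "hta"}


def analyse_message(raw):
    """Return [(attachment_filename, [reasons])] for suspicious attachments.
    The generic double-extension rule fires on its own; the worm-specific
    subject/name/size indicators are reported as extra reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        reasons = []
        if ext in SCRIPT_EXTENSIONS:
            if len(pieces) > 2:
                reasons.append("double extension hides a .%s script" % ext)
            else:
                reasons.append("script attachment (.%s)" % ext)
            if subject == KNOWN_SUBJECT:
                reasons.append("subject matches the VBS.TQLL.A@mm lure")
        if name.lower() == KNOWN_ATTACHMENT and len(payload) == KNOWN_SIZE:
            reasons.append("attachment name and size match VBS.TQLL.A@mm")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(benign=False):
    """Build a constructed message: the worm's lure shape by default, or an
    ordinary text attachment when benign=True (for a negative check)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m.set_content("Wow Happy New Year !")
    if benign:
        m["Subject"] = "Meeting notes"
        m.add_attachment("agenda\n", filename="notes.txt")
    else:
        m["Subject"] = KNOWN_SUBJECT
        # Filler padded to the stated attachment size; not script content.
        filler = b"' constructed filler, not the worm\r\n"
        filler = (filler * (KNOWN_SIZE // len(filler) + 1))[:KNOWN_SIZE]
        m.add_attachment(filler, maintype="application",
                         subtype="octet-stream", filename=KNOWN_ATTACHMENT)
    return m.as_bytes()


if __name__ == "__main__":
    for name, reasons in analyse_message(build_sample()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The double-extension rule is the one worth keeping after this particular worm is forgotten: the subject line and byte count change with every variant, while hiding a .vbs behind a .txt is a trick that stays the same.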

http://www.sarc.com/avcenter/venc/data/vbs.tqll.a.html
by: Motoaki Yamamura
SARC, USA

Visit the Symantec Enterprise Security Web Site

Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

Recent headlines include:
Leahy Computer Crime Bill Receives Final Senate Approval; US Newswire (USA)
http://enterprisesecurity.symantec.com/content.cfm?articleid=539

Net Tightens Around the Hacktivists: Big Corporations and Governments Want
to Curb the Protests of the Cyber Hippies; The Guardian (London)
http://enterprisesecurity.symantec.com/content.cfm?articleid=547

Read our latest feature article "The Rise of the Trojan Virus" to learn about the best defense against viruses carrying Trojans.
http://enterprisesecurity.symantec.com/content.cfm?articleid=535

Looking forward in 2001

Many people have already published their thoughts on this topic, from anti-virus vendors to journalists and independent research organizations. The opinions are varied and sometimes contradictory. We thought you'd like to read our thoughts on this subject now that we've had a chance to look at the trends in threats and technologies that Symantec has seen over the last year. Whilst this is an interesting topic, this article should be read as a long-range weather report.

Over the last year we have seen an increase in the number of complicated 32-bit Windows worms and viruses; in fact, if you look back over the last five years you could estimate that 50% of threats in this category appeared in 2000, a sobering thought if you have your head in a debugger all day. The level of complexity increased by a factor of two or three, and we now estimate that writing detection and repair for the average Win32 threat takes anything from two to six hours, whilst something very complicated may take a week. You can get an idea of the level of concern we have about this when you realize that a mass-mailing worm could send out as many copies of itself as you have email addresses in your address book.

We will continue to see threats that blur the line between the traditional computer virus, network security breaches and DoS attacks. We saw the start of this in 2000 with several well-publicized denial of service attacks and DNS hijackings. Looking at our own reports, we see many more back door and remote control Trojans that target specific types of data, such as password files and financial account details.

To counter these types of threats, vendors like Symantec have been busy releasing upgraded versions of server-based anti-virus, content filtering and firewall products. Most corporations would have spent the year reviewing not only their email scanning solutions and policies but their security across the whole enterprise, from personal firewalls and desktop anti-virus to complete enterprise-wide managed solutions such as those offered by the recently merged Symantec/Axent portfolio.

I'm also sure that, with the convergence of mobile devices such as hand-held computers and mobile phones, these devices will be targeted by malicious code authors. All of us, both anti-virus researchers and anti-virus customers, need to keep an open mind and realize that it's only a matter of time before mobile devices are in the high risk category. How much time is a guessing game, but we need to be prepared: anti-virus research specialists like Eric Chien from SARC EMEA, with his work on PDAs, who continually research these areas, are essential if we are to be ready to face threats in a connected mobile world.

Expect to see new threats for Linux, PalmOS-powered devices such as PDAs and mobile phones, PocketPCs (Windows CE), and maybe even EPOC and WAP (v1.2 or later) enabled devices by the end of the year or early 2002. We've already seen things moving in this direction with several Linux viruses and the first PalmOS virus and Trojan. As Linux becomes more common on the desktop and the cost of ownership of PDAs drops dramatically, these platforms become more accessible to virus and worm authors. Add more processing power (Compaq's iPaq 3600 PocketPC is already over 200 MHz), wireless networking and increasingly rich media on handheld devices, and the level of risk rises substantially.

These threats can be avoided or marginalized if the vendors of mobile computing and telephony devices rationalize the functionality, encapsulate features like scripting within the device's security model and enhance that security with digital signatures, encryption and access control. Only then will mobile computing remain safe computing.


By David Banes
SARC, APAC

SARC Glossary for definitions of viruses, Trojans and worms and more.


Contacts and Subscriptions

Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

This is a Symantec Corporation publication; use of it requires permission in advance from the Editor.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.