Symantec AntiVirus Research Center
ISSN 1444-9994

July 2001 Newsletter

These are the most reported Viruses, Trojans and Worms to SARC's offices during the last month.

Top Global Threats
W95.Hybris
W32.Magistr.24876@mm
W95.MTX
Backdoor.Sadmind
Wscript.KakWorm
VBS.Haptime.A@mm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
JS.Seeker
W32.Choke.Worm

Asia Pacific
W95.Hybris
Backdoor.Sadmind
W32.Magistr.24876@mm
W95.MTX
VBS.Haptime.A@mm
Wscript.KakWorm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
W32.Blebla.B
W32.FunLove.4099

Europe
W95.Hybris
W32.Magistr.24876@mm
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
JS.Seeker
VBS.Haptime.A@mm
VBS.Tam.A
W32.Choke.Worm

Japan
W95.Hybris
W95.MTX
W32.Magistr.24876@mm
Backdoor.Sadmind
W32.HLLW.Bymer
W97.Melissa.A
VBS.Haptime.A@mm
Happy99.Worm
VBS.Companion
W32.HLLW.Qaz

USA
W95.Hybris
Backdoor.Sadmind
W32.Magistr.24876@mm
Wscript.KakWorm
W32.Badtrans.13312@mm
W32.HLLW.Bymer
W95.MTX
W32.Choke.Worm
JS.Seeker
VBS.VBSWG2.X@mm

Top 20 Consolidated Global Threats (by SecurityPortal)
VBS.LoveLetter Family
W32.Magistr@MM
W32.Funlove
W32.BadTrans.A@MM
W32.Hybris
W32.Ska aka Happy.99
VBS.Kakworm
W32.Navidad
VBS.Haptime@MM
VBS.VBSWG.X@mm (alias Homepage)
PWSteal.Trojan
W32.Choke.worm
W95.MTX
O97M.Tristate.C
W97M.Marker Family
W97M.Melissa.BG
W97M.Ethan Family
X97M.Divi
X97M.Laroux
VBS.Stages





We continue to see many variations on VBScript worms, but this month I've tried to cover a few different and interesting threats. One is for the Mac, as it's rare that we see anything malicious of note targeting the Mac. W32.Leave has stirred a certain amount of interest and concern. There are reports that there may be many thousands of infections, predominantly on home or end-user machines, but the major anti-virus vendors are yet to report large numbers of infections.

The US National Infrastructure Protection Agency (NIPC) has put out an advisory which can be read here:
http://www.nipc.gov/warnings/advisories/2001/01-014.htm

This month we have a very short version of Eric Chien's paper titled Malicious Threats of Peer-to-Peer Networking. Eric has also produced a good paper on Microsoft's .Net security issues; I'll carry that next month.

Anyone in Europe interested in attending the annual Virus Bulletin Conference should start thinking about booking travel and accommodation. The conference is being held at The Hilton Prague, Prague, Czech Republic this year. Details can be found on the web site at:
http://www.virusbtn.com/vb2001/index.html

David Banes.
Editor,
sarc@symantec.com
   
             
Worms
W32.Leave.B.Worm

Moderate [2]

Win32

This worm downloads components from Web sites and contains code to accept commands from IRC. The only differences between this threat and W32.Leave.Worm are the Web sites from which the components are downloaded, and that this threat is crafted to appear as a security bulletin from Microsoft.

This threat arrives as an email message. The message is written so that it appears to come from Microsoft as a security bulletin with the following subject.

Subject: Microsoft Security Bulletin MS01-037

http://www.sarc.com/avcenter/venc/data/w32.leave.b.worm.html
by: SARC, USA

Mac.Simpsons@mm

Low [2]

Mac

Mac.Simpsons@mm is an AppleScript worm that targets the Macintosh platform. It may open Microsoft Outlook Express or Entourage and send a copy of itself, with the original message, to everyone in your address book. The name of the script is "Simpsons Episodes." This worm does not appear to be particularly malicious, and is similar to other mass-mailing worms that affect Windows computers, such as VBS.LoveLetter. SARC has received very few submissions of this worm.

http://www.sarc.com/avcenter/venc/data/mac.simpsons@mm.html
by: Ralph Gutierrez
SARC, USA
   
             
Viruses

W95.BlueCorners.2049

Minimal [1]

Win95

This virus is a fairly simple fast infector. It will infect only Windows 9x computers, and it will fail if run on a Windows NT computer.

When executed, this virus performs the following actions:

1. It starts by running the host program in a separate process.
2. Next, it infects all .exe files on the same drive as the virus, and on the C drive (if the virus is located elsewhere).
3. When it is finished infecting files, this virus checks whether the date is one of the following:

January 1
February 14
April 1
May 4
October 1
December 25

If it is, it activates its payload routine, which animates a number of small blue balls in the four corners of the screen. The payload assumes that the screen resolution is 800x600, so depending on the actual resolution the balls in the upper right, lower right and lower left corners may appear elsewhere.

NOTES: This virus does not become memory-resident, but it does use a memory location allocated to the operating system to indicate whether or not to infect the system. This simply means that the virus will only try to infect files once after the system has been rebooted.

Some systems may crash randomly, since this memory location is intended for use by the system. This virus also uses this memory location in such a fashion that if more than 4 logical drives are hooked to the system, it will try to infect files every time that it is activated.

http://www.sarc.com/avcenter/venc/data/w95.bluecorners.2049.html
by: Atli Gudmundsson
SARC, EMEA

   
             
Trojans
Backdoor.Bionet.318

Minimal [1]

Win32

Backdoor.Bionet.318 is a malicious backdoor Trojan that behaves similarly to SubSeven, Netbus, and BackOrifice.

The Trojan is the server application that allows a remote user to control and retrieve information from your computer. Some of the capabilities include searching, retrieving and sending files, stealing passwords, changing the colors and resolution, playing sounds, and changing the date and time.

When executed for the first time, this program installs itself into the \Windows\System folder using a configurable name. The following registry key is also added with multiple entries:

HKEY_LOCAL_MACHINE\Software\GCI\BioNet 3

Once the server program is installed, the client program can access the server on a predefined, configurable port. The remote user can be notified that the server application has been installed on your computer. The server can send a page using ICQ, send a notification by IRC, or send an email message.

The default server program is packed with UPX, so it may be variable in size, depending on the type and version of packer used.

The server is executed upon Windows startup. Either the Windows registry, Win.ini, or System.ini is modified to run the program automatically.


http://www.sarc.com/avcenter/venc/data/backdoor.bionet.318.html
by: Cary Ng
SARC, USA
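The write-up names three autostart locations this Trojan can use (the registry, Win.ini and System.ini) plus one registry key it always creates. The following is an added example of checking those locations offline; it is not SARC code. The INI text and registry export are constructed sample data; only the BioNet key path and the \Windows\System install folder come from the write-up, and the server filename and the "clean default" values are assumptions.

```python
"""Audit Windows 9x autostart locations for a BioNet-style backdoor."""
import re

# Constructed Win.ini and System.ini contents: the backdoor has added a run=
# entry launching its server (configurable name, assumed here) from
# \Windows\System, the install folder named in the write-up.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\msrundll.exe
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe
"""
# Constructed .reg-style export; only the BioNet key path is from the write-up.
REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\GCI\BioNet 3]
"Port"="5555"
"""

BIONET_KEY = r"HKEY_LOCAL_MACHINE\Software\GCI\BioNet 3"
# What these entries hold on a clean default Windows 9x install (assumption).
CLEAN_DEFAULTS = {"load": "", "run": "", "shell": "explorer.exe"}

def ini_values(text, section, keys):
    """Return {key: value} for the wanted keys inside one [section] of INI text."""
    found, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() in keys:
                found[k.strip().lower()] = v.strip()
    return found

def audit(win_ini, system_ini, reg_export):
    """Return a list of findings; an empty list means nothing out of the ordinary."""
    findings = []
    entries = ini_values(win_ini, "windows", {"load", "run"})
    entries.update(ini_values(system_ini, "boot", {"shell"}))
    for key, value in entries.items():
        if value.lower() != CLEAN_DEFAULTS[key]:
            findings.append(f"{key}= changed to {value!r}")
            if "\\system\\" in value.lower():
                findings.append(f"{key}= launches a binary from \\Windows\\System")
    # Any [key] header in the export that matches the BioNet key is a hit.
    keys = re.findall(r"^\[(.+)\]$", reg_export, flags=re.MULTILINE)
    if any(k.lower() == BIONET_KEY.lower() for k in keys):
        findings.append(f"registry key present: {BIONET_KEY}")
    return findings
```

On a real host the same checks would be run against the live files and a `reg export` of HKEY_LOCAL_MACHINE\Software, comparing against a known-good baseline rather than the assumed defaults above.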
   
             
Symantec Enterprise Security
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Attack Program Exploits New Microsoft Bug; Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=791

No Joke: Email Spoofing on the Rise; National Post
http://enterprisesecurity.symantec.com/content.cfm?articleid=784

Check out our latest feature articles: "Wireless Threats: Hype or Reality?"
http://enterprisesecurity.symantec.com/article.cfm?articleid=778

"The Importance of Layered Security"
http://enterprisesecurity.symantec.com/article.cfm?articleid=767

Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
   
             
Malicious Threats of Peer-to-Peer Networking
Peer-to-peer networking allows communication between two systems where each system is considered equal. It is an alternative to the client-server model in which each peer system is both a server and a client, commonly referred to as a servant.

Recently, peer-to-peer networks have gained momentum with searchable peer-to-peer network file databases, increased network connectivity, and content popularity.

This paper discusses how malicious threats can harness such networks and how peer-to-peer networking provides an additional (potentially unprotected) vector of delivery for malicious code.

New Vector of Delivery
In the past, the primary method of contracting a virus was via a floppy disk. Today, the primary vector of delivery is using an email attachment.

Peer-to-peer networking provides another method of introducing malicious code onto a computer system. This simple additional vector of delivery is currently the greatest malicious-software threat to peer-to-peer networking.

Classic peer-to-peer-unaware viruses could thus inadvertently be transmitted via a peer-to-peer network. In addition, viruses could also take advantage of the regular use of a peer-to-peer network.

For example, viruses could specifically attempt to copy themselves to or infect files within the shared peer-to-peer space.

The first discovered Gnutella worm, VBS.GWV.A, does this by copying itself to the Gnutella shared directory as popular filenames. For example, the worm may copy itself into the Gnutella shared directory as 'Pamela Anderson movie listing.vbs'. Thus, the goal is to trick someone into downloading the file and executing the file believing the file is actually a Pamela Anderson movie rather than a worm.

Furthermore, viruses could actually harness the existing peer-to-peer network infrastructure to propagate themselves. For example, a worm could set up a servant on an infected system. Thus, the infected user does not even have to initially be part of the peer-to-peer network. This servant then could return exact matches for incoming search queries and those downloading and executing the file will in turn become infected. An example of such a worm is W32.Gnuman.
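The VBS.GWV.A technique above relies on a script landing in the shared directory under a name that suggests popular content. The following is an added example of auditing a shared directory listing for that pattern; it is not part of the paper. The directory listing is constructed, and the extension sets and lure-word list are assumptions.

```python
"""Flag executable content sitting in a peer-to-peer shared directory."""
import os

# Extensions Windows will execute when the downloaded file is opened (assumed set).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr", ".pif", ".bat", ".com"}
# Extensions a user expects to find in a media-sharing directory (assumed set).
MEDIA_EXTS = {".mp3", ".avi", ".mpg", ".mpeg", ".mov", ".jpg", ".gif", ".zip"}
# Words a lure uses to pass as popular content (assumed list, seeded from the text).
LURE_WORDS = ("movie", "video", "pamela anderson", "trailer", "crack", "serial")

def classify(filename):
    """Return None for a harmless-looking name, otherwise a reason string."""
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    # Windows hides known extensions by default, so "holiday.mpg.exe" displays
    # as "holiday.mpg"; treat an inner media extension as the strongest signal.
    inner = os.path.splitext(base)[1].lower()
    if inner in MEDIA_EXTS:
        return f"double extension: shows as {inner} but runs as {ext}"
    if any(word in base.lower() for word in LURE_WORDS):
        return f"executable {ext} with a lure-style name"
    return f"executable {ext} in a shared directory"

def audit_share(filenames):
    """Map each suspicious filename to the reason it was flagged."""
    flagged = {}
    for name in filenames:
        reason = classify(name)
        if reason:
            flagged[name] = reason
    return flagged

# Constructed directory listing, modelled on the VBS.GWV.A lure named in the text.
SHARED_DIR = [
    "Pamela Anderson movie listing.vbs",
    "holiday.mpg.exe",
    "Metallica - One.mp3",
    "readme.txt",
    "setup.exe",
]
```

A plain executable such as setup.exe is reported too, because nothing in a media share should be runnable regardless of its name.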

Malicious Uses of Peer-to-Peer Networks
However, peer-to-peer software generally is not blocked by the firewall because it makes outgoing connections to centralized directory services or other servants. Outgoing connections generally are not blocked. Once an outgoing connection is made, the centralized directory service or other servant can pass information to the client.

The majority of current backdoor Trojans do not make such outgoing connections because they would need to connect to a defined awaiting server which, when discovered, may lead to the identification of the malicious hacker. Some backdoor Trojans avoid this scenario by making an outgoing connection to IRC or similar centralized services. W32.PrettyPark is an example of a worm that creates an outgoing connection to IRC. Once connected, hackers could join the same channel and send remote access commands.

Such methods could be conducted using a peer-to-peer network as well. For example, a malicious threat could register with the Napster centralized server and pass a specific, unique list of files. A hacker would then perform a search on those specific files and, when matched, would be able to identify an infected system. A request for a particular file would signal the infected machine to perform a particular task, such as taking a screenshot. Information retrieval and control of the system could then be performed in this manner, bypassing the firewall and initially ensuring the anonymity of the hacker.

Detection of Threats
Since peer-to-peer malicious threats still need to reside on the system, the current desktop scanning infrastructure can provide protection against infection.

However, similar to the adoption of gateway and email server scanners, desktop protection may not prove the best method in the future.

In the future, should peer-to-peer networking become standard in home and corporate computing infrastructures, network scanning may become more desirable. Such scanning is not trivial since by design peer-to-peer transfer of data does not pass a centralized server such as an email server.

Systems such as network-based IDS (Intrusion Detection Systems) may prove useful, as well as gateway/proxy scanning, to prevent malicious threats from peer-to-peer connections that pass between the inside and outside of an organization.

However, peer-to-peer networking models such as Freenet will render network scanning useless, since all data is encrypted. One will not even be able to scan data residing in the data store on one's own system. Threats passed via Freenet-type models can only be scanned as the unencrypted file at the desktop, just prior to execution. The issue of encryption only reinforces the necessity for desktop-based anti-virus scanning.
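The W32.Gnuman behaviour described earlier (a servant that returns an exact match for any incoming query) leaves a pattern that the network-based IDS mentioned above could look for, as long as the traffic is not encrypted. The following is an added example of that detection logic; it is not part of the paper. The records are a constructed, simplified view of reconstructed query and query-hit traffic, and the extension set and threshold are assumptions.

```python
"""Spot a W32.Gnuman-style servant from observed search traffic."""
import os
from collections import defaultdict

# Extensions an executable hit would carry (assumed set).
EXECUTABLE_EXTS = {".vbs", ".exe", ".scr", ".pif", ".bat"}

def echoes_query(query, filename):
    """True when the hit is simply the query text with an executable extension."""
    stem, ext = os.path.splitext(filename)
    return ext.lower() in EXECUTABLE_EXTS and stem.strip().lower() == query.strip().lower()

def suspicious_servants(records, min_distinct_queries=3):
    """Return {host: number of distinct queries it answered with an echoed executable}.

    A genuine share holds a fixed set of files, so it only matches queries that
    happen to describe them; a worm servant fabricates an exact hit for anything.
    Hosts below the (assumed) threshold are dropped to ignore one-off coincidences.
    """
    echoed = defaultdict(set)
    for query, host, filename in records:
        if echoes_query(query, filename):
            echoed[host].add(query.lower())
    return {h: len(q) for h, q in echoed.items() if len(q) >= min_distinct_queries}

# Constructed observations as (query text, responding host, returned filename):
# 10.0.0.7 answers every unrelated query with an executable named after the
# query, 10.0.0.9 serves ordinary media, and 10.0.0.12 shows a single coincidence.
OBSERVED = [
    ("metallica one", "10.0.0.7", "metallica one.exe"),
    ("star wars trailer", "10.0.0.7", "star wars trailer.exe"),
    ("linux iso", "10.0.0.7", "linux iso.exe"),
    ("metallica one", "10.0.0.9", "Metallica - One.mp3"),
    ("star wars trailer", "10.0.0.9", "sw_trailer.mpg"),
    ("metallica one", "10.0.0.12", "metallica one.exe"),
]
```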

Future
Threats such as W32.FunLove which infect network shares demonstrate the difficulty of containment in environments that utilize central file servers (along with personal shares). A peer-to-peer networking model that incorporates uploading as well as downloading will only increase the propagation and difficulty of containment of network infectors.

Also, such a model will allow simpler two-way communication of malicious threats. A virus writer may be able to update their threat via a peer-to-peer network. For example, an infected machine may send out an update to all other nearby nodes of a peer-to-peer network and so forth.

Summary
Peer-to-peer networks obviously pose a danger as an additional vector of delivery. Their impact on security will depend significantly on the adoption of peer-to-peer networks in a standard computing environment. If systems use peer-to-peer networks as email is used today, then they will be a significant method of delivery of malicious code.

In addition, the use of two-way network communication exposes the system to potential remote control, can create a hole in a firewall, and can lead to the export of private and confidential information.

Thus, administrators should begin analyzing their networks for peer-to-peer network usage today and, where appropriate, configure firewalls and systems to limit or prevent that usage.

Eric Chien
SARC, EMEA
   
   


   
Contacts and Subscriptions
Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
This is a Symantec Corporation publication; its use requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.