SYMANTEC AntiVirus Research Center
"The Sun Never Sets on SARC"

November 2000 Newsletter
These are the viruses, Trojans and worms most frequently reported to SARC's offices during the last month.

Top Global Threats
- W95.MTX
- W32.HLLW.Qaz.A
- VBS.Stages.A
- VBS.LoveLetter
- VBS.Network
- Wscript.KakWorm
- W32.FunLove.4099
- PrettyPark.Worm
- Happy99.Worm

Asia Pacific
- Wscript.KakWorm
- W32.HLLW.Qaz.A
- W95.MTX

Europe
- W95.MTX
- Wscript.KakWorm
- W32.HLLW.Qaz.A

Japan
- W95.MTX
- W32.FunLove.4099
- W32.HLLW.Qaz.A

USA
- Wscript.KakWorm
- W32.HLLW.Qaz.A
- W95.MTX

New Virus Hoaxes reported to Symantec
No New Hoaxes this Month
Top 20 Consolidated Global Threats (by SecurityPortal)
1. Happy99.Worm (alias W32.Ska)
2. W95.MTX
3. W32.HLLW.Qaz.A (alias Troj.Qaz.A)
4. Wscript.KakWorm (alias VBS.KakWorm)
5. VBS.LoveLetter
6. VBS.Stages.A
7. W32.PrettyPark
8. W32.Funlove.4099
9. VBS.Network
10. W32.Sonic.Worm
11. W97M.Thursday
12. W97M.Marker
13. W97M.Melissa.BG
14. W32.ExploreZip
15. VBS.Quatro.A
16. W95.CIH
17. SubSeven.Server (alias Troj.SubSeven)
18. W97M.Stand
19. VBS.FriendMess.A
20. W95.Firkin
It's already time for the November newsletter and of course December's is already in the works. We are also thinking about some new features for the publication in 2001 whilst maintaining the current format and quality of content.

One option is a very lightweight version of the text-only edition with all the information normally carried in the sidebar to the left, but with URLs instead of the articles themselves. This would be great for mobile devices like WAP-enabled phones, PalmOS and PocketPC style devices with web page synchronisation software like AvantGo.

We are also working on ways to authenticate or digitally sign the newsletter, as the number of requests for this is steadily increasing. Your preferences or comments in either area are welcome; send them to me at the address below.

The Microsoft hack and W32.HLLW.QAZ made the headlines this month, although I must admit I've found it difficult following the constantly revised accounts of what happened. It is entirely probable that QAZ could have been an initial vector for the hack. We have posted QAZ and MTX removal tools at http://www.sarc.com.

This month we have two new threat level 3 worms, W32.Sonic.Worm and W32.HLLW.Bymer. We also carry a summary of Mark Kennedy's excellent article "Script Based Mobile Threats".

David Banes,
Editor, sarc@symantec.com
Stop Press - W32.Navidad [4]

PHP.Pirus - New Category of Virus Discovered
Threat level: Minimal [1]
Type: Script
This virus is merely a proof of concept, rather than any kind of significant threat. It is the first known virus to infect PHP files. PHP is becoming increasingly popular as a server-side web site scripting language similar to Perl. Users browsing web sites are not at risk.

It is a direct-action infector of .php files (other than itself) and .htm files in the current directory. Infection consists of appending to each file a PHP script that loads and executes the virus. Thus infected files do not contain the virus itself, only a reference to it.

http://www.sarc.com/avcenter/venc/data/php.pirus.html
by Peter Ferrie, SARC, Asia Pacific
Worms in the News

W32.Sonic.Worm
Threat level: Moderate [3]
Type: Win32
W32.Sonic.Worm is an email worm that appears to have originated in France. The worm emails itself to addresses in the Windows address book.

Once executed, the worm attempts to download additional files, including commercial DLLs that provide emailing routines, and an updated version of the worm. The worm also creates a backdoor that allows remote access to the computer.

To remove it, restart the computer in Safe Mode, remove the worm's registry entries and delete all detected files.

http://www.sarc.com/avcenter/venc/data/w32.sonic.worm.html
by Eric Chien, SARC, EMEA
W32.HLLW.Bymer
Threat level: Moderate [3]
Type: Win32
W32.HLLW.Bymer is a worm written in a high-level language such as C rather than in assembler. The worm spreads via shared network drives: it looks for shared folders on the network and copies itself to any share through which it can write into the Windows\system folder.

The payload includes copying the Dnetc client and modifying the Win.ini file. The Dnetc client is not viral and will not be detected by Norton AntiVirus. The worm was previously detected as Dnet.Dropper.

http://www.sarc.com/avcenter/venc/data/w32.hllw.bymer.html
by Neal Hindocha, SARC, EMEA
Viruses in the News

W95.Bistro
Threat level: Small [2]
Type: Win9x
W95.Bistro is a virus that infects files under Windows 9x. It is currently one of the most complex and difficult-to-detect 32-bit metamorphic viruses. It was created by two virus writers working together.

The virus infects Portable Executable (PE) files, and adds an infected executable into .zip or .rar archive files. The virus spreads via an infected dropper. The dropper copies the virus under a random name into the Windows directory, and that copy runs automatically when the computer starts.

Norton AntiVirus, with the latest virus definitions file, detects all known dropper files for the virus as well as other infected files using the Symantec Striker32 scanning engine. Infected files should be deleted and replaced with clean backup copies.

http://www.sarc.com/avcenter/venc/data/w95.bistro.html
by Peter Szor and Peter Ferrie, SARC, USA
Trojans in the News

Backdoor.Smorph
Threat level: Minimal [1]
Type: Win32
Backdoor.Smorph is a polymorphic Trojan horse. It is distributed as an executable embedded inside an .shs file (an OLE container). The Trojan horse drops files and opens network connections.

Take the following steps to remove Backdoor.Smorph from your system:
- Kill the Pnpmgr.pci process.
- Delete the original .shs file.
- Delete Oleproc.exe, Pnpmgr.pci, Vmldr.vxd and Jpegcomp.dll from the System directory.
- Delete the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMLDR

http://www.sarc.com/avcenter/venc/data/backdoor.smorph.html
by Dmitry Reyder, SARC, USA
Visit the Symantec Enterprise Security Web Site
Read "Desktop Firewalls: Protecting Remote Users" to find out how to better mitigate the security risks of mobile computing.
http://enterprisesecurity.symantec.com/content.cfm?articleid=277

Get the latest security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Script Based Mobile Threats
Microsoft has created a very flexible, powerful environment on its Win32 platforms. The combination of simple scripting languages with powerful objects, reached through the common interface of COM, makes it possible for relatively unsophisticated programmers to create fully functional business applications. Moreover, Microsoft has extended these tools to run from HTML, making deployment of these applications very inexpensive.

The downside to this power and flexibility is that malicious people can now use the same technology to attack machines. Exacerbating this threat are standard HTML-based email programs that will execute these scripts. This allows the perpetrator to deliver his package anonymously, and that package to propagate using the victim's own email address book.

To combat this threat we can inject an intelligent layer, a script firewall if you will, to determine which scripts are allowed to execute. This layer can be customized to the individual or organization to balance the business requirements against the security implications. The linked document below explores the difficulties of building a script behavior blocking system and examines how effective such a system is against today's malicious threats.

http://www.sarc.com/avcenter/reference/script.based.mobile.threats.pdf
By Mark Kennedy, SARC, USA
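As an added illustration of the script-firewall idea above (example code written for this summary, not SARC's or Mark Kennedy's own), here is a small static policy check in Python: it profiles which COM objects a WSH or HTML-hosted script instantiates and which mail and file behaviours it combines, then applies a per-site policy of allow, prompt or block. The ProgID table, the behaviour patterns, the policy format and the two sample scripts are constructed assumptions for illustration.

```python
import re

# ProgIDs a WSH or HTML-hosted script instantiates to reach the file system, shell or mail.
CAPABILITIES = {
    "Scripting.FileSystemObject": "filesystem",
    "WScript.Shell": "shell",
    "Outlook.Application": "mail",
    "MAPI.Session": "mail",
}
# VBScript CreateObject(...) and JScript new ActiveXObject(...) both name the ProgID as a string.
PROGID_RE = re.compile(r'(?:CreateObject|new\s+ActiveXObject)\s*\(\s*"([^"]+)"', re.IGNORECASE)
# Behaviour signals that, taken together, look like self-propagation rather than business logic.
SIGNALS = {
    "address_book": re.compile(r"\bAddress(?:Lists|Entries)\b", re.IGNORECASE),
    "send_mail": re.compile(r"\.Send\b", re.IGNORECASE),
    "attach_self": re.compile(r"Attachments\.Add\s*\(\s*WScript\.ScriptFullName", re.IGNORECASE),
    "copy_self": re.compile(r"CopyFile\s*\(?\s*WScript\.ScriptFullName", re.IGNORECASE),
}

def profile(script):
    """Static behaviour profile: which capabilities and signals the script source contains."""
    caps = {CAPABILITIES.get(pid, "other:" + pid) for pid in PROGID_RE.findall(script)}
    sigs = {name for name, rx in SIGNALS.items() if rx.search(script)}
    return {"capabilities": caps, "signals": sigs}

def decide(script, policy):
    """Apply a site policy to a script; returns (verdict, reason), verdict is allow/prompt/block."""
    p = profile(script)
    disallowed = p["capabilities"] - policy["allowed_capabilities"]
    if disallowed:
        return "block", "uses disallowed capability: " + ", ".join(sorted(disallowed))
    # Mass-mailer pattern: enumerates the address book, sends mail, and attaches or copies itself.
    if {"address_book", "send_mail"} <= p["signals"] and p["signals"] & {"attach_self", "copy_self"}:
        return "block", "self-propagation pattern (address book + send + self-attach)"
    if "mail" in p["capabilities"] and policy.get("prompt_on_mail", True):
        return "prompt", "script sends mail; ask the user"
    return "allow", "no policy violation"

# Constructed samples (hypothetical): a benign report reader, and a fragment carrying only the
# tell-tale calls of a mass mailer; neither is real malware and the second is not a working script.
BENIGN = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\\reports\\sales.txt", 1)
WScript.Echo f.ReadAll'''
MAILER = '''Set ol = CreateObject("Outlook.Application")
' ... iterates ns.AddressLists(1).AddressEntries ...
' ... m.Attachments.Add(WScript.ScriptFullName) then m.Send per entry ...'''
OFFICE_POLICY = {"allowed_capabilities": {"filesystem", "shell", "mail"}, "prompt_on_mail": True}

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("mailer", MAILER)):
        print(name, decide(src, OFFICE_POLICY))
```

A stricter policy (for example an empty allowed-capability set for scripts arriving by email) blocks even the benign sample, which is the trade-off between business requirements and security the text describes.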
See the SARC Glossary for definitions of viruses, Trojans, worms and more.
Contacts

Correspondence by email to: sarc.avnews@symantec.com (no unsubscribe or support emails, please).
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
This is a Symantec Corporation publication; use of its contents requires permission in advance from the Editor. All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-2000 Symantec Corporation. All rights reserved.