Symantec AntiVirus Research Center (SARC)
"The Sun Never Sets on SARC"

November 2000 Newsletter

These are the viruses, Trojans and worms most frequently reported to SARC's offices during the last month.

Top Global Threats
W95.MTX
W32.HLLW.Qaz.A
VBS.Stages.A
VBS.LoveLetter
VBS.Network
Wscript.KakWorm
W32.FunLove.4099
PrettyPark.Worm
Happy99.Worm

Asia Pacific
Wscript.KakWorm
W32.HLLW.Qaz.A
W95.MTX

Europe
W95.MTX
Wscript.KakWorm
W32.HLLW.Qaz.A

Japan
W95.MTX
W32.FunLove.4099
W32.HLLW.Qaz.A

USA
Wscript.KakWorm
W32.HLLW.Qaz.A
W95.MTX


New Virus Hoaxes reported to Symantec

No New Hoaxes this Month


Top 20 Consolidated Global Threats

By SecurityPortal

Happy99.Worm (alias W32.Ska)
W95.MTX
W32.HLLW.Qaz.A (alias Troj.Qaz.A)
Wscript.KakWorm (alias VBS.KakWorm)
VBS.LoveLetter
VBS.Stages.A
W32.PrettyPark
W32.Funlove.4099
VBS.Network
W32.Sonic.Worm
W97M.Thursday
W97M.Marker
W97M.Melissa.BG
W32.ExploreZip
VBS.Quatro.A
W95.CIH
SubSeven.Server (alias Troj.SubSeven)
W97M.Stand
VBS.FriendMess.A
W95.Firkin

 

It's already time for the November newsletter and of course December's is already in the works. We are also thinking about some new features for the publication in 2001 whilst maintaining the current format and quality of content.

One option is a very lightweight version of the text-only edition with all the information normally carried in the sidebar to the left, but with URLs instead of the articles themselves. This would be great for mobile devices like WAP-enabled phones, PalmOS and PocketPC style devices with web page synchronisation software like AvantGo. We are also working on ways to authenticate or digitally sign the newsletter, as the number of requests for this is steadily increasing. Your preferences or comments in either area are welcome; send them to me at the address below.

The Microsoft hack and W32.HLLW.QAZ made the headlines this month, although I must admit I've found it difficult following the constantly revised accounts of what happened. It is entirely probable that QAZ could have been an initial vector for the hack. We have posted QAZ and MTX removal tools at http://www.sarc.com.

This month we have two new threat level 3 worms, W32.Sonic.Worm and W32.HLLW.Bymer. We also carry a summary of Mark Kennedy's excellent article, Script Based Mobile Threats.

David Banes,
Editor,
sarc@symantec.com

   
Stop Press - W32.Navidad [4]

PHP.Pirus - New Category of Virus Discovered

Minimal [1]

Script

This virus is merely a proof of concept rather than any kind of significant threat. It is the first known virus to infect PHP files. PHP is becoming increasingly popular as a server-side web site scripting language similar to Perl. Users browsing web sites are not at risk.

It is a direct-action infector: it appends to every .php file (other than itself) and .htm file in the current directory a PHP script that loads and executes the virus. Infected files therefore do not contain the virus body itself, only a reference to it.


http://www.sarc.com/avcenter/venc/data/php.pirus.html
by Peter Ferrie, SARC, Asia Pacific
   
             
        Worms in the News  
       
W32.Sonic.Worm

Moderate [3]

Win32

W32.Sonic.Worm is an email worm that appears to have originated in France. The worm emails itself to addresses in the Windows address book.

Once executed, the worm attempts to download additional files, including commercial DLLs that provide emailing routines, and an updated version of the worm. The worm also creates a backdoor that allows remote access to the computer.

To remove it, restart the computer in Safe Mode, remove the worm's registry entries and delete all detected files.

http://www.sarc.com/avcenter/venc/data/w32.sonic.worm.html
by Eric Chien.
SARC, EMEA.



W32.HLLW.Bymer

Moderate [3]

Win32

W32.HLLW.Bymer is a worm written in a high-level language such as C rather than in assembler. It spreads via shared network drives: it looks for shared folders on the network and copies itself into the remote machine's Windows\System folder wherever a share gives it write access there.

The payload installs the Dnetc (distributed.net) client and modifies the Win.ini file. The Dnetc client itself is not viral and is not detected by Norton AntiVirus. The worm was previously detected as Dnet.Dropper.

http://www.sarc.com/avcenter/venc/data/w32.hllw.bymer.html
by Neal Hindocha.
SARC, EMEA.
   
                 
       
Viruses in the News

W95.Bistro

Small [2]

Win9x

W95.Bistro is a virus that infects files under Windows 9x. It is currently one of the most complex and hardest-to-detect 32-bit metamorphic viruses, and was created by two virus writers working together.

The virus infects Portable Executable (PE) files and also adds an infected executable to .zip and .rar archives. It spreads via a dropper, which copies the virus under a random name into the Windows directory and arranges for it to run automatically when the computer starts.

Norton AntiVirus, with the latest virus definitions file, detects all known dropper files from the virus as well as other infected files using the Symantec Striker32 scanning engine. Infected files should be deleted and replaced with clean backup copies.

http://www.sarc.com/avcenter/venc/data/w95.bistro.html
by Peter Szor and Peter Ferrie.
SARC, USA.
   
                 
       
Trojans in the News

Backdoor.Smorph

Minimal [1]

Win32

Backdoor.Smorph is a polymorphic Trojan horse. It is distributed as an executable embedded inside an .shs file (a Windows shell scrap, which is an OLE container). The Trojan horse drops files and opens network connections.

Take the following steps to remove Backdoor.Smorph from your system:

- Kill the Pnpmgr.pci process.
- Delete the original .shs file.
- Delete Oleproc.exe, Pnpmgr.pci, Vmldr.vxd and Jpegcomp.dll from the System directory.
- Delete the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMLDR

http://www.sarc.com/avcenter/venc/data/backdoor.smorph.html
by Dmitry Reyder.
SARC, USA.
   
         
Visit The Symantec Enterprise Security Web Site
   
          Read "Desktop Firewalls: Protecting Remote Users" to find out how to better mitigate the security risks of mobile computing.
http://enterprisesecurity.symantec.com/content.cfm?articleid=277

Get the latest security news delivered straight to your inbox. Register for
Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
   
                   
         
Script Based Mobile Threats
   
   



Microsoft has created a very flexible, powerful environment on its Win32 platforms. The combination of simple scripting languages coupled with powerful objects through the common interface of COM makes it possible for relatively unsophisticated programmers to create fully functional business applications. Moreover, Microsoft has extended these tools to run from HTML, making deployment of these applications very inexpensive.

The down-side to this power and flexibility is that it is now possible for malicious people to use the same technology to attack machines. Exacerbating this threat are standard HTML-based email programs that execute these scripts. This allows the perpetrator to deliver his package anonymously, and allows that package to propagate using the victim's own email address book.

To combat this threat we can inject an intelligent layer, a script firewall if you will, that determines which scripts are allowed to execute. This layer can be customized to the individual or organization to balance the business requirements against the security implications. The linked document below explores the difficulties of building a script behavior blocking system and examines how effective such a system is against today's malicious threats.

http://www.sarc.com/avcenter/reference/script.based.mobile.threats.pdf
By Mark Kennedy
SARC, USA.
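To make the "script firewall" idea concrete, here is an added example (not code from SARC, Symantec or Mark Kennedy's paper): a toy policy engine that inspects a WSH or HTML script body, derives the behaviours it would exercise through COM (file system, shell, registry, mail, address book), and checks them against a per-trust-zone policy. The behaviour names, the zones and policy table, and the two sample scripts are all constructed for illustration; a real blocker sits inside the script engine and judges object creation and method calls as they happen rather than pattern-matching source text.

```python
"""Added example, not SARC code: a toy static 'script firewall' for WSH/HTML
scripts.  Behaviour names, zones, policy and sample scripts are constructed."""
import re

# COM ProgIDs that hand a script a capability.  VBScript is case-insensitive,
# so everything is matched in lower case after normalisation.
PROGID_BEHAVIOURS = {
    "scripting.filesystemobject": "filesystem",
    "wscript.shell": "shell",
    "shell.application": "shell",
    "wscript.network": "network",
    "outlook.application": "mail",
    "mapi.session": "mail",
}

# Method/property names revealing how an object is used.  VBScript calls may
# omit parentheses (sh.RegWrite "key", value), so only the name is matched.
METHOD_BEHAVIOURS = {
    r"\.regwrite\b": "registry_write",
    r"\.run\b|\.exec\b|\.shellexecute\b": "exec",
    r"\.addresslists\b|\.addressentries\b|\.recipients\b": "addressbook",
    r"\.send\b": "mail_send",
    r"wscript\.scriptfullname\b|\.copyfile\b": "self_copy",
}

# Per-zone policy: behaviours not listed are denied; "*" allows everything
# except DENY_ALWAYS.  An organisation tunes this to its business needs.
POLICY = {
    "email": set(),                     # HTML mail gets no COM objects at all
    "intranet": {"filesystem", "shell", "exec", "registry_write",
                 "network", "mail", "mail_send", "addressbook"},
    "local": {"*"},
}
DENY_ALWAYS = {"mass_mail", "propagation"}

_CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')


def normalise(src):
    """Fold literal concatenation such as "WScr" & "ipt.Shell", a common
    evasion against naive signatures, then lower-case the result."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src.lower()


def behaviours(src):
    """Return the set of behaviour names the script would exercise."""
    s = normalise(src)
    found = set()
    for m in re.finditer(r'(?:createobject|activexobject|getobject)\s*\(\s*"([^"]+)"', s):
        # Unknown ProgIDs are reported as com:<progid> so restricted zones
        # still deny them.
        found.add(PROGID_BEHAVIOURS.get(m.group(1), "com:" + m.group(1)))
    for pattern, name in METHOD_BEHAVIOURS.items():
        if re.search(pattern, s):
            found.add(name)
    # Combinations are what separate a mass mailer from a business app that
    # sends one notification or looks up a directory entry.
    if {"addressbook", "mail_send"} <= found:
        found.add("mass_mail")
    if "self_copy" in found and found & {"mass_mail", "network"}:
        found.add("propagation")
    return found


def decide(src, zone):
    """Return ("allow", []) or ("deny", [reasons]) for a script in a zone."""
    found = behaviours(src)
    allowed = POLICY[zone]
    reasons = sorted(found & DENY_ALWAYS)
    if "*" not in allowed:
        reasons += sorted(found - allowed - DENY_ALWAYS)
    return ("deny" if reasons else "allow", reasons)


# Constructed sample 1: the shape of an address-book mass mailer.
MAILER = r"""
Set fso = CreateObject("Scripting.FileSystemObject")
Set ol = CreateObject("Out" & "look.Application")
For Each lst In ol.GetNameSpace("MAPI").AddressLists
  For Each ent In lst.AddressEntries
    Set msg = ol.CreateItem(0)
    msg.Recipients.Add ent.Address
    msg.Attachments.Add WScript.ScriptFullName
    msg.Send
  Next
Next
"""

# Constructed sample 2: an intranet logon script doing ordinary admin work.
LOGON = r"""
Set sh = CreateObject("WScript.Shell")
Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "H:", "\\fileserver\home"
sh.RegWrite "HKCU\Software\Acme\LastLogon", Now
"""

if __name__ == "__main__":
    for name, script in (("mailer", MAILER), ("logon", LOGON)):
        for zone in POLICY:
            print(name, zone, decide(script, zone))
```

The logon script is allowed in the intranet zone and denied in the email zone (shell, network and registry access are not granted there), while the mailer is denied everywhere, including the fully trusted local zone, because the address-book plus send plus self-attach combination is on the always-deny list. The weakness of inspecting source text is also visible: Chr()-built strings, Execute/eval of decoded payloads and other obfuscation defeat the regexes, which is why the paper argues for blocking at the behaviour level inside the engine, where the ProgID actually passed to CreateObject and the method actually invoked are visible whatever the source looked like.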
   
                 
       

See the SARC Glossary for definitions of viruses, Trojans, worms and more.

   
        Contacts    
Correspondence by email to sarc.avnews@symantec.com; no unsubscribe or support emails, please.
Send virus samples to:
avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html
   
     

 

     
       

This is a Symantec Corporation publication; reuse of its contents requires permission in advance from the Editor.
All information contained in this newsletter is accurate and valid as of the date of issue.

 

Copyright © 1996-2000 Symantec Corporation. All rights reserved.