SYMANTEC.

 
AntiVirus Research Center

"The Sun Never Sets on SARC"

   
 


October 2000 Newsletter

 
   

These are the Viruses, Trojans and Worms most reported to SARC's offices during the last month.

Top Global Threats
W32.HLLW.Qaz.A
W95.MTX
VBS.Stages.A
Wscript.KakWorm
W32.FunLove.4099
Happy99.Worm
VBS.LoveLetter
VBS.Network
PrettyPark.Worm

Asia Pacific
Wscript.KakWorm
W32.HLLW.Qaz.A
W95.MTX

Europe
Wscript.KakWorm
Backdoor.SubSeven
W32.HLLW.Qaz.A

Japan

W32.HLLW.Qaz.A
W95.MTX
VBS.LoveLetter

USA
Wscript.KakWorm
W32.HLLW.Qaz.A
W95.MTX


New Virus Hoaxes reported to Symantec

No New Hoaxes this Month



Top 20 Consolidated Global Threats
By SecurityPortal

Happy99.Worm (alias W32.Ska)
W32.HLLW.Qaz.A (alias Troj.Qaz.A)
W95.CIH
VBS.LoveLetter
VBS.Stages.A
W32.PrettyPark
W97M.Marker
W32.ExploreZip
VBS.KakWorm
W95.MTX
W97M.Melissa.BG
W97M.Thursday
VBS.Quatro.A
W97M.Panther
W95.Firkin
SubSeven.Server (alias Troj.SubSeven)
W97M.Stand
VBS.FriendMess.A
W97M.Cybernet.A
W97M.Ethan.A

 

  Welcome to the October edition of the Symantec AntiVirus Research Center Newsletter. The HTML version of this issue includes a new unsubscribe panel at the bottom of the left margin and a new colour scheme, as well as updating you on the new threats.

The Palm platform has finally succumbed to the virus threat, and we cover a PalmOS virus and a Trojan this month. While they both have our lowest threat rating of 1, they are interesting. W2K.Stream has also received attention in the media due to its novel file infection method.

In the July newsletter we carried an abbreviated version of Eric Chien's article on PalmOS Security. Eric has since updated this to include two other platforms, EPOC and Windows CE/Pocket PC. See below for a summary of the article in the newsletter; the full version can be read online at the SARC web site.

The Association of anti-Virus Asia Researchers (AVAR) annual international conference is to be held in Tokyo this year on the 28th and 29th October. Speakers include Motoaki Yamamura (SARC USA), Randy Abrams (Microsoft), Shane Coursen (Wildlist) and senior research staff of various anti-virus companies and Japanese security agencies. For more information please visit their web site at http://www.aavar.org/ .


W95.MTX and W32.FunLove.4099 have both been moved up to a threat level 4 due to an increase in the number of 'in the wild' reports over the last month.

David Banes,
Editor,
sarc@symantec.com
   
   

 

   
   

 

       
             
       
Worms in the News

Small [2]

Win32

 
        JS/VBS.LostSoul.Worm is a worm that spreads via email. When executed, it displays a text file containing the Wobbler Hoax. The attachment in the email message is named Wobbler.txt.jse or Wobbler.txt.vbe. When opened, these attachments create and execute a temporary file containing malicious code.

The worm also spreads via networks by copying itself to the root directories of shared drives. The worm originated in Argentina. As of September 8th, SARC has had no reports of this virus being in the wild.
To remove the worm, delete all JS/VBS.LostSoul.Worm emails and files.

http://www.sarc.com/avcenter/venc/data/vbs.lostsoul.worm.html
by: Neal Hindocha
SARC, EMEA


VBS.Funny.A

Small [2]

Win32

VBS.Funny.A is a worm that spreads via Microsoft Outlook. When executed, the worm opens the URL www.makeyoulaugh.com in your default Internet browser. The worm then checks for the existence of a registry key used by the United Bank of Switzerland's PIN software. If the key exists, the worm creates an executable file. This file is a Trojan horse. It logs cached passwords and keyboard input. The Trojan horse is detected as PWSteal.Trojan. Delete all files detected as VBS.Funny.A.

http://www.sarc.com/avcenter/venc/data/vbs.funny.a.html
by: Neal Hindocha
SARC, EMEA
   
                 
       
 Viruses in the News

Minimal [1]

PalmOS

   
Palm.Phage.Dropper is the first virus discovered on the Palm OS based handheld platform. It was discovered on Sept 22, 2000. Symantec AntiVirus Research Center does not have any confirmed reports of users being affected by this virus, and it is considered a very low threat.

This Palm OS virus overwrites all installed applications on a Palm OS handheld device. Norton AntiVirus can detect this program on a desktop computer before the malicious application is hot synched to the Palm OS based handheld. If Norton AntiVirus is not set to scan all files, add the .prc extension to the list of program files to scan.

Delete the .prc file that Norton AntiVirus detects as Palm.Phage.Dropper from the Palm Desktop backup folder.
If Palm.Phage.Dropper is detected on your desktop, you should hard reset your Palm OS device and perform a hot sync.

Symantec AntiVirus for Palm OS® Beta Version Now Available

http://www.sarc.com/avcenter/venc/data/palm.phage.dropper.html
by: Motoaki Yamamura
SARC, USA


W2K.Stream

Minimal [1]

W2K

W2K.Stream virus was discovered in early September, 2000. The virus was created by Benny and Ratter of the 29A virus group. This virus is a proof of concept virus that utilizes NTFS streams and has received much attention. It is a new subclass of the traditional companion virus and is now being referred to as the "Stream Companion" virus.

W2K.Stream virus will only infect files on Windows 2000 using NTFS, and only the files in the same directory. The infected files will become 3,628 bytes long regardless of the original file size because the original host file is replaced by the virus and stored in a different stream.

http://www.sarc.com/avcenter/venc/data/w2k.stream.html
by: Peter Szor

SARC, USA
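
The size signature described above (a main stream of exactly 3,628 bytes with the host moved to another stream) can be turned into a triage check. This is an added example, not Symantec's detection logic; the inventory format, file paths and the stream name "example" are constructed assumptions, and a match is a lead for scanning, not proof of infection.

```python
from collections import defaultdict
import ntpath

INFECTED_SIZE = 3628  # main-stream size the newsletter reports for infected files

# Constructed inventory: (path, stream name, size in bytes). "" is the unnamed
# (main) data stream; the named streams here are made-up examples.
SAMPLE = [
    (r"C:\tools\calc.exe", "", 3628),
    (r"C:\tools\calc.exe", "example", 114688),
    (r"C:\tools\edit.exe", "", 3628),
    (r"C:\tools\edit.exe", "example", 69886),
    (r"C:\tools\small.exe", "", 3628),        # right size, no alternate stream
    (r"C:\docs\report.doc", "", 20480),
    (r"C:\docs\report.doc", "summary", 120),  # benign named stream on a document
    (r"C:\apps\setup.exe", "", 51200),
    (r"C:\apps\setup.exe", "Zone.Identifier", 26),
]

def find_stream_companions(inventory, exts=(".exe",)):
    """Return {directory: [paths]} for files matching the stream-companion pattern."""
    streams = defaultdict(dict)
    for path, name, size in inventory:
        streams[path][name] = size
    hits = defaultdict(list)
    for path, by_name in streams.items():
        if not path.lower().endswith(exts):
            continue
        main = by_name.get("")
        named_sizes = [s for n, s in by_name.items() if n]
        # Pattern: the main stream has exactly the reported size and at least
        # one non-empty named stream exists that could hold the displaced host.
        if main == INFECTED_SIZE and any(s > 0 for s in named_sizes):
            hits[ntpath.dirname(path)].append(path)
    return {d: sorted(p) for d, p in hits.items()}

def rank_directories(hits):
    """Order directories by hit count, highest first: the virus infects
    files in one directory, so clustered matches are the stronger lead."""
    return sorted(hits, key=lambda d: (-len(hits[d]), d))

if __name__ == "__main__":
    found = find_stream_companions(SAMPLE)
    for directory in rank_directories(found):
        print(directory, found[directory])
```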
   
                   
         
 Trojans in the News

Minimal [1]

PalmOS

   
Palm.Vapor is the second Trojan horse program on the Palm OS based handheld platform. It was discovered on Sept 22, 2000. Symantec AntiVirus Research Center does not have any confirmed reports of users being affected by this Trojan horse, and it is considered a very low threat.

This Palm OS Trojan marks all installed Palm OS applications as hidden applications. Norton AntiVirus can detect this program on a desktop computer before the malicious application is hot synched to the Palm OS based handheld. If Norton AntiVirus is not set to scan all files, add the .prc extension to the list of program files to scan.

A hard reset and hot sync will restore the hidden icons.
The .prc file that NAV detects as Palm.Vapor needs to be deleted.


http://www.sarc.com/avcenter/venc/data/palm.vapor.html
by: Motoaki Yamamura
SARC, USA
   
                   
         
Malicious Threats to Personal Digital Assistants
   
   



PDAs are more than just an address book. Combined with technologies such as Bluetooth and WAP (wireless application protocol), the functionality of the PDA is moving towards a desktop computer combined with a cellular phone.

As corporations begin to adopt PDAs as a standard computing device within their digital infrastructure, and applications become more robust and meaningful with the standardisation of wireless computing, threats from malicious code become more serious.

The linked article explores the malicious code threats on the three major PDA platforms (PalmOS, EPOC32, and Windows CE/PocketPC). It covers the hardware and software configurations and system architecture of each type of PDA. The connection mechanisms that malicious code is likely to use to install itself are discussed, as well as the types of solutions that will be required to adequately protect against and recover from virus or worm infections.

http://www.symantec.com/avcenter/reference/malicious.threats.to.pdas.html
Eric Chien
SARC, EMEA
   
                 
       

SARC Glossary for definitions of viruses, Trojans and worms and more.

   
        Contacts    
        Correspondence by email to: sarc.avnews@symantec.com, no unsubscribe or support emails please.
Send virus samples to:
avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html
   
     

 

     
       

This is a Symantec Corporation publication, use of requires permission in advance from the Editor.
All information contained in this newsletter is accurate and valid as of the date of issue.

 

Copyright © 1996-2000 Symantec Corporation. All rights reserved.