
LATEST ON COMPUTER VIRUS

New Worm Targets Microsoft SQL Servers

A new Internet worm that targets poorly secured systems running Microsoft's SQL Server software is on the loose but unlikely to spread widely, security experts reported today.

The worm, which has not yet been named, appears to target Microsoft SQL servers which have no password on the system administrator account, according to a preliminary analysis of the code by participants on Incidents, a mailing list for tracking computer intrusions.

When it finds a vulnerable system, the worm appears to install two Trojan horse programs that may be used by the worm's creator to control the server.

The programs are downloaded by the worm to the victim server from an apparently compromised system registered to the Philadelphia Museum of Art. By this afternoon, the two files had been removed from the server, essentially sterilizing the worm, experts said.

The worm also attempts to make a connection to an Internet relay chat server at Case Western Reserve University in Cleveland, to which it appears to send the address of the compromised machine as well as what may be a password.

In addition to modifying the victim server's system registry to load the Trojan horse programs at boot-up, the worm appears to contain code that scans the Internet for other vulnerable servers on port 1433.
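The scanning behaviour described above is the easiest part of this worm to notice from the network side: one source opening connections to many different hosts on TCP port 1433 in a short time. The following is an added example, not code from the original article, that runs that check over a constructed firewall log excerpt. The log format, field names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt (not from the page). One TCP connection
# attempt per line; 1433 is the SQL Server listener port the worm probes.
SAMPLE_LOG = """\
2001-11-20T10:00:01 DROP src=198.51.100.7 dst=203.0.113.10 dport=1433 proto=tcp
2001-11-20T10:00:01 DROP src=198.51.100.7 dst=203.0.113.11 dport=1433 proto=tcp
2001-11-20T10:00:02 DROP src=198.51.100.7 dst=203.0.113.12 dport=1433 proto=tcp
2001-11-20T10:00:02 ACCEPT src=198.51.100.7 dst=203.0.113.13 dport=1433 proto=tcp
2001-11-20T10:00:03 DROP src=198.51.100.7 dst=203.0.113.14 dport=1433 proto=tcp
2001-11-20T10:00:03 DROP src=198.51.100.7 dst=203.0.113.15 dport=1433 proto=tcp
2001-11-20T10:00:04 ACCEPT src=192.0.2.20 dst=203.0.113.13 dport=1433 proto=tcp
2001-11-20T10:00:05 ACCEPT src=192.0.2.20 dst=203.0.113.13 dport=1433 proto=tcp
2001-11-20T10:00:06 ACCEPT src=192.0.2.21 dst=203.0.113.30 dport=80 proto=tcp
2001-11-20T10:00:06 ACCEPT src=192.0.2.21 dst=203.0.113.31 dport=80 proto=tcp
this line is not a connection record
"""

# Assumed field layout of the constructed log: src=, dst= and dport= tokens.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a connection record, or None for other lines."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    return match.group("src"), match.group("dst"), int(match.group("dport"))


def find_port_scanners(log_text, port=1433, min_targets=5):
    """Map each source that touched at least min_targets distinct hosts on port
    to the number of distinct hosts it touched.

    A legitimate application server talks to one or two database hosts
    repeatedly; a scanning worm touches many different hosts once each, so the
    count of distinct destinations (not the count of connections) is the signal.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not connection records
        src, dst, dport = parsed
        if dport == port:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {count} distinct hosts on port 1433")
```

With the sample above only 198.51.100.7 is reported; 192.0.2.20 connects to a single database host twice and is ignored, as a real application server should be. The threshold and time window would need tuning for a real network, and a source that is already inside the perimeter is the more urgent finding, since the worm also scans outward from hosts it has compromised.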

The SQL worm's dependence on one site for obtaining files gives it a single point of failure, according to Marc Maiffret, chief hacking officer for eEye Digital Security.

"It looks like it was rather poorly developed and therefore it will be rather trivial to stop this worm and track down whomever developed it," said Maiffret, who noted that the weak default password protection on Microsoft SQL Server 7.0 results in many system compromises.

"I am surprised there has not been a worm that exploits this until now," he said.

Microsoft officials were not immediately available for comment.

W32/Badtrans@mm

The major anti-virus companies list the threat of this particular
virus as 'medium' and 'on watch'. The virus has been
discovered at large company gateways and is now infecting home users.

It has been received within the IPA domain in the last 24 hours and
the message originated from an unknown user in Belgium. Like many
other worms, the sender may not realise they are infected and that
their computer is sending the messages.

First discovered in April 2001, this worm has been spreading rapidly
during the last 24 hours (26 Nov 01).

W32/Badtrans@mm is a mass-mailing worm that attempts to send itself
using Microsoft Outlook/Outlook Express by replying to unread email
messages. It emails itself out under several different file names and
also drops a backdoor trojan that logs keystrokes.

The infected email can come from addresses that you recognize and may
contain the following information:

Subject: Re:  

Body: Take a look to the attachment  (although this may be blank)

Attachment: It will arrive as an attachment that is 13,312 bytes in
length. The attachment name is created from three sections. The first
part is chosen from:

fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics 

The second part of the attachment name is chosen from:
.DOC.
.MP3.
.ZIP.

The final part of the attachment name is chosen from:
.pif
.scr

Therefore, an attachment name may appear as:

CARD.DOC.PIF
NEWS_DOC.MP3.SCR
etc.

Aliases:

Backdoor-NK.svr
BadTrans (F-Secure)
I-Worm.Badtrans (AVP)
TROJ_BADTRANS.A (Trend)
W32.Badtrans.13312@mm (NAV)

Warning:
Once running, the trojan attempts to mail the victim's IP address to
the author. Once this information is obtained, the author can connect
to the infected system via the Internet and steal personal
information such as usernames and passwords. In addition, the trojan
also contains a keylogger program which is capable of capturing other
vital information such as credit card and bank account numbers and
passwords.

** Please ensure that your anti-virus software has been updated in
the last 24 hours. The major companies have included this virus in
their detection list although not all the software is able to repair
the virus **

A DVD cartoon spreads a virus called Funlove


And now, a virus that travels by DVD, reports BBC News.

Until now, computer viruses have moved around the globe via the Internet--in e-mail and on websites, in some cases--and on CDs and floppy disks, but not DVDs.

That situation has now changed: a virus called Funlove has been found on DVDs containing the cartoon Powerpuff Girls' "Meet the Beat Alls" episodes (a takeoff on the "Meet the Beatles" album of the 1960s that is based on Beatles songs). Funlove, which is lodged in data files that let users create Powerpuff Girls screensavers and wallpaper (not in the cartoon episodes themselves), corrupts Windows programs and can destabilise and/or crash computers.

The DVDs have been recalled by their producer, Warner Brothers. They were sold in the US but may have been purchased by foreigners visiting in the US or over the Internet and may therefore be spreading abroad, says Graham Cluley of British anti-virus company Sophos.

Since current anti-virus software can protect against Funlove, which has been around for several years, Mr Cluley suggests that "the people producing the DVD may not have been running up-to-date anti-virus software. Old viruses never die; they just lurk in dark corners and directories."

Source: BBC News, "DVD cartoon spreads virus"

BadTrans.B Worm on rampage

A new computer worm that installs hacking software on infected computers hit home e-mail users hard last weekend and could spread to businesses Monday, warned antivirus experts.

Known as BadTrans.B, the worm is spreading mainly due to people's relaxed approach to security during the holiday season, said April Goostree, virus research manager for computer security company McAfee.com.

"The fact that it comes around this time makes more end-users vulnerable, because they are expecting holiday e-mails," she said.

Reports of the worm, a variant of the original BadTrans virus that started spreading last April, started coming in Friday night. By Saturday, Goostree said, McAfee.com had intercepted several hundred copies of the worm. On Sunday, reports of worm infections were coming in at a rate of three to five every minute.

Data provided online by e-mail screening service MessageLabs showed the virus accelerating quickly, with more than 700 infected e-mail messages intercepted on Saturday and several thousand stopped on Sunday.

The numbers knocked SirCam from the No. 1 slot in MessageLabs' daily rankings of the Top 10 bugs, a spot the persistent e-mail worm has held for more than four months.

The worm doesn't play on the holidays, however. Aside from a handful of general names for the e-mail attachment that spreads the worm--such as "card" and "pics"--the worm makes no overt connection to either Thanksgiving or Christmas.

While Badtrans.B is not destructive, it does install a keylogger, a program that records what a person using the infected PC types and then sends the information to the virus writer's e-mail address. The key-logging program, known as Backdoor-NK.server, focuses specifically on four software functions that are used by programs to allow a person to enter a password, so it mainly records account information entered.

The FBI is reportedly using just such a program to collect the digital keys to suspected criminals' accounts.

A PC user will first encounter the worm as an e-mail message--possibly from someone he or she knows--with an executable attachment. The worm propagates by sending itself as a reply to any unread messages in the person's Outlook mailbox. It also sends itself to e-mail addresses culled from images of Web pages contained in the "My Documents" folder and the browser's cache.

The virus uses a vulnerability in Microsoft's Internet Explorer 5.01 and 5.5 to automatically execute itself on PCs that don't have a patched Web browser. Opening the e-mail in a separate window or Outlook's preview pane will cause the worm to execute on unpatched machines.

The vulnerability had also been used by the Nimda worm as one of its four ways of spreading.

"That's the vulnerability du jour," said Roger Thompson, lead antivirus researcher for security firm TruSecure.

On PCs with patched Web browsers, a dialog box will open, asking the person what to do.

While many home consumers got hit with the worm over the weekend, Thompson fears that corporations will start feeling the sting Monday.

"My main worry was that it was going so strongly over the weekend; what's going to happen when people come to work?" he said. "I don't think as many corporations are getting patched as we might have expected."

"It looks like the worm is gestating in the fertile ground of the home-user base. But corporate users will be coming into work (Monday) and setting it off on business networks," added Mark Sunner, chief technology officer at MessageLabs.

GONER COMPUTER OUTBREAK:

A new computer worm named "Goner" has broken out. It arrives in an attachment file named "GONE.SCR", masquerading as a screen saver, with "Hi" in the email subject line. Once the attachment is opened, the worm sends itself to everyone in the user's email address book, tries to close programmes that are running and deletes certain system files, including security software. Goner also tries to turn computers into launch pads for hackers to flood Web servers with traffic. Four Israeli secondary-school students have already admitted creating the "Goner" e-mail worm; the youths, aged 15 and 16, were arrested Friday in the northern city of Nahariya, according to Israeli and foreign press reports. They created the worm as part of a competition with a rival group of hackers, the reports said.

It is predicted that Goner could turn into the biggest outbreak since last year's "love letter" virus; Goner is one of the fastest-moving and potentially most dangerous email viruses around now.

Gokar worm spreads by e-mail, Web, chat 

A new worm called "Gokar" began to spread across the Internet on 6 December via e-mail, the chat program mIRC and the Web, according to a trio of antivirus firms.

The worm is not destructive and has not yet infected many systems, but as with any mass-mailer worm, it could become a nuisance as unsuspecting users spread it. Like other mass-mailing worms such as Anna Kournikova or Badtrans, Gokar spreads through Microsoft Corp.'s Outlook and Outlook Express e-mail clients when a user clicks on an attachment sent with the infected message, according to antivirus firms Symantec Corp., F-Secure Corp. and Trend Micro Inc. Infected e-mail arrives in user inboxes with dozens of combinations of different subject lines, body messages and filenames, though each attachment will end with the .PIF, .SCR, .EXE, .COM or .BAT extension, the companies said.

When the attachment is double-clicked, the worm installs a file called Karen.exe on the infected system and mails itself to all addresses listed in the computer's address book. The worm then runs every time the infected computer is booted up. Whether a system is infected or not can be determined by searching for the Karen.exe file.

The worm also uses the chat program mIRC (Internet Relay Chat), the companies said. Gokar searches the infected PC for the mIRC application, and if it finds it, attempts to infect IRC users in the same discussion, or channel, as the infected system whenever the application is started, according to Trend Micro.

Lastly, if an infected system is running Microsoft's IIS (Internet Information Services) Web server software, the worm will modify the default Web page on the system and offer users visiting the site a chance to download the worm, according to F-Secure. An infected Web site will be changed to display the text "We are Forever" and point users to a link to download a file called Web.exe, which contains the Gokar worm, according to Symantec.

The Nimda worm also defaced Web sites and downloaded files to the computers of users viewing the site. Unlike Nimda, which automatically downloaded a file through the browser, Gokar requires that the user click a link to download the worm. Both Nimda and Code Red exploited IIS to assist in their spread.

Users should check with their antivirus companies for software updates. Companies are urged to block attachments, especially .exe, .scr and .pif files, at their mail gateways to avoid infection.

Reeezak worm outbreak 

A new mass-mailer worm that offers New Year's greetings and what appears to be a Christmas-related animation, but actually attempts to delete large portions of the Windows operating system, is spreading in Europe Wednesday, according to Computer Associates International Inc.

The worm, called Reeezak, appears in in-boxes with the subject line "Hi," and a message that reads "I can't describe my feelings, but all I can say is Happy New Year :-) Bye," according to Ian Hameroff, business manager for security solutions at CA. An attachment called "Christmas.exe" accompanies the e-mail and appears to be a Macromedia Inc. Flash animation, Hameroff said. When the attachment is double-clicked, the worm sends itself to all addresses listed in the user's address book and also tries to delete all the files in the Windows directory as well as disabling some keys on the keyboard, he said. The worm only affects users of Microsoft Corp.'s Outlook or Outlook Express e-mail clients, according to Hameroff.

Though the worm has only shown up in Europe so far, as the business day begins in the U.S., copies of it will likely begin to appear in corporate mailboxes, Hameroff said.

Other antivirus companies report different effects from double-clicking on Reeezak, however. Symantec Corp., in a virus alert posted on its Web site, says that the worm also tries to spread using the mIRC (Internet Relay Chat) application or through shared folders. Symantec also reports that the worm attempts to delete antivirus programs.

To avoid infection, users are cautioned not to open unexpected attachments, and companies should block many e-mail attachments, including .exe files. Users should also check with their antivirus vendor for updated virus protection.

Shoho worm adds, deletes files 

A new worm was identified just before Christmas. The worm, named "Shoho" or "Welyah", spreads via its own e-mail engine, rather than through Microsoft Corp.'s Outlook e-mail client as many worms do, and attempts to delete files, according to antivirus firms Network Associates Inc. and Trend Micro Inc. The worm also exploits the same vulnerability in Microsoft's Internet Explorer browser as the Badtrans worm, which first hit computers earlier this year. This vulnerability allows the worm to execute when an infected e-mail is opened or previewed, rather than when a user double-clicks on an attachment, the companies said.

Even users who have e-mail clients other than Outlook can be affected if they double-click attachments infected with Shoho.

Shoho arrives in in-boxes with a subject line that reads "Welcome to Yahoo! Mail," and a body message of the same text. Also included in the mail is an attachment called Readme.txt. This is actually a .PIF file, however, and 125 spaces are inserted between the .TXT and .PIF extensions, in an attempt to hide the file's true extension from users, Trend Micro said. NAI reports that the Readme.txt is an .EXE file, rather than .PIF.
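Several of the worms above rely on the same naming tricks to get an executable past the reader: the Badtrans names are built as <name>.<DOC|MP3|ZIP>.<pif|scr>, Shoho pads "Readme.txt" with 125 spaces before the real ".pif" extension, and the gateway advice in the Gokar article is to block .exe, .scr and .pif attachments outright. The following is an added example, not code from any of the articles or vendors quoted, of an attachment-name check a mail gateway could apply. The extension lists are taken from the articles; the sample names are constructed for the example, and the whitespace handling is an assumption about how such padding would be normalised.

```python
import re

# Extensions Windows will execute when a user double-clicks the file; the
# articles above name .pif, .scr, .exe, .com and .bat as the ones to block.
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe", "com", "bat"}

# Harmless-looking extensions used as the middle part of a disguised name:
# .DOC/.MP3/.ZIP in the Badtrans names and .txt in the Shoho attachment.
DECOY_EXTENSIONS = {"doc", "mp3", "zip", "txt"}


def normalize_name(name):
    """Remove every run of whitespace from an attachment name.

    Shoho hides its real extension as "Readme.txt<125 spaces>.pif"; after
    normalisation the name reads "Readme.txt.pif" and the real extension is last.
    """
    return re.sub(r"\s+", "", name)


def classify_attachment(name):
    """Return the reasons to block an attachment; an empty list means allow."""
    reasons = []
    clean = normalize_name(name)
    # Leading/trailing blanks are harmless; blanks inside the name are the trick.
    if clean != name.strip():
        reasons.append("whitespace padding hides the real extension")

    # Everything after the first dot-separated piece counts as an extension.
    exts = clean.lower().split(".")[1:]
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + final)
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and final in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguising an executable as ." + exts[-2])
    return reasons


def filter_attachments(names):
    """Split a message's attachment names into (allowed, blocked-with-reasons)."""
    allowed, blocked = [], {}
    for name in names:
        reasons = classify_attachment(name)
        if reasons:
            blocked[name] = reasons
        else:
            allowed.append(name)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample attachment names, modelled on the articles above.
    samples = [
        "CARD.DOC.PIF",                        # Badtrans pattern
        "NEWS_DOC.MP3.SCR",                    # Badtrans pattern
        "Readme.txt" + " " * 125 + ".pif",     # Shoho padding trick
        "www.myparty.yahoo.com",               # MyParty: .com is executable
        "GONE.SCR",                            # Goner screen-saver lure
        "quarterly_report.pdf",                # benign
    ]
    allowed, blocked = filter_attachments(samples)
    print("allowed:", allowed)
    for name, reasons in blocked.items():
        print("blocked:", repr(normalize_name(name)), "->", "; ".join(reasons))
```

Note that the MyParty name is caught only because ".com" is treated as an executable extension; a gateway that merely looked for a "double extension" would let it through, which is why the check on the final extension runs independently of the decoy check.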

When the attachment is double-clicked or an e-mail containing the attachment is opened or previewed, the worm sends itself to all addresses found in the Outlook address book, but uses its own SMTP (Simple Mail Transfer Protocol) engine, rather than using Outlook, Trend said. NAI, however, reports that the worm scans the infected PC's hard drive for e-mail addresses, and stores them in a file called EmailInfo.txt before it sends itself to those addresses.

Once the worm has activated, it attempts to add about a half-dozen files to the computer and delete dozens of others, the companies said. The deletion of these files could cause the computer to crash and prevent it from starting up properly afterwards, NAI said. The worm only affects Windows PCs, the companies said.

Though both companies rank the worm as low risk, its ability to delete files makes the worm worth noting.

The patch to fix the problem in Internet Explorer, which Outlook uses for some functions including previewing messages, can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp.

Users should check with their antivirus companies for updates to deal with the Shoho worm.

Zoher Worm Gives Unwelcome Christmas PC Present

PC users returning to their machines after the Christmas break should take care to update their security software, after two antivirus firms issued warnings about the Zoher worm.

F-Secure issued a level two security alert to users on its Radar security advisory service over the Christmas break. Level two is one of three alert levels. Level two means the virus is active in the wild and is technically sophisticated.

In its advisory to customers, F-Secure says that the Zoher worm arrives in an e-mail with the subject line "Scherzo!" and with a JavaScript attachment. The worm executes automatically on some systems.

Russia's Kaspersky Lab issued a Christmas Day alert to customers about Zoher, which it says is 6.6 kilobytes large and coded in assembler language.

The Moscow-based antivirus company adds that the message body is quite long and has been written in Italian. Kaspersky says that the code uses a similar approach to the Nimda worm - it can be activated from an infected e-mail when a user simply reads or previews a message.

Kaspersky advises users not to open the infected e-mail more than once or else the worm will propagate itself from the users' PC.

DONUT VIRUS / PE_DONUT.A

This worm was first discovered on 9/01/02. Win32/Donut is the first virus to use Microsoft's .NET. This worm is also known as Donut and W32.Donut.A. It is the first known virus that infects programs written in C# running in the .NET framework. It only infects computers running Windows 2000 and above. It executes its non-destructive payload once in every 10 infections, and displays a message.

When an infected file is executed, it searches for .NET executable files. It replaces the 5-byte stub at the file's entry point with a jump instruction. While infecting, it checks the platform and infects Windows 2000 or Windows XP. It tries to infect all the .EXE files under the current directory. It may copy itself repeatedly by appending a space to the existing filename.

Sometimes it may display a message box with the following content:

This cell has been infected by dotNET virus!
.NET.dotNET by Benny/29A


My Party Virus

A new virus, W32/Myparty.a@MM, was discovered on 27/01/02 in Russia.

This mass-mailing worm drops a BackDoor trojan (BackDoor-FB.svr.gen) on WindowsNT/2K/XP system. The worm itself carries no destructive payloads. It arrives in an email message containing the following information:

Subject: new photos from my party!
Body: Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com (29,696 byte PE file)

The attachment name may trick some users into thinking that if they click on the file, they will be taken to a Yahoo website. Certain email clients, especially those that underline the filename, may make this attachment appear more like a URL than the above Microsoft Outlook example which is more clearly distinguishable. The attachment is an executable file with a .COM extension, not a URL. Running the attachment infects the local machine.

On Windows 9x/ME:

  • If the date is between January 25-29, 2002, the virus copies itself to C:\Recycled\regctrl.exe and executes that file.

On Windows NT/2K/XP:

  • If the date is not between January 25-29, 2002, the worm copies itself to C:\Recycled as F-[random number]-[random number]-[random number] with no extension.
  • If the date is between January 25-29, 2002, the worm copies itself to C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder. MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is deleted. If the executable's filename is ACCESS, the user is directed to the www.disney.com website.

This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002. The user's default SMTP server is retrieved from the registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001

The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.

INDICATION OF INFECTION:

  • Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from within Windows)
  • Presence of C:\REGCTRL.EXE
  • Presence of %userprofile%\Start Menu\Programs\Startup\msstask.exe


Abimco Communications & Internet Services Ltd
50 NYSC Orientation Camp Road Kubwa, Abuja Nigeria
2348037264874

info@abimco.com