Three worms and the tricks they use to spread |
 |
By Bill Brenner, News Writer
30 Mar 2005 | SearchSecurity.com |
|
|
Antivirus firms are eyeing a trio of worms, all carrying dangerous payloads.
The first spreads through instant messaging, poses as a funny screensaver and downloads a "dangerous" bot on impacted PCs. The second has appeared as several different variants in the past week and can leave backdoors on the computers it infects. The third spreads through network shares and steals confidential information.
Here's the breakdown on Kelvir-F, multiple strains of Mytob and Sory-A:
Kelvir-F
Lynnfield, mass.-based antivirus firm Sophos said Kelvir-F is an instant messaging worm that poses as a funny screensaver. It spreads via Windows Messenger, uses a variety of different messages and sends itself to every person in the infected computer's contact list.
"More people are becoming aware that they need to be suspicious of unsolicited e-mail attachments, but many are still oblivious to the dangerous other ways in which viruses can attack their systems," Graham Cluley, senior technology consultant for Sophos, said in a statement. "Users of instant messaging software must run up-to-date virus protection software on their desktop computers, as well as exercising caution about what they choose to run or click on."
The worm is attached to messages it randomly plucks from the following list:
- hey check this out I almost pee'd my pants
- wow, i almost fell off the chair when i saw this
- haha i just found the funniest drawing, check it out
- wow, this drawing makes you feel like your're on some type of drug
- crazy, its like a virtual acidtrip or something, check it out
Clicking on the URL that immediately follows the message takes the user to a Web page containing a file called funnyashell.scr, Sophos said. "At the time of analysis,
the file available for download contained the dangerous W32.Rbot-ZU… which can quickly infect unpatched computers… without requiring any user interaction," the firm added in its advisory.
"People need to get out of the bad habit of exchanging joke programs, funny screensavers and the like willy-nilly with each other," Cluley said. "Virus writers will often disguise their malware as this kind of content in an attempt to lure people into clicking before they think."
Multiple Mytob variants
Cupertino, Calif.-based antivirus firm Symantec has been monitoring about eight different variants of the Mytob mass-mailing worm in the past week. The latest are Mytob-R and Mytob-S. Like the earlier variants, Symantec has labeled both as a low-to-moderate threat. But the firm still recommended users keep their security software updated.
The Mytob family spreads by e-mail, can open backdoors on affected machines and exploits security holes in Windows. The latest variants also try to block infected computers from accessing security update Web sites from companies like F-Secure, Kaspersky, McAfee, Symantec and Microsoft by appending text to the Hosts file.
Sory-A
Symantec is also watching Sory-A, a worm that spreads through network shares and steals confidential information. The firm said the worm tries to log keystrokes, e-mail settings, information about the computer hardware and Windows registration details.
Symantec considers the worm, which also targets Windows systems, to be a medium-level threat when its potential for damage and distribution are factored in. But it isn't spreading rapidly enough at this point for the company to raise its overall ThreatCon above Level 1.
|
|
|
|
