Security Bytes: New malware making the rounds

Experts warn of Bropia-E, Gaobot-CTX and Bobax-H; Cisco patches flaw.

Malicious code plays chicken with users
If your MSN Messenger displays a photo of a roast chicken with a bikini tan, you've probably been infected by two new pieces of malicious code. PandaLabs of Glendale, Calif., said the bizarre chicken image is the hallmark of Bropia-E and Gaobot-CTX.

Bropia-E uses MSN Messenger to spread, disguising itself as an image file with a variable name "taken from a long list of options and a .pif or .scr extension," PandaLabs said. Examples include "bedroom-thongs.pif," "LMAO.pif" or "LOL.scr."

If the user runs the file, the sinister code sends itself out to all the contacts in MSN Messenger and creates various files on the computer, including one called "winhost.exe," which contains Gaobot-CTX.

Gaobot-CTX carries out the actions that pose the biggest threat to the computer, connecting to IRC channels and waiting for commands from a remote user, PandaLabs said. This allows the attacker to download "all kinds of files to the affected computer: spyware, adware, other viruses, etc."

"As a rule of thumb, you should never open a file you receive through instant messaging systems without scanning it first with an updated antivirus. A growing number of viruses are using these applications to spread, and their biggest danger lies in the recipient running executable files without thinking twice, as they are sent from a known address. This also implies that there is risk of them spreading rapidly via instant messaging, leaving poorly protected networks vulnerable to becoming infected in a matter of seconds," Luis Corrons, head of PandaLabs, said in a statement.

Flaw in Cisco videoconferencing products
Attackers could exploit a flaw in some of Cisco's videoconferencing products to read or manipulate configuration information, the networking giant said in an advisory. As a precaution, the company recommends users block Simple Network Management Protocol (SNMP) traffic to affected devices.

Danish security firm Secunia said in an advisory that the problem is caused by hard-coded SNMP community strings, which "may grant anyone with knowledge of these control over an affected IP/VC device." The following Cisco products are affected:

  • IPVC-3510-MCU
  • IPVC-3520-GW-2B
  • IPVC-3520-GW-4B
  • IPVC-3520-GW-2V
  • IPVC-3520-GW-4V
  • IPVC-3520-GW-2B2V
  • IPVC-3525-GW-1P
  • IPVC-3530-VTA

Secunia labeled the vulnerability "moderately critical."

Worm poses as Saddam death pics
Lynnfield, Mass.-based antivirus firm Sophos said a new variant of the Bobax worm is posing as photographic evidence that Saddam Hussein was killed during an escape attempt. Bobax-H is designed to take over PCs and create an army of zombie machines that can be used to spread junk e-mail. The worm spreads by e-mail and through Microsoft's LSASS vulnerability, for which a patch was issued last April. It's the same security hole the Sasser worm exploited in May.

E-mails generated by Bobax-H use a variety of different message bodies and attached file names, including the following:

Message body: Saddam Hussein - Attempted Escape, Shot dead. Attached some pics that i found.

Message body: Osama Bin Laden Captured. Attached some pics that i found.

Attached files containing the worm can have .pif, .scr, .exe or .zip extensions.

"People who launch unsolicited attachments without thinking are walking straight into the hands of malicious virus writers and spamming gangs," Graham Cluley, senior technology consultant at Sophos, said in a statement.
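The advice from both PandaLabs and Sophos comes down to not running executable attachments delivered with a social lure. The filter below is an added example, not code from either vendor or from the article: it parses a constructed e-mail, looks for the Bobax-H message bodies quoted above, and flags attachments with the .pif, .scr, .exe or .zip extensions the article lists (for .zip, it also looks inside for executables). The same extension check covers the Bropia-E file names sent over MSN Messenger.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Lure text reported for Bobax-H and the attachment extensions named in the article.
BOBAX_H_LURES = (
    "saddam hussein - attempted escape, shot dead",
    "osama bin laden captured",
)
EXECUTABLE_EXTS = (".pif", ".scr", ".exe")


def suspicious_attachments(msg: EmailMessage) -> List[str]:
    """Return attachment names that are executables, or zips wrapping executables."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            hits.append(name)
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    if any(n.lower().endswith(EXECUTABLE_EXTS) for n in zf.namelist()):
                        hits.append(name)
            except zipfile.BadZipFile:
                hits.append(name)  # a .zip that is not a valid archive is itself suspicious
    return hits


def classify(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and decide whether it should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    lure = any(text in body for text in BOBAX_H_LURES)
    attachments = suspicious_attachments(msg)
    return {"lure": lure, "attachments": attachments, "quarantine": lure and bool(attachments)}


def build_sample() -> bytes:
    """Constructed sample resembling a Bobax-H mail: lure text plus a zip holding a .pif (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pics.pif", b"placeholder bytes for the example")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "pics"
    msg.set_content("Saddam Hussein - Attempted Escape, Shot dead. Attached some pics that i found.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="pics.zip")
    return msg.as_bytes()
```

Running `classify(build_sample())` flags both the lure text and the zipped .pif, so the message is marked for quarantine; a plain text reply with no attachment is left alone.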

New mailing list to outline Linux kernel vulnerabilities
A new mailing list created this week by the Linux kernel's developers will keep users abreast of the latest vulnerabilities affecting the core of the open-source operating system. Developers will unveil the list in the near future, according to CNET. It is described as an answer to some open-source developers' concerns that reports of security flaws were getting lost in the large volume of e-mail messages sent to the kernel team. "We aim to keep the process as open as possible," Chris Wright, Linux kernel developer at Open Source Development Labs, told CNET. "Sometimes, people prefer to report security vulnerabilities in private to make sure the implications are understood and the fix is known before going public. This is in place to facilitate that and keep things from falling through the cracks."
