Virus News, by Beverly Rosenbaum

Worm-Infected E-Mails Abound

Warning: messages about “account suspension” contain a worm!

In the past few months a flurry of Internet worms have been distributed as attachments to messages that appear to be from support personnel or administrators threatening account suspension. Most people received several of these messages every day. Such messages should be deleted immediately without opening the attachments, because the worm is actually contained in the attachments. If you have inadvertently opened them and infected your PC, this worm can terminate security-related processes and prevent access to security-related web sites that are needed to restore your protection. If your PC remains infected, the bot function of the worm can open a “back door” on port 6677 that will allow a remote attacker to 1) gather email addresses from your computer, 2) download and execute files, 3) perform other IRC commands determined by the attacker, or 4) reboot the compromised computer.

Since this mass-mailing worm terminates certain security processes, including the Windows Task Manager, it may be necessary to use third party process viewers to terminate the worm process itself from memory. In a most unusual posting, Microsoft recognized this problem and directs users in KnowledgeBase Article Q242131 (at support.microsoft.com/kb/q242131/) to a third-party freeware Process Explorer Utility program by Sysinternals, which can be downloaded from www.sysinternals.com/ntw2k/freeware/procexp.shtml. This utility lists the files, registry keys, and other objects that are in use, or the dynamic-link libraries (DLLs) that the processes have loaded. After opening the process viewer, you should locate and terminate the running process called 1HELLBOT.EXE.

Here are a few web sites that maintain free removal tools:

A great deal of confusion circulated about this particular worm because the various companies that provide antivirus software each called it by a different name. For example, when Symantec referred to a version of it as W32.Mydoom.BQ@mm, Trend Micro reported it as WORM_MYTOB.EG. Regardless, this fast-growing family has more than 25 known variants arriving as e-mail attachments and affecting PCs running Windows versions 95/98/ME/NT/2000/XP, and the latest one as of this writing is W32.Mydoom.BQ. The Mytob family of worms is actually a modification of the Mydoom source code, but the author has added network worm functionality. This enables the worm to propagate via the Windows LSASS vulnerability, and the high incidence of this worm means that the majority of users have not installed Windows security updates, even critical ones.

Other Worms

According to Kaspersky Labs, the leading worm in terms of number of versions was IM-Worm.Win32.Kelvir, which appeared in 38 new versions. The Kelvir.k modification used a link to a file with a .php extension instead of sending a link to a .pif or a .scr file. The processing routine used for php files allows a malicious user to add numbers or addresses to the link, and this data is sent to the server when the link is clicked. Kelvir.k adds an Instant Message user’s MSN address to the link. A new version was discovered July 2, 2005.

The most recent version of the e-mail worm Sober is still creating epidemics and outbreaks world-wide. It, too, spreads as an attachment to infected messages, now in both English and German. Mail server data gathered by Kaspersky Labs shows this Sober worm to be the most prevalent malicious program in mail traffic. In Holland, Germany, Hungary and other Western European countries Sober has already surpassed all records set by other worms causing outbreaks so far this year.

After a month in hibernation, Bagle has reappeared as well, but it’s no longer considered an e-mail worm because it’s not able to self-replicate. The new versions of Bagle were sent out using spam technologies. Users received a program containing a long list of Internet addresses where they could allegedly download files that are actually malicious programs. One of those programs harvested e-mail addresses from the victim machines and sent them to the author of SpamTool. It’s likely those addresses were then sold to spammers. So the Bagle worm has simply evolved into a creator of new zombie machines for use in botnets.

Other new Trojans have appeared as well, which periodically contact Web sites to send information from the compromised computer. They include Trojan.Winblod, and Trojan.Mitglieder.R. TrojanHirofu and Trojan.Chimo.C behave as e-mail relays, while others act as covert proxies. There’s even a newly identified Microsoft Word macro virus, called W97M.Enife by Symantec, designed to infect the Microsoft Word global template and other Word documents, deleting files and disabling Microsoft Word security settings. Don’t think for a minute that those have disappeared! It’s an easy matter for a virus hacker to make a small change in an older variant to create a new threat.

The Top 10 viruses reported by Postini.com for June 2005 were:

                      image1

 

According to Postini statistics, one in 45 e-mails is infected, and they screened more than a million incidents of suspicious zip file attachments in a single day, now called “generic malware” by McAfee. In addition, 76.8 % of all messages (that’s an astounding 10 out of every 13 messages) now contain SPAM, a sure sign that these problems are on the rise.

You should never double-click on any attachment arriving as an e-mail attachment that contains an executable. While Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and can do no damage (except for the macro virus problem in Word and Excel documents. Many attachments are disguised as harmless files but actually have a double extension and are really executable files. These have extensions like EXE, COM or VBS, and can do any sort of damage. Once you click on it and run it, you have given it permission to do anything on your computer. The best defense is to never run executables that arrive via e-mail.

I can’t over-emphasize the importance of keeping current with Windows updates and virus signatures. Lately there have been almost daily releases. And HAL-PC’s Postini virus and spam filters and HALNet’s scanners are working overtime these days, constantly monitoring all our mail accounts to keep them problem-free. HALNet subscribers who don’t have the Postini service yet can try it for 30 days for free. Just visit www.hal-pc.org/support/virus.html for details to activate it.

image2

Beverly Rosenbaum, a HAL-PC member, is a 1999 and 2000 Houston Press Club “Excellence in Journalism” award winner. She can be reached at columns@hal-pc.org.