Summary of virus activity – January 2004
- 29 January, 2004 15:31
<p>David Kopp, Head of TrendLabs EMEA, comments on the virus activity observed by TrendLabs throughout January.</p>
<p>In January Trend Micro detected around 550 new malicious codes (computer worms, viruses, Trojans and other malware). 30% of these malicious codes are worm-related and 30% are backdoor-related.</p>
<p>If we take a look at the top ten virus threats in January, we can see that 60% of them are worm-related, so worms are still the main threat we currently face. But new data indicates that the situation is becoming more complex: more and more worms are dropping backdoors.</p>
<p>Backdoors, unlike viruses, do not have any self-propagation routine. By embedding themselves into worms, backdoors gain the ability to propagate that they were previously lacking. Carried by worms, backdoors can spread via email, network shares, Instant Messaging and P2P.</p>
<p>As a result, backdoors can now compromise not only a single computer but also the security of entire networks. Embedded into their hosts (worms), backdoors can reach a higher number of systems within a network, illustrating that it is more important than ever to set strong security policies to protect networks against these constantly evolving threats.</p>
<p>Key threats observed in January</p>
<p>TROJ_XOMBE.A appeared at the beginning of January. It is a typical example of a mix of technologies. We have already seen the virus-writer and hacker 'families' working together; now it appears that the spammer 'family' has entered the equation.</p>
<p>As its name implies, TROJ_XOMBE.A is a Trojan (i.e. it does not have any self-propagation routine in its code). However, many people reported receiving this malware by email, indicating that the email is in fact a spam run with the malware as its attachment.</p>
<p>Spam techniques are now being used to spread malicious code. The email also misleads computer users by disguising itself as a message seemingly originating from Microsoft (attachment name: WINXP_SP1.EXE, subject: Windows XP Service Pack 1 (Express) - Critical Update). It is worth noting that a simple rule at the Internet gateway level that blocks EXE files is enough to be well protected against this malware.</p>
<p>On January 19th 2:00 AM (GMT +1), Trend Micro was the first company to raise a Yellow Alert for WORM_BAGLE.A. Once again the outbreak was caused by a worm, highlighting that this kind of malware is a real threat nowadays. First discovered in the USA, it arrives in an email with the following characteristics:</p>
<p>From: spoofed address
Attachment: (random string).exe
Body: Test =)</p>
<p>WORM_BAGLE.A checks the current system date and terminates if the date is January 28, 2004 or later. Upon execution this worm opens port 6777, leaving the system open to remote attackers. Not only is the security of the infected system compromised; the security of the corporate network may also be at risk (if the system belongs to a network).</p>
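As an added illustration (not code from the original summary or from Trend Micro), the following Python filter applies the gateway rule mentioned for TROJ_XOMBE.A to the two message forms described in this summary: it flags any executable attachment, by its .exe extension or by the MZ header of its decoded payload, and labels the TROJ_XOMBE.A and WORM_BAGLE.A lures. The sample messages are constructed in memory and the addresses in them are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Lures quoted in the summary above; a real gateway would carry a fuller list.
XOMBE_SUBJECT = "Windows XP Service Pack 1 (Express) - Critical Update"
XOMBE_ATTACHMENT = "WINXP_SP1.EXE"
BAGLE_BODY = "Test =)"

def build_sample(subject, body, filename, payload):
    """Construct a sample message in memory (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"  # both worms spoof the sender address
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def executable_attachments(raw_message):
    """Names of attachments that are Windows executables.

    A part is flagged if its filename ends in .exe (the simple gateway rule
    the summary recommends) or if its decoded payload starts with the 'MZ'
    header, which also catches an executable renamed to a harmless extension.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe") or payload[:2] == b"MZ":
            found.append(name)
    return found

def classify(raw_message):
    """Gateway verdict: 'allow' or a 'block: ...' reason string."""
    exes = executable_attachments(raw_message)
    if not exes:
        return "allow"
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    if subject == XOMBE_SUBJECT and XOMBE_ATTACHMENT in (n.upper() for n in exes):
        return "block: TROJ_XOMBE.A lure"
    if text == BAGLE_BODY:
        return "block: WORM_BAGLE.A pattern"
    return "block: executable attachment"
```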
<p>As with WORM_SOBIG.F, it extracts the domain name from the recipient address and queries the DNS (Domain Name Server) for that domain's MailBox (MB) server. This process may speed up its propagation. Beyond the malicious actions taken by this worm, we also notice two other interesting points:</p>
<p>This worm spreads by using an EXE file as an attachment. The fact that this kind of malware can be blocked with a basic rule at the Internet gateway level leads to the following conclusions:</p>
<p>• Many users and corporate networks have been infected, showing that there are still companies that are not aware of basic security rules.</p>
<p>• It also leads us to speculate as to whether this malicious code is in its finished state, since EXE files can be blocked by simple rules, and most virus writers know that. This hypothesis is reinforced by the fact that the code is not compressed: virus writers often compress malicious code with a packer to get past weak antivirus solutions, which leads us to believe that this code may have been released by mistake.</p>
<p>On January 26, 2004 1:47 PM (US Pacific Time), Trend Micro declared a Yellow Alert for WORM_MIMAIL.R (also known as Mydoom or Novarg.A).</p>
<p>This mass-mailing worm selects from a list of email subjects, message bodies and attachment file names for its messages. It spoofs the sender name so that the messages appear to have been sent by different users rather than the actual users of the infected machines, again demonstrating an intricate social engineering technique. It can also propagate over the Kazaa peer-to-peer file sharing network.</p>
<p>WORM_MIMAIL.R also performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later, and it ceases attacking the site and running most of its routines on February 12, 2004. It is thought that this attack may be motivated by the lawsuit SCO filed against several key Linux distributors in November 2003.</p>
<p>This worm also carries a backdoor component (as discussed above), which it drops as the file SHIMGAPI.DLL. The backdoor component opens port 3127 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004. As of January 27, the greatest number of reports of the worm had come from the USA.</p>
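The two listening ports named in this summary (6777 for WORM_BAGLE.A, 3127 for the WORM_MIMAIL.R backdoor) can be checked on a host by parsing `netstat -an` output. This Python script is an added example, not from the original summary; the netstat sample is constructed and includes an outbound connection to a remote port 6777 to show that only local listeners are flagged.

```python
import re

# Listening ports the summary attributes to the January 2004 backdoors.
BACKDOOR_PORTS = {
    6777: "WORM_BAGLE.A",
    3127: "WORM_MIMAIL.R (Mydoom) backdoor",
}

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      10.0.0.5:6777          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")

def listening_backdoor_ports(netstat_output):
    """Return {port: name} for each backdoor port found in LISTENING state.

    Only the local port of a TCP listener counts; a connection whose remote
    side happens to use 6777 or 3127 is not a backdoor on this host.
    """
    hits = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or blank
        proto, _local, port, _remote, state = m.groups()
        port = int(port)
        if proto == "TCP" and state == "LISTENING" and port in BACKDOOR_PORTS:
            hits[port] = BACKDOOR_PORTS[port]
    return hits

if __name__ == "__main__":
    for port, name in listening_backdoor_ports(SAMPLE_NETSTAT).items():
        print(f"port {port} is listening: possible {name}")
```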
<p>TrendLabs EMEA monitors suspicious activity and its effects within the Europe, Middle East and Africa region 24 hours a day, 7 days a week, to ensure a high level of protection and service for our customers.</p>
<p>About Trend Micro</p>
<p>Trend Micro is the world leader in providing centrally controlled server-based virus protection and content-filtering products and services. By protecting information that flows through Internet gateways, email servers and file servers, Trend Micro allows companies and service providers worldwide to stop viruses and other malicious code from a central point before they enter the network. For more information visit www.trendmicro.com</p>
<p>Trend Micro, and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners.</p>