Panda Weekly - viruses and intruders - 08/12/05

- Panda Software's weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)​

Madrid, August 12, 2005 - This week's report looks at two Trojans -Spamnet.A and Galapoper.C-, several vulnerabilities (in Internet Explorer and Windows operating systems) two worms -Gaobot.JKO and Gaobot.JKK-, and 5 variants -from A to E- of the Damon worm.

Spamnet.A is a Trojan that executes on entering a certain web page. Once installed on a computer, it starts downloading and running other malware, which it uses to obtain, from the infected computer, email addresses that it sends out via FTP. The infected computer is then also used to send spam.

One of the other malware specimens that Spamnet.A downloads is Galapoper.C. This is a Trojan that connects to several web pages -which host a PHP script- to download a file containing remote control commands (such as downloading and running other files or updating itself). Galapoper.C also sends variable spam messages, made up of information it gets from several servers.

Three of the security problems, which we summarize below, could allow execution of arbitrary code on affected systems and have been classified as "critical".

- Critical vulnerabilities affecting versions 5.01, 5.5 and 6 of Internet Explorer in computers with Windows 2003/XP/2000/Me/98 which could allow an attacker to take complete control of the system.

- Vulnerability in Plug and Play that could allow remote code execution and elevation of privileges. It affects Windows 2000 SP4, Windows XP SP1 and SP2, Windows XP Professional x64 Edition, Windows Server 2003 and Windows Server 2003 SP1.

- Vulnerability in Telephony Application Programming Interface (TAPI) that could allow remote code execution. It affects Windows 2000 SP4, Windows XP SP1 and SP2, Windows XP Professional x64 Edition, Windows Server 2003 (SP1 and x64 Edition), Windows 98, Windows 98 Second Edition and Windows Me.

- Vulnerability in Remote Desktop Protocol that could allow denial of service in computers with Windows 2003/XP/2000.

- Vulnerabilities in Kerberos that could allow denial of service, information disclosure, and spoofing in computers with Windows 2003/XP/2000.

- Vulnerability in Print Spooler Service that could allow remote code execution in computers with Windows 2003/XP/2000.

Microsoft has reported these security issues in six bulletins -MS05-038 to MS05-043- which also include details of the updates that users are advised to apply.

The worms we are looking at in today's report are Gaobot.JKK and Gaobot.JKO, which share the following characteristics:

- They use two forms of propagation: making copies of themselves in shared network resources and via the Internet by exploiting several vulnerabilities (LSASS, RPC DCOM, Workstation Service, WebDAV, etc.).

- They connect to IRC servers to receive remote control commands, which they execute in the infected computer.

- They terminate processes belonging to several security tools, including firewalls and antivirus solutions.

- In order to spread to other systems they install their own FTP and TFTP servers on the affected computers.

We end today's reports with a mention of the A, B, C, D and E variants of the Damon worm. These worms are concept trials that infect the Microsoft Shell console (MSH) -also known as Monad.

You will find more information about these and other threats in the Panda Software Encyclopedia, available at: http://www.pandasoftware.com/virus_info/encyclopedia/