W32/Prestige

Discussion in 'malware problems & news' started by Technodrome, Dec 12, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Virus category: Worm
    Repairable?: Yes
    First appeared: 12/10/2002
    'In The Wild': No

    Basic description: W32/Prestige is a worm that is easy to recognize because it refers to the sinking of the Prestige, an oil tanker, off the Spanish coast.

    It spreads rapidly using the following means of transmission:

    E-mail messages with the subject "fotos INEDITAS del PRESTIGE en el fondo del Atlantico", which include an attached file called PRESTIGE.ZIP.
    By automatically sending itself via IRC.
    The message text entices the user to open the PRESTIGE.ZIP file by claiming that it contains some pictures of the Prestige oil tanker. When the file is opened, however, a window is displayed which informs the user that a plug-in must be installed to display the pictures. If the user clicks on the Yes button, an error message is displayed.

    W32/Prestige is not considered dangerous, as its only aim is to spread to other computers. However, mass mailing of this virus could cause infected e-mail accounts and IRC chat channels to collapse.

    Source: http://www.pandasoftware.com


    Technodrome
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    VSantivirus No. 889 - Year 7 - Friday, 13 December 2002

    The "Prestige" virus, a variant of the "Duksten" family
    http://www.vsantivirus.com/duksten-fam.htm

    By Jose Luis Lopez
    videosoft@videosoft.net.uy

    The "Prestige" virus (it pretends to contain photographs of the oil spill caused by the Prestige tanker) is a variant of W32/Duksten (VSA #791, http://www.vsantivirus.com/duksten.htm ) and W32/BogusBear.A (VSA #831, http://www.vsantivirus.com/bogusbear-a.htm ).

    Because each antivirus laboratory usually gives it a different name, the same worm can exist under several names, which causes confusion when identifying it, depending on the antivirus used.

    This particular worm (and its variants) is detected under the following names (in alphabetical order):
    Duksten
    I-Worm.Duksten.d
    I-Worm.Gain
    I-Worm.Skudex
    Netskudo
    Predig
    Prestige
    W32.Duksten.B@mm
    W32.Protex.Worm
    W32/BogusBear.A
    W32/BogusBear.A
    W32/Duksten
    W32/Duksten
    W32/Duksten.Drp
    W32/Duksten.h@MM
    W32/Duksten@MM
    W32/Prestige
    W32/Pretige
    W32/Skud
    W32/Skudo
    Win32.BogusBear.A@mm
    Win32.Duksten.H
    Win32/BogusBear@MM
    Win32/Duksten.H.Worm
    Win32/Gex
    Worm/Antiax
    Worm/BogusBear
    Worm/Predig
    Worm_Bogusbear.A

    All of them send a ZIP file as an attachment, and almost all of them drop the files "m_base64.xrf" (the worm encoded for sending by e-mail in MIME format) and "m_prgrm.zip" (a ZIP containing the worm).

    Other variants send the attachment directly in EXE format.

    Some properties of the different variants, all of them encrypted:


    * Variant A

    It drops the file "C:\NetSkudo.exe" (10,240 bytes, not encrypted).


    * Variant B

    The message has these characteristics:

    From: "Anti-SirCam" [ Panda@PandaSoft.com ]
    Subject: Free Anti-Vir to protect you SirCam Trojan
    Attachment: SKUDO.EXE (7,680 bytes, encrypted)


    * Variants C and E

    One of the following senders:

    From: "Anti29A" [ darknode@dejalo.com ]
    From: "ReEnviaMe" [ Skudo@Seguro.com ]
    From: [ Grupo@Anti29A.net ]

    One of the following subjects:

    Subject: creative group of virus 29A
    Subject: AyudaME, AyudatE... AYudEMonoS! Anti29A - SKUDO

    In all cases:

    Attachment: ANTI_29A.EXE (7,680 bytes, encrypted)

    This variant is usually sent through the newsgroup "es.comp.virus" in a message with the text "you give pain JUA JUA JUA".


    * Variant D

    The message has these characteristics:

    From: "Anti-SirCam" [ Panda@PandaSoft.com ]
    Subject: Run ThiS Free Anti-Vir to protect you SirCam Trojan
    Attachment: SKUDO.EXE (7,680 bytes, not encrypted)


    * Variants F and G

    One of the following senders:

    From: [ boletin@viralert.net ]
    From: "Alerta_RaPida" [ boletin@viralert.net ]

    In all cases:

    Subject: TOTAL protection against W32/Bugbear (30dias)
    Attachment: PROTECT.ZIP (contains a 9,728-byte encrypted EXE)

    This variant contains the following text in its code:

    WKaPCOM bY XRF, 19SePtiembre2002 PandaSoftware, please, rename Duksten to WKaPExE About::Me 198ÄppleIIe.1986Univac1100.1987MV4000. 1988MV20000.1990EpsonPcJ2

    * Variant H

    See the description of W32/Prestige (VSA #888, http://www.vsantivirus.com/prestige.htm )


    References:

    W32/Duksten. Attachment: SKUDO.ZIP
    http://www.vsantivirus.com/duksten.htm

    W32/BogusBear.A. A fake protection against Bugbear
    http://www.vsantivirus.com/bogusbear-a.htm

    W32/Prestige (Predig). Fake photos of the "Prestige"
    http://www.vsantivirus.com/prestige.htm
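
As an added example that is not part of either post above (it is neither Panda's nor VSAntivirus's code), here is a Python mail-filter check that turns the indicators the two posts list into a scoring function: the verbatim Prestige subject, the attachment names, the executable sizes the bulletin reports, and the forged sender addresses. It also peeks inside ZIP attachments for executables, which is what the PRESTIGE.ZIP and PROTECT.ZIP lures call for. The sample messages, the inner EXE file name and size, the "SirCam" sample's subject and the sender/recipient addresses in the samples are constructed for the demonstration; everything else is transcribed from the thread. A sender match on its own is treated as weak because the From: header in these lures is forged.

```python
"""Score e-mail messages against the Duksten/Prestige lure indicators quoted above."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names taken from the Panda and VSAntivirus descriptions above.
LURE_ATTACHMENTS = {
    "prestige.zip", "skudo.exe", "skudo.zip", "anti_29a.exe",
    "protect.zip", "m_prgrm.zip", "m_base64.xrf",
}
# Executable sizes (bytes) the VSAntivirus bulletin reports for the variants.
LURE_EXE_SIZES = {7680, 9728, 10240}
# Spoofed sender addresses the bulletin lists; From: is forged, so weak alone.
LURE_SENDERS = {
    "panda@pandasoft.com", "darknode@dejalo.com", "skudo@seguro.com",
    "grupo@anti29a.net", "boletin@viralert.net",
}
# The one lure subject the thread quotes verbatim in its original language.
LURE_SUBJECTS = {"fotos ineditas del prestige en el fondo del atlantico"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def _zip_members(payload):
    """List (name, uncompressed size) for a ZIP payload; [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [(i.filename, i.file_size) for i in zf.infolist()]
    except (zipfile.BadZipFile, OSError):
        return []


def score_message(raw):
    """Parse one RFC 822 message and return {"hits": [...], "verdict": ...}.

    "quarantine" when a strong indicator fires (lure subject, lure attachment
    name, executable of a known size, or an executable inside a ZIP attachment),
    "review" when only the forged sender matched, otherwise "clean".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, strong = [], False

    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append("subject:" + subject)
        strong = True

    _, addr = email.utils.parseaddr(str(msg["from"] or ""))
    if addr.lower() in LURE_SENDERS:
        hits.append("sender:" + addr.lower())

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name in LURE_ATTACHMENTS:
            hits.append("attachment:" + name)
            strong = True
        if name.endswith(EXEC_SUFFIXES) and len(payload) in LURE_EXE_SIZES:
            hits.append(f"exe_size:{len(payload)}")
            strong = True
        # Inspect ZIP attachments in memory; nothing is extracted to disk.
        for member, size in _zip_members(payload):
            if member.lower().endswith(EXEC_SUFFIXES):
                hits.append(f"zip_exe:{name}!{member}")
                strong = True
                if size in LURE_EXE_SIZES:
                    hits.append(f"zip_exe_size:{size}")

    verdict = "quarantine" if strong else ("review" if hits else "clean")
    return {"hits": hits, "verdict": verdict}


# ---- constructed sample messages (not real captures) -----------------------
def _make_zip(inner_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def build_sample(subject, sender, filename, payload, subtype):
    """Build a multipart message with one attachment and return its raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.net", subject
    m.set_content("Mira las fotos adjuntas.")
    m.add_attachment(payload, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


SAMPLES = {
    # Prestige lure: verbatim subject, PRESTIGE.ZIP wrapping an EXE whose
    # inner name and size are constructed (the thread does not give them).
    "prestige": build_sample(
        "fotos INEDITAS del PRESTIGE en el fondo del Atlantico",
        "amigo@example.org", "PRESTIGE.ZIP",
        _make_zip("fotos_prestige.exe", b"MZ" + b"\0" * 4094), "zip"),
    # Variant B style lure: forged Panda sender, 7,680-byte SKUDO.EXE,
    # constructed subject.
    "sircam": build_sample(
        "Gratis: proteccion contra SirCam",
        "Anti-SirCam <Panda@PandaSoft.com>", "SKUDO.EXE",
        b"MZ" + b"\0" * 7678, "octet-stream"),
    # Benign control message.
    "clean": build_sample("Informe trimestral", "colega@example.org",
                          "informe.pdf", b"%PDF-1.4" + b"\0" * 2000, "pdf"),
}


def scan_all():
    """Return {sample name: verdict} for every constructed sample."""
    return {k: score_message(v)["verdict"] for k, v in SAMPLES.items()}
```

The subjects quoted for the other variants survive in the thread only in translation, so they are not used as match strings; in a real filter the subject set would be extended from the original vendor write-ups, and the size check would be paired with a hash or signature, since a repacked sample changes size trivially.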
     