Panda Weekly - viruses and intruders - 12/24/04

Discussion in 'other security issues & news' started by Randy_Bell, Dec 24, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    - Weekly report on viruses and intruders -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

    Madrid, December 24 2004 - Today's report deals with three worms -Santy.A, which started to spread rapidly at the beginning of the week, Mugly.C and Gaobot.CDO-, the Constructor/Mastof virus, and a Trojan called Mastof.A.

    Santy.A is a worm that uses the viewtopic.php vulnerability to spread via the Internet. It affects servers that have versions earlier than 2.0.11 of the phpBB installed and which have not been updated.

    After infecting a computer, Santy.A takes the following action, among others:

    - It uses Google to search for vulnerable computers.

    - It overwrites all files with ASP, HTM, PHP, PHTM and SHTM extensions, and replaces them with HTML code that displays a message.

    - It slows down the affected server and Internet access.

    The second worm we're looking at today is Mugly.C, which spreads using a variable email message, with an attachment called ATTACHED.ZIP. This file contains an executable which is actually the worm itself and will be sent in an email.

    Mugly.C searches through files on the affected machine with the following extensions: ADB, ASP, DBX, DOC, HTM, HTML, PHP, SHT, TBB, TXT or WAB-, looking for email addresses to send itself to, unless addresses that contain text related to an antivirus company. This worm also prevents the user accessing web pages of certain antivirus companies.

    Alter it is run, Mugly.C displays an image on screen, and installs and runs another worm that Panda Software detects as Gaobot.CDO.worm.

    Gaobot.CDO affects computers with Windows 2003/XP/2000/NT operating systems, by exploiting the LSASS, RPC DCOM and WebDAV vulnerabilities. In order to spread it makes copies of itself in the shared network resources that it manages to access. Gaobot.CDO also connects to an IRC Server and awaits orders.

    The next codes we are looking at in today's report are Constructor/Mastof and Mastof.A, which are closely linked to each other, as the second one is a Trojan that has been created by the first to steal Yahoo Messenger passwords.

    Mastof.A, and the Trojans generated by Constructor/Mastof, include the following features: they execute every time the PC is restarted, they stay resident in the PC and they sent the password they find to a specific Yahoo address.

    For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/
     
Loading...
Thread Status:
Not open for further replies.