Posted in GD as a public service. The poster is not an employee of, or in any associated with Panda Software.
---
Weekly virus report
Virus Alerts, by Panda Software (
http://www.pandasoftware.com)
Madrid, November 28, 2003 - This week's report will focus on four completely different examples of malicious code: Sysbug.A, Psshutdown.A, Randex.BF and Dialer.CB.
Sysbug.A is a Trojan which has been massively distributed by e-mail in a message with the subject "Re<2>:Mary" and an attached file called PRIVATE.ZIP. This is a compressed file (ZIP format) which contains a file with a double extension called WENDYNAKED.JPG.EXE.
Sysbug.A steals confidential data from infected computers. This includes passwords for mail accounts, mail servers (SMTP and POP3), newsgroups, dial-up accounts, etc. The Trojan then saves this information to a file and sends it to a hacker. Sysbug.A also opens the TCP port 5555 waiting for the hacker's commands. It finally accesses the address finance.red-host.com and makes GET/POST requests to two Perl scripts.
Psshutdown.A is a hacking tool that allows a hacker to shut down or restart the victim's computer (similarly to the Unix "shutdown" command). Restarting the computer could cause loss of all the information that has not been saved. Psshutdown.A can be used by several worms and Trojans with malicious intentions.
Randex.BF is a worm with Trojan features that spreads across networks. It generates random IP addresses and attempts to connect to them, using typical or easy-to-guess passwords. If it succeeds to do so, the worm copies itself to the computers it has gained access to. Randex.BF also joins the channel #goep in the IRC server opqleure.qopmafia.net waiting for remote control commands (such as Ntscan and Sysinfo).
Finally, Dialer.CB is a dialer that connects to the Internet and downloads files that it then saves to a directory. It also creates four files (2_INFO_PERSIST, NAVPMC.DLL, NAVPMC.EXE and UNINSTALL.EXEin) in the Windows NAVPMC subfolder. In addition, Dialer.CB creates four entries in the Windows Registry.
For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopediaAdditional information
- Dialer: This is a program that is often used to maliciously redirect Internet connections. When used in this way, it disconnects the legitimate telephone connection used to hook up to the Internet and re-connects via a premium rate number.
- Hacking tool: A program that allows hackers to carry out actions that pose a security risk for other computers (spam, port scanning, denial of service attacks -DoS-, etc.).
- POP (Post Office Protocol): This is a protocol for receiving and sending e-mails.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspxNOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.