Here are a bunch of emails you DON'T want to open:

The two newest entrants are Bagle.AA and Netsky.AB, both of which have been rated as medium risks by antivirus vendors. There is little new in either of the viruses and they both borrow heavily from their forebears.

The new variant of Bagle uses an increasingly popular tactic among virus writers: attempting to terminate various security applications, including antivirus software and personal firewalls. The rest of its behavior is fairly typical, as the virus arrives via e-mail with a random subject line and spoofed sending address. Subject lines include "Re: Msg reply," "Re: Yahoo," and "Re: Document." The text of the e-mail is random and meaningless, as well.

Netsky.AB is even less clever than Bagle.AA. It simply spreads via e-mail messages with subject lines such as "Correction," "Hurts," "Privacy" and "Password." The body of the message is nonsensical; a portion of the text includes:

How can I help you?
Still?
I've your password

Osama Spam
A persistent new spam campaign that purports to show recipients pictures of Osama bin Laden being captured is in fact a ruse that could lead victims to download a malicious Trojan.

The e-mails have been flooding inboxes all over the Internet since Thursday, carrying a subject line that reads: "Osama bin Laden Captured." The sending
"Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can: http://xxx.xxx.xxx.xx/pics/ God Bless America!"

Users who click on the URL in the message are taken to what looks like an ad for Viagra. But the Web page also attempts to exploit a vulnerability in Internet Explorer to download a file named Exploit.exe, which contains a Trojan called Small.B, according to an analysis of the threat by Panda Software, based in Glendale, Calif.

New Bugbear
BugBear.E, aka BugBear.C, Tanatos.E and PWSteal Hooker Trojan, is a new variant of the BugBear worm discovered in the early morning hours of April 6, 2004. Updated anti-virus software did not detect BugBear.E at the time of its discovery.

BugBear.E uses a new Microsoft Corp. Internet Explorer vulnerability to silently auto-execute itself on vulnerable computers. BugBear.E was authored with Microsoft Visual C++ and packed with UPX, and uses the same keylogger DLL file used by BugBear.A. BugBear.E is about 52,736–52,772 bytes in size. The worm's size varies and may exceed this sample range.

BugBear.E spreads via HTML e-mails with a ZIP archive containing a malicious HTM file. At least one sample has the e-mail attachment name of "Biology 121sUnit 4 Essays.zip," containing an HTM file with the same name but with an .htm extension instead.

If the malicious attachment is executed, the worm performs a mass-mailing and installs a keylogger onto the local computer to steal sensitive information. It attempts to create a copy of itself in the Windows System directory with a randomized filename and an .exe extension. DLL files are also created with randomized filenames, used to steal and store sensitive information in an encrypted form on the local computer.

To perform a mass mailing, BugBear harvests e-mail addresses from the local drive. The following file types are searched by the worm for e-mail addresses: DBX, EML, MBX, NCH, ODS, and TBB. It also scans a file called inbox, if found, for e-mails.

The worm collects a list of file names taken from files with extension .ini and .rdp on the local hard drive. The worm then randomly selects a file name from this list to create the attachment name. The attachment also arrives with a filename randomly chosen from the following list: "Card", "data", "Docs", "image", "images", "music", "news", "photo", "pics", "readme", "resume", "Setup", "song", and "video". The attachment may have one of the following extensions: EXE, HTM, PIF, SCR, or ZIP.

Once installed, BugBear.E is able to log keystrokes and steal sensitive information from the local computer. Specifically, the worm attempts to steal cookies, keylogging data, text from various windows, and clipboard data. The worm carries a list of eight e-mail addresses and servers in its body. This data is used to send out malicious e-mails and stolen data to the attacker.

Considerable precautions are warranted due to the success and payloads of former BugBear variants. The current prevalence of BugBear.E is difficult to gauge since it is very early in the outbreak and it is not detected by anti-virus software. Early data indicates that it is spreading in the wild to some degree, but the rate or degree of prevalence has not been firmly established at the time of writing this report. BugBear worms have traditionally had great success as a top ten worm for many months. As a result, this new variant of BugBear will likely have similar success.

Detection: Look for questionable files with a size of about 52k and ZIP attachments containing an HTM file. Also look for new EXE, DLL and other files created by the worm and for the change to the Windows registry. The computer may also show degraded performance once the mass mailings are initiated.

Workaround: User awareness is the best method of defense against this class of attack. Users must be wary of suspicious URLs and never follow links from untrusted sources.

SoberF
Sober.F arrives in an e-mail sent by the worm's own SMTP engine. According to F-Secure's description of the worm, the incoming message can have any of a large number of subject lines and message bodies, some in German and some in English.

The message also contains an executable file attachment, which, according to Symantec's analysis, contains any of a list of names with an .EXE extension and is 42,496 bytes large. When a user launches the attachment it sets itself to run automatically when Windows starts, then searches files on the hard disk to use as senders and recipients in the messages sent as it attempts to spread itself.

BagleU
Yet another version of the Bagle worm is on the loose and is already causing trouble in parts of Europe. Bagle.U appeared early Friday morning and has begun spreading quickly, even though it contains none of the social engineering tricks that Bagle's author has used to help previous versions succeed.

This variant arrives in an e-mail with a blank subject line and no body text. The sending address, as always, is spoofed, and the name of the infected executable attachment is completely random. After execution, the worm mails itself to all of the addresses in the infected machine's address book.

Bagle.U does include a backdoor component that listens on TCP port 4751 and connects to a Web server in a German domain, www.werde.de, according to an analysis by the McAfee Security unit of Network Associates Inc., based in Santa Clara, Calif. Once it establishes a connection with the remote server, the worm generates a unique ID number for each specific infected machine and sends that number and the number of the port on which it is listening to the server.

The worm also is capable of downloading an updated copy of itself from the remote server or downloading a batch file that removes the worm from the infected PC.

MyWife and Snapper
Two new low-threat worms are making the rounds on the Internet Thursday, continuing the plague of malware that began in January and has shown no signs whatsoever of abating.

Of the two worms, known as Mywife and Snapper, the former appears to be the more worrisome and have the greater potential for spreading widely, security services said. Mywife arrives in an e-mail with a spoofed sending address and any one of several vaguely pornographic subject lines, including, "very hot XXX" and "FW:RE: Hot Erotic." The body of the e-mail also varies and some of the messages are quite graphic.

The e-mail contains two attachments, one of which is simply a graphic file that displays a fake Norton AntiVirus 2004 logo, supposedly certifying that the other attachment is virus-free. The second attached file is compressed and can have any one of several names, including: Aprilgoostree, Parishilton, Rickymartin or a handful of profanities. The compressed file contains a third file with either an .exe or .scr extension, according to an analysis of the worm done by Panda Software Inc.

A second version of the virus-infected e-mail carries a fake virus warning, purportedly from antivirus vendor Symantec Corp., informing recipients that their machine is infected by the fictitious BlackWorm virus. This version has an attachment named either Scan.tge or Scan.zip.

The Mywife code also contains a jab at Microsoft Corp., although it is never displayed on the user's screen: "microsoft do u hear me? we gon kick u ass an *** u down u got my word **Black Worm**."

Once resident on a computer, Mywife goes to work removing the Windows registry entries for a variety of antivirus and security applications.

The Snapper worm is quite different from Mywife, and in fact resembles the last few variants of the Bagle virus that showed up last week. Instead of relying on the user to open an infected attachment, Snapper sends blank e-mails with spoofed sending addresses that contain code that automatically executes once the message is opened or viewed in the preview pane in Outlook. The code causes the local host computer to connect to a remote Web server located at 198.170.245.129 and try to download a file called HTMLhelp.cgi.

SoberD
Sober.D appeared Sunday and began spreading in Germany and the United Kingdom. The worm arrives in an e-mail message with a subject line of "Microsoft Alert: Please Read!" and carries a sending address with a Microsoft domain. The domain extension on the messages is typically from Germany, Israel, Switzerland or Austria.

The rules for avoiding worms/viruses
BE VERY SKEPTICAL OF ANY ATTACHMENT IN E-MAIL. This doesn't mean that you shouldn't trust any attachment at all, but unless you know the sender and were expecting the file, you should scrutinize it and not open it unless you can determine that it's legitimate.
Keep your antivirus software and firewall up to date. They aren't perfect, but they help a lot.
If your mail client can block all executables, let it. Most worms, including NetSky, will be blocked just by this. If not, find some other way to do it. It's just not worth being able to mail executables around. Incidentally, both Outlook and Outlook Express have done this for years, and therefore their users have been immune to these worms.
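As an added example (not code from the original post or from any of the vendors cited in it), the following Python script applies the BugBear.E detection hints above and the "block all executables" rule to an incoming message: it flags attachments with the extensions the worm uses, sizes in the quoted 52,736–52,772 byte range, and ZIP archives that wrap an .htm or executable file. The sample message it builds is constructed for the demonstration; the attachment name is the one the post quotes.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions the post lists for BugBear.E, which a mail client
# following the "block executables" rule should refuse outright.
BLOCKED_EXTS = {".exe", ".pif", ".scr", ".htm", ".zip"}
BUGBEAR_SIZE_RANGE = (52736, 52772)  # byte sizes quoted for BugBear.E samples
RISKY_IN_ARCHIVE = (".htm", ".html", ".exe", ".pif", ".scr")

def attachment_findings(raw_message: bytes) -> list[str]:
    """Return reasons an e-mail's attachments match the indicators above (empty if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1]
        if ext in BLOCKED_EXTS:
            findings.append(f"{name}: blocked extension {ext}")
        if BUGBEAR_SIZE_RANGE[0] <= len(data) <= BUGBEAR_SIZE_RANGE[1]:
            findings.append(f"{name}: size {len(data)} matches BugBear.E range")
        if ext == ".zip":  # look inside the archive for the HTM-in-ZIP pattern
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(RISKY_IN_ARCHIVE):
                            findings.append(f"{name}: archive contains {member}")
            except zipfile.BadZipFile:
                findings.append(f"{name}: .zip attachment is not a valid archive")
    return findings

def sample_zip_with_htm() -> bytes:
    """Constructed ZIP wrapping an .htm file, mirroring the attachment the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Biology 121sUnit 4 Essays.htm", "<html>placeholder</html>")
    return buf.getvalue()

def build_sample_message(filename: str, data: bytes) -> bytes:
    """Constructed e-mail with a spoofed sender and one attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: Document"
    msg.set_content("random meaningless text")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```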