Security alert



Kaspersky Labs reports new Internet viruses on the loose.

--------------------------------------------------------

Kaspersky Lab warns users of the notable activity of several dangerous
Internet-worms occurring at this time. Kaspersky Lab has been receiving
reports from users whose computers have been infected by the
Internet-worm Hybris. Recently, Kaspersky Lab informed users of this
worm's danger, and we reiterate that this virus is a very complex
malicious code that can be updated by its author through his own Web
page or through an anti-virus conference alt.comp.virus, which is
already replete with this virus' components.

Also still active is an Internet-worm called Navidad, and although it is
fairly harmless, it still causes users trouble. The infected e-mail
contains an embedded file and the following message in Spanish: "Nunca
presionar este boton" (never click on this button). By clicking on this
button, a user causes himself headaches, because a dialogue box appears
on the screen that tells the user he has lost his computer due to his
curiosity. However, in reality, this malicious code is easily deleted.

The first reports of the Internet-worm Music arrived at Kaspersky Lab a
week and a half ago, and we estimate that this worm has every chance of
becoming an epidemic.

An entertaining payload hiding the worm's main activity accompanies 
this virus, displaying a Christmas scene and playing a carol. 
Music-worm contains the following Subject and Texts:

Subject: Testing to send file
Text: Hi, just testing email using Merry Christmas music file, not bad music.
or:
Text: Hi, just testing email using Merry Christmas music file, you'll like it.

"Music" has the ability to upgrade its components from an Internet site.
This malicious utility downloads three files from there (that are
supposed to be its plugins), detects their versions, and if these
versions are above those currently used, the worm replaces its
components with new ones. So the worm is able to change its
functionality depending on its author's needs.

Another Internet-worm that has attracted the attention of Kaspersky 
Lab's specialists is called Blebla, which was discovered on November 16 
in Poland. Several reports also have been received from Denmark. The 
worm appears as an e-mail message in HTML format and has two attached 
files: MYJULIET.CHM and MYROMEO.EXE.

What is specific to this worm is that no attached file needs to be
opened to start the malicious program. The worm activates itself
automatically when an infected message is opened or previewed. To
activate itself, the worm exploits a vulnerability in Windows scripting
security: the first part of the malicious utility contains a script
program that is automatically executed by this operating system. As a
result, the CHM-component of the message (the MYJULIET.CHM file) is
loaded and activated, which in turn executes the MYROMEO.EXE file that
is the main worm body itself.

When the malicious program runs, it opens the Address Book, reads e-mail
addresses from there and sends its HTML message with the attached CHM
and EXE files to them. The message has a Subject that is randomly
selected from the following list:

Romeo&Juliet
:)))))) 
hello world
!!??!?!? 
subject
ble bla, bee
I Love You ;) 
sorry... 
Hey you ! 
Matrix has you... 
my picture
from shake-beer

Protection procedures thwarting all of the above-mentioned Internet
worms have been added to the Kaspersky Anti-Virus (AVP) anti-virus
database.
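
Added example, not part of the original message or of Kaspersky's product: a mail-gateway style check for the Blebla indicators listed above (the two attachment names and the subject list). It also generalises to any HTML message carrying both a .chm and an .exe attachment; the function names, finding labels and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the advisory text: attachment names and subject lines.
BLEBLA_FILES = {"myjuliet.chm", "myromeo.exe"}
BLEBLA_SUBJECTS = {s.lower() for s in (
    "Romeo&Juliet", ":))))))", "hello world", "!!??!?!?", "subject",
    "ble bla, bee", "I Love You ;)", "sorry...", "Hey you !",
    "Matrix has you...", "my picture", "from shake-beer")}

def inspect_message(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    names, has_html = set(), False
    for part in msg.walk():
        has_html = has_html or part.get_content_type() == "text/html"
        filename = part.get_filename()
        if filename:
            names.add(filename.strip().lower())
    findings = []
    if BLEBLA_FILES <= names:                      # exact pair named in the advisory
        findings.append("blebla-attachment-pair")
    extensions = {n.rsplit(".", 1)[-1] for n in names if "." in n}
    if has_html and {"chm", "exe"} <= extensions:  # generalised: same delivery shape
        findings.append("html-with-chm-and-exe")
    if str(msg["Subject"] or "").strip().lower() in BLEBLA_SUBJECTS:
        findings.append("listed-subject")          # weak alone ("subject", "hello world")
    return findings

def verdict(raw):
    """Quarantine on attachment evidence; a listed subject alone is only context."""
    found = inspect_message(raw)
    attachment_hit = {"blebla-attachment-pair", "html-with-chm-and-exe"} & set(found)
    return "quarantine" if attachment_hit else "pass"

def build_sample(subject, html, attachments):
    """Constructed test message (placeholder bytes, example.com addresses)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content("<p>constructed</p>" if html else "constructed",
                  subtype="html" if html else "plain")
    for name in attachments:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()

if __name__ == "__main__":
    for args in (("Romeo&Juliet", True, ["MYJULIET.CHM", "MYROMEO.EXE"]),
                 ("hello world", False, []),
                 ("Q3 report", True, ["help.chm", "setup.exe"])):
        raw = build_sample(*args)
        print(args[0], inspect_message(raw), verdict(raw))
```

Several of the listed subjects ("subject", "hello world") are common in ordinary mail, so the check treats a subject match as supporting context and bases the quarantine decision on the attachments.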