Virus Alert: Worm Targets Network Shared Resources

Posted by: Ice

Virus Alert: Worm Targets Network Shared Resources - 05/02/03 07:47 AM

Well well, whats new, another worm for windows has been released. Man these just keep coming and coming.

============================
A complex worm with backdoor functionality targets available network shared resources and, when executed, copies itself to a Windows system folder.

W32/Kullan-A copies itself to Windows folder Services.exe and sets certain registry entries. View them and more information about the worm this Sophos page.


IRC-Demfire Trojan Has Some Legitimate Components

IRC-Demfire is an IRC-based remote access Trojan. It consists of multiple components, some of which are legitimate applications. The Trojan exploits an old vulnerability in Microsoft IIS in order to install itself on vulnerable machines. Once running on the victim machine, the backdoor joins an IRC channel (as defined within the IRC config files, included in the package) in order to await commands from the hacker. These commands enable the hacker to perform various functions on the victim machine, such as:


collect machine information (e.g. memory, disk space, processor...)
upload/download files to/from machine
execute files on machine
perform port scanning
To determine if a machine has been infected and for other information, visit this McAfee page.

Sory Worm Sends Confidential Info to an IP Address

Sory is a dangerous worm that obtains confidential information from the affected computer and sends it to an Internet address. Despite this, antivirus software vendor Panda Software has given the worm a very low threat assessment.

The data sent out by Sory includes the operating system version, the CPU number, type and speed, the amount of RAM and the e-mail address of the affected user. Similarly, Sory logs the keystrokes entered by the user of the infected computer and saves them in a file, which it also sends out. By doing this, the recipient of the message can access confidential information belonging to the user, such as the passwords for accessing certain services.

This worm only spreads across networks and through computers with an English or Turkish operating system installed. More information is at this Panda Software page.

I-Worm.Fasong Spreads via LANs

Fasong is a worm virus spreading via local area networks. The worm is a Windows PE EXE file about 170KB in length and is written in Delphi. The worms also copies itself to network drives. To run itself on remote machines Fasong also creates the autorun.inf file in the drive root directory and writes the [autorun], OPEN= command to this file.

Fasong also has a Trojan routine that gets personal information from OICQ and some other Chinese programs, and then it sends emails containing personal data from victim machines to its master. While installing, the Fasong worm copies itself to randomly selected directories on randomly selected drives, and using randomly selected EXE names.
=====================