Worm Spreads Via Email With Variable Characteristics
Mydoom.J is a worm that spreads via e-mail in a message with variable characteristics, and through peer-to-peer (P2P) file sharing programs, according to Panda Software, which issued a low-level threat alert Wednesday.
In addition, Mydoom.J uses a Dynamic Link Library (DLL) that has already been used by Bugbear.B. It also opens the Windows Notepad (NOTEPAD.EXE) and displays junk data.
Technical information is at the Panda Software page.
Backdoor Trojan/Worm Sets IRC Channel to Remote Server
W32/Agobot-QF is an IRC backdoor Trojan and network worm that establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.
This worm will move itself into the Windows System32 folder under the filename EXPLORED.EXE and may create the following registry entries so that it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Login = explored.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = explored.exe
W32/Agobot-QF will also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.
More information is at this Sophos page.
Worm Uses Internet to Exploit Vulnerability
W32/Blaster-G is a worm that uses the Internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service.
The worm will copy itself to the Windows system folder as eschlp.exe and create the file svchosthlp.exe in the same location.
W32/Blaster-G creates the following registry entries to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
More information is at this Sophos page.
Worm Performs Several Destructive Functions
W32.Opasa@mm is a mass-mailing worm that:
The email contains a .zip attachment, and the Subject line varies.
Technical details are at this Symantec page.
Remote Access Trojan Installs Itself Into Directory
W32/Blaster.worm.k!backdoor is a remote access trojan that is dropped and executed by W32/Blaster.worm.k. Upon execution, the trojan installs itself into the %SYSDIR% directory as svchosthlp.exe, where %SYSDIR% is the Windows System directory (for example C:\WINDOWS\SYSTEM).
The following Registry key is added to hook system startup:
The following registry keys are also added:
More information is at this McAfee page.
Worm Drops Itself Into Systems Folder Using Random Names
Worm_Mimail.V is a memory-resident worm that drops a copy of itself in the Windows system folder under random names.
It drops the following files:
It creates registry entries to ensure its automatic execution at every Windows startup.
This worm propagates through file-sharing applications, such as Kazaa, by dropping copies of itself under various names in the Kazaa shared folders. Note that it may use names that are related to security and antivirus companies.
This malware terminates running processes, most of which are related to security and antivirus applications.
It runs on Windows NT, 2000, and XP.
Technical details are at this Trend Micro page.
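Several of the alerts above (Agobot-QF, Blaster-G, the Blaster.worm.k backdoor, Mimail.V) persist through the HKLM ...\CurrentVersion\Run and RunServices keys. As an added example, not taken from any of the vendor pages cited here, this Python checker parses a regedit .reg export of those keys and flags the value name and executable names the alerts quote; the sample export, the "helper" entry and the function names are constructed for illustration, and only REG_SZ values are handled.

```python
import re
# Indicators quoted in the alerts above: Agobot-QF's autorun value name, and the executables
# named for Agobot-QF, Blaster-G and the Blaster.worm.k backdoor. The sample dump is constructed.
SUSPECT_VALUE_NAMES = {"windows login"}
SUSPECT_EXECUTABLES = {"explored.exe", "eschlp.exe", "svchosthlp.exe"}
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"}
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse a regedit .reg export into {key_path: {value_name: data}}; REG_SZ values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:  # undo the .reg escaping of backslashes and double quotes
                name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
                keys[current][name] = data
    return keys

def _basename(path):
    return re.split(r"[\\/]", path.strip('" '))[-1].lower()

def find_persistence(reg):
    """Return [(key, value_name, data, reason)] for autorun values matching the indicators."""
    hits = []
    for key in (k for k in reg if k.lower() in RUN_KEYS):
        for name, data in reg[key].items():
            reasons = []
            if name.lower() in SUSPECT_VALUE_NAMES:
                reasons.append("value name")
            if _basename(data) in SUSPECT_EXECUTABLES:
                reasons.append("executable")
            if reasons:
                hits.append((key, name, data, "+".join(reasons)))
    return hits

# Constructed sample export: one benign entry plus the persistence points described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Login"="explored.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Login"="explored.exe"
"helper"="C:\\WINDOWS\\SYSTEM32\\svchosthlp.exe"
'''
```

Running `find_persistence(parse_reg(SAMPLE_REG))` returns three findings (both "Windows Login" values and the svchosthlp.exe entry) and leaves the ctfmon entry alone; on a real host, point it at an export of the two keys instead of SAMPLE_REG.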
--Compiled by Esther Shein