Weekly Virus Report – NiceHello, CodeRed.F, Deloder.A and Prom Worms
Four worms -NiceHello, CodeRed.F, Deloder.A and Prom-, and a Trojan called SysComm are the subject of this week’s report on malicious code.
NiceHello stands out because this week it has knocked Klez.I off the top spot in the ranking of the ten most frequently detected viruses by the free, online antivirus Panda ActiveScan, which Klez.I has headed for several months.
NiceHello spreads via e-mail in a message that is easy to recognize, as the message text always contains the Spanish phrase: “es solo para vos” (it’s only for you). After infecting a computer, this worm sends a copy of itself to all the addresses in the Contact List of the instant messaging program MSN Messenger. Similarly, NiceHello sends an e-mail to the virus author, which contains the MSN Messenger user name and password of the user of the infected computer.
The second worm, CodeRed.F, is a variant of another worm called CodeRed.IIS.2, which differs by only 2 bytes from the original. This modification allows CodeRed.F to keep spreading until the year 34952, whereas CodeRed.IIS.2 could only do this until October 2001.
CodeRed.F exploits a vulnerability in Index Server 2.0, Indexing Service and Internet Information Server (versions 4.0 and 5.0). When it infects a computer, it creates a file with Trojan characteristics called “EXPLORER.EXE” that, in turn, generates two virtual drives, which it uses to access the computer it has infected. From then on, as well as causing the computer to block for no apparent reason, every 48 hours CodeRed.F will restart computers with a Chinese operating system installed, and restart those with an operating system in any other language every 24 hours.
The third worm in today’s virus report is Deloder.A, which spreads across local networks and the Internet and disables shared resources: C$, D$, E$, ADMIN$ and IPC$. In the computers that this malicious code infects, it creates and runs a backdoor Trojan. In order to gain remote access to other computers, Deloder.A tries to connect to certain IP addresses through the TCP port 445.
The last of today’s worms is Prom, which only affects computers running under Windows XP/2000/NT. This virus spreads via e-mail in a message that is difficult to recognize, as it has variable characteristics.
Finally, SysComm is a dialer Trojan that, once it has reached a computer, connects to a premium rate number (“906-xxx-xxx”) when the system date is April 1st or later.
SysComm mainly spreads via e-mail in a message that contains the following attached files: “FERIA.JPG.VBS”, which is the file that carries out infection, “FERIA2.JPG”, which contains an image, and “ATTXXXXX.ATT”, which is empty.
For further information about these and other viruses, visit Panda Software’s Virus Encyclopedia.