Weekly Virus Report – Gibe.C, Opaserv.X, Backterra, Reksa.A and Blaster.G Worms
The first worm, Gibe.C, spreads via e-mail in a message that closely imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch. It also spreads through the peer-to-peer (P2P) file sharing program KaZaA, across shared network drives and via IRC. This worm exploits the iFrame and Incorrect MIME Header vulnerabilities, and it ends processes belonging to several antivirus programs, firewalls and system monitoring tools, which leaves the affected computer vulnerable to attack from other malicious code. In addition, Gibe.C disables the Windows Registry Editor and displays a message on screen designed to obtain users’ confidential information (such as mail account passwords).

The second worm in today’s report is Opaserv.X. This worm spreads to other computers by attacking IP addresses and trying to copy itself to any shared network drives it finds there. It attempts to access these shared drives by exploiting the Share Level Password vulnerability. Opaserv.X creates several files in the Windows directory and also creates an entry in the Windows registry of the affected computer.

Similarly, Backterra.A and Backterra.B spread through the peer-to-peer (P2P) file sharing program eMule. To do so, these worms try to trick the user into thinking that they are a password generator for computer applications and games. After Backterra.A and Backterra.B are executed, and if eMule is not installed, they display several messages on screen. The main difference between variant ‘A’ and variant ‘B’ lies in the size of the file that carries out the infection: the file of variant ‘A’ is 81,920 bytes and the file of variant ‘B’ is 69,632 bytes.

The fifth worm in this report is Reksa.A, which spreads via e-mail in a message with the subject ‘Support Message’ and the attachment ‘MSNUPDATE.EXE’. Once it is run, Reksa.A displays a message on screen and creates the file MSN.EXE, which contains the code of the worm, in the Windows directory.

We finish the worms section with Blaster.G, which affects only Windows 2003/XP/2000/NT computers. It exploits the Buffer Overrun in RPC Interface vulnerability. Blaster.G spreads by attacking IP addresses generated at random and uses the vulnerability mentioned above to download a copy of itself to the compromised computer. To do this, Blaster.G incorporates its own TFTP (Trivial File Transfer Protocol) server. Two clear symptoms that Blaster.G has reached a computer are an increase in network traffic on TCP ports 135 and 4444 and UDP port 69, and that the affected computer hangs and restarts.

Finally, Surfbar.B is malware that exploits the Internet Explorer Object Data Remote Execution vulnerability to reach computers. Its main action is to change the home page of the Internet Explorer browser.
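As an added defensive example, not part of the original report: a short Python script that scores per-host flow records against the Blaster.G traffic symptom described above (TCP/135 fan-out, a TCP/4444 follow-up to a scanned host, and UDP/69 transfers served to that host). The record format, the fan-out threshold and the sample flows are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "src dst proto dport"
SAMPLE_FLOWS = (
    "".join(f"10.0.0.5 10.0.1.{n} tcp 135\n" for n in range(1, 13))  # probes 12 hosts
    + "10.0.0.5 10.0.1.7 tcp 4444\n"   # follow-up to the shell port on one probed host
    + "10.0.1.7 10.0.0.5 udp 69\n"     # that host fetches a file back over TFTP
    + "10.0.0.9 10.0.2.1 tcp 135\n"    # benign: a workstation reaching one RPC endpoint
    + "10.0.0.9 10.0.2.1 tcp 135\n"
    + "10.0.0.9 10.0.2.1 tcp 445\n"
)


def parse_flows(text):
    """Parse one 'src dst proto dport' record per line; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        src, dst, proto, dport = fields
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def blaster_indicators(flows, min_rpc_targets=10):
    """Return {host: [reasons]} for hosts showing two or more of the three indicators."""
    rpc_targets = defaultdict(set)    # src -> distinct dsts probed on TCP/135
    shell_targets = defaultdict(set)  # src -> dsts contacted on TCP/4444
    tftp_clients = defaultdict(set)   # dst -> srcs that pulled from it on UDP/69
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shell_targets[src].add(dst)
        elif proto == "udp" and dport == 69:
            tftp_clients[dst].add(src)
    flagged = {}
    for host in set(rpc_targets) | set(shell_targets) | set(tftp_clients):
        reasons = []
        if len(rpc_targets[host]) >= min_rpc_targets:
            reasons.append(f"tcp/135 fan-out to {len(rpc_targets[host])} hosts")
        overlap = shell_targets[host] & rpc_targets[host]
        if overlap:
            reasons.append(f"tcp/4444 follow-up to probed host(s) {sorted(overlap)}")
        if tftp_clients[host]:
            reasons.append(f"serving udp/69 to {sorted(tftp_clients[host])}")
        # Two indicators are required so a lone TFTP server or a single RPC
        # client is not flagged on its own.
        if len(reasons) >= 2:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in blaster_indicators(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(reasons))
```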