Weekly Report on Viruses and Intrusions – Sasser.F, Cycle.A, Bagle.AC, Sober.G and Wallon.A Worms
This week’s report on viruses and intrusions covers five worms (Sasser.F, Cycle.A, Bagle.AC, Sober.G and Wallon.A) and the generic detection Qhost.gen.
Sasser.F spreads via the Internet by exploiting the LSASS vulnerability. On the computers it infects, this worm causes a buffer overflow in the LSASS.EXE program, restarts the computer and displays a message on screen. Like previous variants of Sasser, variant F spreads automatically across Windows XP/2000 computers. It also works on the other Windows operating systems if the file carrying the worm is run by a malicious user.
Like the malicious code mentioned above, Cycle.A also spreads via the Internet by exploiting the LSASS vulnerability and causes affected computers to restart. It also ends the processes of the Blaster, Sasser.A, Sasser.B, Sasser.C and Sasser.D worms, and launches Denial of Service (DoS) attacks against several websites whenever the system date falls outside May 1 to 18, inclusive.
The third worm in today’s report is Bagle.AC, which ends the processes of several IT security applications, such as antivirus and firewall programs, as well as the processes of several other worms. It also tries to connect, through port 14441, to various websites that host a PHP script, in order to notify the virus author that the computer has been infected.
Sober.G is a worm that spreads via e-mail. The message can be written in English or German, depending on the domain of the recipient’s e-mail address. It searches for e-mail addresses in files with certain extensions on the affected computer and sends itself to the addresses it finds using its own SMTP engine.
The fifth worm is Wallon.A, which installs itself on computers by exploiting the Exploit/MIE.CHM vulnerability. Its propagation routine is as follows: the user receives an e-mail containing a link to a certain website; if the user visits that web page, Wallon.A is downloaded to the computer.
Wallon.A collects all of the addresses in the Windows Address Book and sends them to an e-mail address. The worm also changes the Internet Explorer home page and, if the Windows Address Book contains no addresses, displays an error message on screen.
We are going to finish this week’s report with Qhost.gen, a generic detection routine for HOSTS files modified by several malware families, including variants of the Gaobot worm. The HOSTS file contains a series of name-to-IP-address mappings, and Windows consults it first when translating names to IP addresses, before other services such as WINS or DNS.
This malware modifies the HOSTS file so that a list of web addresses is mapped to the IP address 127.0.0.1, making the addresses on that list inaccessible. These are usually the websites of security software manufacturers, such as anti-malware vendors. For this reason, users of computers affected by Qhost.gen will be unable to access these pages to obtain information, update their solution, etc.
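The following script is an added example of the generic check the report describes; it is not Panda’s Qhost.gen routine. It parses HOSTS-file text and flags every hostname other than the legitimate loopback names that has been pointed at a loopback address. It goes slightly beyond the report by also treating the unspecified address 0.0.0.0 as a black-hole mapping, since that achieves the same effect as 127.0.0.1. The sample HOSTS content and the vendor-style domain names in it are constructed for the example and are not the real domains any malware targets.

```python
"""Generic detection of HOSTS-file tampering of the kind Qhost.gen catches.

Added example; it assumes the HOSTS text is available as a string (on Windows
it lives in %SystemRoot%\\System32\\drivers\\etc\\hosts).
"""
import ipaddress

# Names that legitimately resolve to the loopback address and must not be flagged.
LEGITIMATE_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
}


def is_blackhole_address(addr: str) -> bool:
    """True for loopback (127.0.0.1, ::1) and the unspecified address (0.0.0.0, ::).

    Mapping a public hostname to one of these makes the site unreachable,
    which is exactly what the modified HOSTS files described in the report do.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all; leave it to other checks
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (line_number, address, [hostnames]) for every mapping line.

    Comments (everything after '#') and blank lines are skipped, matching how
    the resolver reads the file.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; the resolver ignores it too
        yield lineno, fields[0], fields[1:]


def find_blackholed_names(text: str):
    """Return [(line_number, hostname, address)] for suspicious mappings."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if not is_blackhole_address(addr):
            continue
        for name in names:
            if name.lower() not in LEGITIMATE_LOOPBACK_NAMES:
                findings.append((lineno, name.lower(), addr))
    return findings


# Constructed sample HOSTS content; the ".example" domains are placeholders.
SAMPLE_HOSTS = """\
# constructed HOSTS file for the example
127.0.0.1       localhost
127.0.0.1       update.antivirus-vendor.example
127.0.0.1       www.antivirus-vendor.example   # entry added by malware
0.0.0.0         downloads.firewall-vendor.example
192.168.1.10    printserver                    # legitimate LAN entry
"""

if __name__ == "__main__":
    for lineno, name, addr in find_blackholed_names(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} (possible Qhost-style tampering)")
```

Run against a real HOSTS file, the only expected hits are the loopback names in `LEGITIMATE_LOOPBACK_NAMES`; any vendor update or download domain appearing in the output is the symptom the report describes and is a reason to restore the file from a known-good copy and scan the machine.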