Thursday, July 21, 2005

Update2: Warning: 'iTunes' Attachment Is AIM Worm

Ryan Naraine writes in eWeek:

Anti-virus vendor Trend Micro on Wednesday issued a warning for a new computer worm infecting users of America Online Inc.'s Instant Messenger application.

The worm, identified by Trend Micro Inc. as W32/Opanki, spreads by tricking users into clicking on a file named after Apple's popular iTunes music service.

"This worm arrives as the file ITUNES.EXE," Trend Micro warned.

"Thus, users may be tricked into thinking that this worm is associated with a legitimate product."

The worm has been programmed to run on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003.

Update: I would highly recommend keeping an eye out for this one. It is out there "in the wild."

My cohorts and I spent most of the day today trying to reduce the impact (and neutralize) this Trojan/Bot/Worm has had in a very large client network. And for a bonus, it includes its own rootkit .dll (probably downloads it later per instruction from the C&C master) just to make things more fun. And at least one component of it (also, perhaps downloaded from a site via IRC instruction from the C&C Bot Master) does a brute-force dictionary attack on Microsoft Active Directory accounts, which locks out the legitimate user if it is unsuccessful (depending on your AD policies).
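The AD dictionary-attack component described above leaves a very characteristic trace on the domain controllers: a burst of logon failures from a single source that walks across many accounts, with lockouts trailing behind it. What follows is an added example, not code from this post or from any of the vendors quoted on the page, of the detection logic a practitioner would run over the security log to find the infected host before the lockouts pile up. The log lines are constructed here in a simplified one-line format (real Windows 2000/2003 event 529 "logon failure: unknown user name or bad password" and event 644 "user account locked out" records are multi-line and vary by platform), and the window and thresholds are assumptions that must be tuned to the lockout policy actually in force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified rendering of domain-controller security-log events.
# Event 529 = logon failure (bad user name or password), 644 = account locked out.
# One host (10.1.4.77) hammers jsmith until lockout, then moves down the
# directory; 10.1.9.12 is an ordinary user mistyping a password twice.
SAMPLE_LOG = """\
2005-07-21 14:02:11 DC01 529 user=jsmith src=10.1.4.77
2005-07-21 14:02:12 DC01 529 user=jsmith src=10.1.4.77
2005-07-21 14:02:12 DC01 529 user=jsmith src=10.1.4.77
2005-07-21 14:02:13 DC01 529 user=jsmith src=10.1.4.77
2005-07-21 14:02:14 DC01 529 user=jsmith src=10.1.4.77
2005-07-21 14:02:15 DC01 644 user=jsmith src=10.1.4.77
2005-07-21 14:02:16 DC01 529 user=mlee src=10.1.4.77
2005-07-21 14:02:17 DC01 529 user=mlee src=10.1.4.77
2005-07-21 14:02:18 DC01 529 user=rpatel src=10.1.4.77
2005-07-21 14:02:19 DC01 529 user=akhan src=10.1.4.77
2005-07-21 14:02:20 DC01 529 user=bwong src=10.1.4.77
2005-07-21 14:09:45 DC01 529 user=tgarcia src=10.1.9.12
2005-07-21 14:40:02 DC01 529 user=tgarcia src=10.1.9.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log):
    """Turn the constructed one-line records into dicts; unknown lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["event"] = int(d["event"])
        events.append(d)
    return events


def find_bruteforce(events, window=timedelta(minutes=5),
                    max_failures=10, max_accounts=3):
    """One alert per source whose failed logons inside `window` either pile up
    on one account (dictionary attack) or spread across many accounts (a bot
    walking the directory). Thresholds are assumed values; tune them below the
    domain's lockout threshold so the alert fires before users are locked out."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == 529:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["user"] for e in span}
            triggered = len(span) >= max_failures or len(accounts) >= max_accounts
            if triggered and (best is None or len(span) > len(best)):
                best = span  # keep the largest offending window for the report
        if best is not None:
            alerts.append({
                "src": src,
                "failures": len(best),
                "accounts": sorted({e["user"] for e in best}),
            })
    return alerts


def locked_out_accounts(events):
    """Accounts that already hit the lockout policy (event 644), i.e. the users
    the help desk is about to hear from."""
    return sorted({e["user"] for e in events if e["event"] == 644})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in find_bruteforce(evs):
        print("brute force from %s: %d failures across %s"
              % (a["src"], a["failures"], ", ".join(a["accounts"])))
    print("locked out:", locked_out_accounts(evs))
```

The distinct-accounts test is the one that matters for this kind of bot: a lockout policy of, say, five bad attempts means a single account never accumulates enough failures to look like a classic brute force, but one source producing failures for three or more different accounts in a few seconds is not a user at a keyboard.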

Here is what www.virustotal.com had to say about an infected executable:

This is a report processed by VirusTotal on 07/22/2005 at 01:09:35 (CET) after scanning the file "inf3ct3d.bak".

Antivirus Version Update Result
AntiVir 6.31.1.0 07.21.2005 no virus found
AVG 718 07.19.2005 no virus found
Avira 6.31.1.0 07.21.2005 no virus found
BitDefender 7.0 07.21.2005 Backdoor.SDBot.57158BBA
CAT-QuickHeal 7.03 07.21.2005 Backdoor.SdBot.aad
ClamAV devel-20050712 07.21.2005 no virus found
DrWeb 4.32b 07.21.2005 BackDoor.IRC.Sdbot.based
eTrust-Iris 7.1.194.0 07.21.2005 no virus found
eTrust-Vet 11.9.1.0 07.21.2005 no virus found
Fortinet 2.36.0.0 07.21.2005 W32/SDBot.AAD-bdr
F-Prot 3.16c 07.21.2005 no virus found
Ikarus 2.32 07.21.2005 Backdoor.Win32.SdBot.AAD
Kaspersky 4.0.2.24 07.22.2005 Backdoor.Win32.SdBot.aad
McAfee 4540 07.21.2005 W32/Sdbot.worm.gen.by
NOD32v2 1.1175 07.21.2005 probably unknown WIN32 virus
Norman 5.70.10 07.21.2005 no virus found
Panda 8.02.00 07.21.2005 W32/Sdbot.EKF.worm
Sybari 7.5.1314 07.22.2005 Backdoor.Win32.SdBot.aad
Symantec 8.0 07.21.2005 W32.Spybot.Worm
TheHacker 5.8.2.074 07.21.2005 Backdoor/SdBot.aad
VBA32 3.10.4 07.21.2005 Backdoor.Win32.SdBot.aad
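Two things in that report matter more than any single row: eight of the twenty-one engines returned "no virus found" on a sample that was already loose in a large network, and the engines that did fire disagreed on the name (nearly all SdBot, Symantec Spybot, NOD32 only a heuristic). The following is an added example, not part of the post or of VirusTotal's own tooling, that parses the rows as transcribed above and reduces them to a detection ratio and a family tally, which is the summary you actually want when deciding how far to trust the desktop AV on the client's network.

```python
import re
from collections import Counter

# The 21 engine rows from the report quoted above, transcribed one per line
# (the live report was a columnar table; this is the page's text as-is).
VT_ROWS = """\
AntiVir 6.31.1.0 07.21.2005 no virus found
AVG 718 07.19.2005 no virus found
Avira 6.31.1.0 07.21.2005 no virus found
BitDefender 7.0 07.21.2005 Backdoor.SDBot.57158BBA
CAT-QuickHeal 7.03 07.21.2005 Backdoor.SdBot.aad
ClamAV devel-20050712 07.21.2005 no virus found
DrWeb 4.32b 07.21.2005 BackDoor.IRC.Sdbot.based
eTrust-Iris 7.1.194.0 07.21.2005 no virus found
eTrust-Vet 11.9.1.0 07.21.2005 no virus found
Fortinet 2.36.0.0 07.21.2005 W32/SDBot.AAD-bdr
F-Prot 3.16c 07.21.2005 no virus found
Ikarus 2.32 07.21.2005 Backdoor.Win32.SdBot.AAD
Kaspersky 4.0.2.24 07.22.2005 Backdoor.Win32.SdBot.aad
McAfee 4540 07.21.2005 W32/Sdbot.worm.gen.by
NOD32v2 1.1175 07.21.2005 probably unknown WIN32 virus
Norman 5.70.10 07.21.2005 no virus found
Panda 8.02.00 07.21.2005 W32/Sdbot.EKF.worm
Sybari 7.5.1314 07.22.2005 Backdoor.Win32.SdBot.aad
Symantec 8.0 07.21.2005 W32.Spybot.Worm
TheHacker 5.8.2.074 07.21.2005 Backdoor/SdBot.aad
VBA32 3.10.4 07.21.2005 Backdoor.Win32.SdBot.aad
"""

# engine, version, update date (MM.DD.YYYY), then the free-text verdict
ROW_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+) (?P<update>\d\d\.\d\d\.\d{4}) (?P<result>.+)$"
)

# Family tokens worth normalising for this sample; anything else counts as "other".
FAMILY_RE = re.compile(r"(sdbot|spybot)", re.IGNORECASE)


def parse_report(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Split verdicts into clean / heuristic / named and tally the family
    each named verdict points at, so vendor naming differences collapse."""
    clean = [r["engine"] for r in rows if r["result"] == "no virus found"]
    heuristic = [r["engine"] for r in rows
                 if r["result"].lower().startswith("probably")]
    named = [r for r in rows
             if r["engine"] not in clean and r["engine"] not in heuristic]
    families = Counter()
    for r in named:
        m = FAMILY_RE.search(r["result"])
        families[m.group(1).lower() if m else "other"] += 1
    return {
        "engines": len(rows),
        "detected": len(rows) - len(clean),   # heuristic hits count as detections
        "clean": clean,
        "heuristic": heuristic,
        "families": dict(families),
    }


if __name__ == "__main__":
    s = summarize(parse_report(VT_ROWS))
    print("%d/%d engines flagged the sample" % (s["detected"], s["engines"]))
    print("missed by:", ", ".join(s["clean"]))
    print("families:", s["families"])
```

The "missed by" list is the operational output: if the client's desktop product is on it, signature updates are not going to clean this up and you are back to the network indicators (the IRC C&C traffic and the AD logon failures) to find infected hosts.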


Let's be careful out there....

Update two: "Spying worm spreads via MSN Messenger, AIM"

Actually this sounds a bit more descriptive.

Munir Kotadia writes in C|Net News:

Microsoft's MSN Messenger and America Online's Instant Messenger services are being targeted by malicious messages containing links that could infect a computer with a Trojan horse or dangerous worm.

The latest threat is a Trojan called Kirvo, which arrives in the form of an instant message from someone on the user's "friends" list. The message contains a link to a Web site, which, if clicked on, loads a copy of Kirvo onto the computer, according to an advisory from security company Symantec. Kirvo is preprogrammed to then fetch a copy of Spybot, a dangerous worm that can take advantage of software vulnerabilities to spy on the user.

Tim Hartman, systems engineer director of Symantec in the Asia-Pacific region and Japan, said Kirvo worked in tandem with Spybot and the malware author's zombie army to seek out and infect more computers.

"All (Kirvo) does is take advantage of the user--by enticing him or her to click the link and launch the trojan," Hartman said. "Once launched, it attempts to download a variant of Spybot, which is a true worm that takes advantage of several vulnerabilities. Kirvo appears to have been developed to assist SpyBot propagation and increase the army of Spybot zombies on the Internet."

Microsoft and AOL could not be immediately reached for comment on Thursday.

