Updates

A compilation of the latest information about viruses and worms, security issues, and the patches that rectify them.
Symantec reports W97M.Ruleden

W97M.Ruleden, a macro virus, deletes files and lowers security settings. The virus is triggered when an infected document is opened or closed. Once installed, it disables the MS Word virus protection feature.
Trend Micro reports ELF_KAITEN.N

ELF_KAITEN.N spreads via software vulnerabilities. The worm is part of a botnet distributor that exploits a known vulnerability in Mambo, an open source content management system commonly used on Linux.

The botnet distribution starts when this worm attempts to exploit the Mambo vulnerability. If successful, the worm downloads a script, which in turn downloads the script micu from the address 209.{BLOCKED}.48.69/micu. Micu then downloads two files from the same address, Ro and Mare, the latter of which is a copy of this worm, thus enabling the infection cycle to begin again. The file Ro is the botnet component that is installed on the exploited system.
McAfee reports Adware-Spyaxe

Adware-Spyaxe poses as an anti-spyware application that promises to remove unwanted malicious spyware programs. It uses fake system alerts to convince the user to download and install Adware-Spyaxe. The alerts are constructed so that they appear to come from the operating system (Windows Update, official system errors, etc.).
Sophos reports Troj/BagleDl-AQ and W32/Tilebot-CQ

Troj/BagleDl-AQ, also known as W32/Bagle.gen, is a Windows-based Trojan. Once installed, it terminates security-related software and prevents it from running.

W32/Tilebot-CQ is a worm and IRC backdoor for the Windows platform. Once installed, it turns off anti-virus applications and allows others to access the computer. It downloads code from the Internet, steals information and reduces system security. The worm spreads to other network computers by exploiting common buffer overflow vulnerabilities, including WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007), and by copying itself to network shares protected by weak passwords.
Blaster returns

According to a report, Blaster is still alive, and many, including Microsoft, fear that thousands of Windows machines will never be completely dewormed. According to statistics culled from Microsoft's Windows Malicious Software Removal Tool, between 500 and 800 copies of Blaster are removed from Windows machines per day. The most removals were made from Windows XP Gold and Windows XP SP1. The reports also show a similar pattern for the Sasser worm that rocked corporate networks last year.

Programmers believe that hundreds of the daily Blaster removals are actually reinfections of machines that have gone back to an unpatched state. Reinfections occur when Windows users reinstall the operating system from original media or roll back an OS install to a state where the Blaster patch is removed.

However, the low rate of Blaster and Sasser detections on machines running Windows XP SP2 is a nod to Microsoft's heavy investment in hardening the OS. One of the key additions to SP2 was an improved firewall that is turned on by default.
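Both the Tilebot item above and the Blaster reinfection story come down to the same defender's check: are the bulletin patches actually present on a rebuilt or rolled-back machine, and is the host firewall on? The script below is an added example written for this page, not code from any of the vendors cited. It uses Get-HotFix and Get-NetFirewallProfile, which are standard Windows PowerShell cmdlets; the bulletin-to-KB mapping is this example's own assumption and should be confirmed against each Microsoft bulletin before relying on it.

```powershell
# Added example: verify that the bulletins named in this digest are installed
# and that the Windows Firewall is enabled, so a reimaged host is not silently
# back in the pre-patch state the Blaster statistics describe.

# Bulletin -> KB article mapping. ASSUMPTION of this example; confirm against
# the bulletin text before using in production.
$Bulletins = @{
    'MS03-049 (WKS, CAN-2003-0812)' = 'KB828749'
    'MS04-007 (ASN.1)'              = 'KB828028'
    'MS05-039 (PNP)'                = 'KB899588'
}

function Test-BulletinPatches {
    # Returns one object per bulletin with an Installed flag.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($name in $Bulletins.Keys) {
        [pscustomobject]@{
            Bulletin  = $name
            KB        = $Bulletins[$name]
            Installed = $installed -contains $Bulletins[$name]
        }
    }
}

function Test-HostFirewall {
    # Returns $true only if every firewall profile (Domain/Private/Public) is enabled.
    $profiles = Get-NetFirewallProfile
    return -not ($profiles | Where-Object { -not $_.Enabled })
}

$results = Test-BulletinPatches
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Missing patches: " + ($missing.KB -join ', ') + " - host is exposed to the worm vectors listed above.")
}

if (Test-HostFirewall) {
    Write-Output "Windows Firewall is enabled on all profiles."
} else {
    Write-Warning "At least one Windows Firewall profile is disabled; SP2's default-on firewall is the mitigation the digest credits for low reinfection rates."
}
```

Run it after any OS reinstall or rollback; a machine that reports missing KBs or a disabled profile is exactly the reinfection candidate the digest describes.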
Top threats (Source: Trend Micro; period: Dec 18 to 21)

- ELF_KAITEN.N
- WORM_SDBOT.CWG
- WORM_BLASTER.N
- WORM_BRONTOK.AA
- TROJ_BAGLE.GI
- WORM_FEEBS.A
- TROJ_SAMX.A
- TROJ_GETO.A
- WORM_DASHER.C
- WORM_QQPASS.A