Madrid, July 30 2004 - This week's report on viruses and intruders looks at
four worms (Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B), a Trojan
(Dropper.O), a spy program (Ndrv) and an exploit (MhtRedir.N).
Lovgate.AT is a worm that uses a wide range of propagation techniques, such
as email messages, the KaZaA file sharing program, shared network resources,
etc. It also opens a backdoor on the computer, and sends a message by email
to a remote user letting them know that the system has been infected and is
accessible through a backdoor.
The most significant event this week has been the appearance of Mydoom.N.
This worm is designed to spread rapidly via email to addresses that it finds
in infected computers. However, it also uses the four main Internet search
engines to search for all these addresses, thereby trying to saturate them
with traffic. One of them, Google, suffered serious problems for some hours
at the beginning of the week.
Mydoom.N also uses a communication port to create a backdoor on the infected
computer. This backdoor is exploited by the Zindos.A worm in order to
spread. The worm appeared one day after Mydoom.N, which makes it seem likely
that both malicious code are the work of the same person. In addition,
Zindos.A launches DDoS (Distributed Denial of Service) attacks against
Microsoft's website.
Mabutu.B is a worm that connects to different IRC servers to notify its
creator that the computer has been affected and to receive messages from
remote users. The email messages that it uses to spread have variable
characteristics.
Dropper.O is a Trojan that downloads the Adware/Nsearch application onto the
computers it infects. Dropper.O spreads via web pages previously infected by
the MhtRedir.N exploit, which was also detected for the first time this
week. MhtRedir.N has been designed to exploit a vulnerability in Microsoft
Outlook Express, which it uses to install Dropper.O on computers.
Finally, Ndrv is a spyware program offering use of a program in exchange for
viewing a series of advertising messages. Ndrv is made up of a DLL which
loads along with Internet Explorer, so that every time the browser is
opened, the spyware is activated.
- Adware: A program that can be installed for free in exchange for viewing
advertising banners while using it.
- Exploit: This can be a technique or a program that takes advantage of a
vulnerability or security hole in a certain communication protocol,
operating system, or other IT utility or application.
