Wednesday, September 21, 2005

Worm disguising as Excel

Worm Tries to Disguise Itself as Excel Spreadsheet File
May 5, 2004

W32/Famus-A is a mass mailing worm for the Windows platform that copies itself to the system folder as the file PentagonSecret.xls.exe, where the second extension is several white space characters after the first, in an attempt to disguise itself as a Microsoft Excel spreadsheet file. Copies of the worm will also have a crude Excel icon, according to Sophos, which issued an alert Wednesday.

W32/Famus-A will make additional copies of itself as Casper9247.exe and Red7324.exe in the Temp folder along with other non malicious files related to the sent emails. Among these will be the file SMTP.OCX which is a freeware SMTP engine used in the mailing of W32/Famus-A to members of the user's address book.

W32/Famus-A will send itself to members of the user's Outlook address book attached to an email with the following characteristics:

Subject:
Que sabe el Pentagono sobreusted (What the Pentagon knows about you)
Body:
?Crees que estas a salvo del Pentagono de los E.U? Mira estos datos y te asombraras.
Do you believe you are safe from the Pentagon of the E.U? Just look these data and you will be surprised
Password: 123

More information is at this Sophos page.

Sasser Leaves Effects in Many Organizations

As Sasser continues to spread, the number of organizations affected by the virus continues to rise, according to Panda Software. These include governmental institutions the world over, such as the European Commission--where 1,200 computers have been affected--the University of Massachusetts, banking IT systems, travel booking services and companies such as British Airways. In addition to the direct damage caused by Sasser in corporate environments, production is also lost as machines are brought up-to date and the Microsoft patch applied to correct the vulnerability that the worm is exploiting.

Other victims include all those who simply can't use their computers as systems infected by variants of Sasser restart every 60 seconds. This means that there is no time to eliminate the virus from the computer and download the Microsoft patch. One way that users can get round this is by first putting the system clock back, as described below:

- When the window is displayed saying that the system will restart, double-click on the time displayed at the bottom of the screen.

- Once the time settings window opens, put the clock back a few hours.

Users can detect and disinfect the new worm with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser doesnt re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011, along with the patch.

More information about these and other IT threats is available from Panda Software's Virus Encyclopedia here.
Reference: http://www.esecurityplanet.com/alerts/article.php/3349871

0 Comments:

Post a Comment

<< Home