ITSD Computing and Communications Services News
February, 2004
  Monthly Virus Update: New Deadhat Worm Targets Windows

The LBNL virus wall continued to detect and eradicate many worms and viruses last month. How many? The virus wall kept a total of 8893 worms and viruses from getting to Lab users' computers. To nobody's surprise, Windows-based worms and viruses were the most pervasive. The Sobig.F worm was once again the most prevalent with 2062 instances detected and eradicated. Sobig.F generates and sends email containing a copy of its code which, if opened, causes the system on which it is opened to become infected.

The Swen.A worm was once again the second most prevalent with 2205 instances found and deleted. Swen.A tricks users by distributing a bogus Microsoft security bulletin announcing the availability of a cumulative patch for Internet Explorer, Outlook, and Outlook Express. Opening the attachment infects the system used to open it.

The Beagle.H worm, also called the Bagle worm, took third place with 1123 instances identified and destroyed. Beagle arrives in a message with a subject of "Hi" and text consisting of random characters, generally followed by "Test, yep." Anyone who opens the attachment causes his/her system to become infected if antivirus software has not been appropriately updated, and if the system date is January 28, 2004 or before. An infection causes a large number of changes in the infected system. For more information see http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive-ab.html#beagle

New on the horizon last month was the Deadhat (W32.HLLW.Deadhat or Vesser) worm, which targets Windows systems that are or have been infected with the Novarg (MyDoom) worm. It scans remote systems to determine whether TCP port 1080, 3127, or 3128 is open. If any of these ports is open because of a backdoor program installed by the Novarg (MyDoom) worm, the Deadhat worm copies itself to the victim system, sometimes popping up a message reading 'Error executing program!' or 'Corrupted File.' To ensure that it starts every time the infected system boots, this worm modifies the Registry of the infected system. Additionally, it kills processes started by personal firewalls and anti-virus software, opens TCP port 2766 so that a remote attacker can connect to that port and upload programs, and stops Novarg from running. See http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive-cd.html#deadhat
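The port behaviour described above gives network defenders two simple indicators: a host probing TCP 1080, 3127 or 3128 on many neighbours is hunting for MyDoom backdoors the way Deadhat does, and any accepted connection to TCP 2766 points at a host that may already carry the Deadhat backdoor. The script below is an added example, not LBNL code, that applies both checks to firewall connection logs. The log line layout (`timestamp src -> dst:port action`) and the sample lines are constructed for this example; the port numbers come from the description above.

```python
"""Flag Deadhat-style scanning and backdoor use in firewall connection logs.

Added example; assumes a hypothetical log format of the form
    <timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DROP>
"""
import re
from collections import defaultdict

# Ports Deadhat probes (MyDoom/Novarg backdoor listeners) and the port it opens itself.
MYDOOM_BACKDOOR_PORTS = {1080, 3127, 3128}
DEADHAT_BACKDOOR_PORT = 2766

# Regex for the constructed log layout; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "action": m["action"]}


def find_scanners(lines, min_targets=3):
    """Return {src: sorted distinct dst hosts} for sources that touched a MyDoom
    backdoor port on at least min_targets distinct hosts (accepted or dropped:
    the attempt itself is the indicator). A single proxy connection to 3128
    from a legitimate client stays below the threshold."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] in MYDOOM_BACKDOOR_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_backdoor_hosts(lines):
    """Return sorted destination hosts that accepted a connection on TCP 2766,
    i.e. hosts that appear to be running the Deadhat backdoor listener."""
    return sorted({rec["dst"] for rec in map(parse_line, lines)
                   if rec and rec["port"] == DEADHAT_BACKDOOR_PORT
                   and rec["action"] == "ACCEPT"})


# Constructed sample log: one scanning host, one benign client, one backdoor use.
SAMPLE_LOG = [
    "2004-02-03T10:00:01 10.0.0.5 -> 10.0.1.1:3127 DROP",
    "2004-02-03T10:00:01 10.0.0.5 -> 10.0.1.2:3128 DROP",
    "2004-02-03T10:00:02 10.0.0.5 -> 10.0.1.3:1080 DROP",
    "2004-02-03T10:00:02 10.0.0.5 -> 10.0.1.4:3127 ACCEPT",
    "2004-02-03T10:00:05 10.0.0.9 -> 10.0.1.1:80 ACCEPT",
    "2004-02-03T10:00:06 10.0.0.9 -> 10.0.1.7:3128 ACCEPT",
    "2004-02-03T10:01:10 192.0.2.10 -> 10.0.1.4:2766 ACCEPT",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"scanner {src} probed backdoor ports on {len(dsts)} hosts: {dsts}")
    for host in find_backdoor_hosts(SAMPLE_LOG):
        print(f"accepted connection on TCP {DEADHAT_BACKDOOR_PORT} at {host}: check for Deadhat")
```

On the sample log, 10.0.0.5 is reported as a scanner (four distinct targets on backdoor ports) while 10.0.0.9's single proxy connection is not, and 10.0.1.4 is reported both as a host that answered on 3127 and as one that accepted a connection on 2766, which is the combination an infected machine would show. The threshold `min_targets` is a tuning knob; raise it on networks with legitimate SOCKS or proxy traffic on those ports.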

Additionally, new versions of the Mimail worm continue to cause trouble. Although the wording of the messages that carry this worm differs from version to version, as do the actual mechanisms and effects of each version, they have several things in common: they entice users to open an attachment and then to reveal personal information that can be used in identity theft attempts.