ITSD Computing and Communications Services News
January, 2005
 

Monthly Virus Update: More than 100,000 Worms and Viruses Erased

The Lab's virus wall continues to protect Lab systems from worm and virus infections. Last month it identified and eradicated a total of 108,627 worms and viruses, almost all of them designed to infect Windows systems; the count for the preceding month was 123,654. For the eighth consecutive month the Windows-targeting Netsky.P worm was the most frequently found, with 42,992 copies detected and deleted, down from 49,236 the previous month.

Besides the Windows worms, the Santy worm has gained considerable notoriety recently. Santy, one of the minority of worms that do not target Windows systems, exploits a vulnerability in the phpBB bulletin board software to infect systems and to deface the web servers on which phpBB runs. It identifies target systems by doing a Google search for "viewtopic.php", the name of a phpBB script. If the exploit succeeds, Santy copies itself onto the victim system as a file named "m1h02OF" and then overwrites files with the extensions .asp, .htm, .jsp, .php, .phtm, and .shtm with the following content:

“This site is defaced!!
NeverEverNoSanity WebWorm generation X”

Note that the "X" above is a counter of the infections Santy has caused. Santy spread very successfully until Google modified its search engine so that the search Santy relies on no longer reveals web servers running the phpBB software. Santy is just one of several recent worms that have attempted to capitalize on the power of search engines to identify and attack potential victim systems quickly. Upgrading to phpBB version 2.0.11 is the proper fix for the vulnerability Santy exploits; merely restoring the defaced files leaves the server open to reinfection.
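As an added example (not part of this newsletter, and not code from phpBB or from the Lab's virus wall), the following Python script performs the two checks an administrator of a phpBB server would want after reading the above: it walks a web document root looking for the dropped file "m1h02OF" and for targeted files overwritten with the defacement text, reporting the generation counter from each hit, and it compares a phpBB version string against the 2.0.11 fix. The sample directory tree is constructed inline for the demonstration; where the version string comes from on a real server is left to the administrator.

```python
"""Post-incident check for Santy-style phpBB defacement (added example)."""
import os
import re
import shutil
import tempfile

# Extensions the text says Santy overwrites.
DEFACED_EXTENSIONS = {".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm"}
# Name of the file the text says Santy drops on a victim.
DROPPED_FILE = "m1h02OF"
# The defacement body; the trailing number is the worm's infection counter ("X").
DEFACEMENT_RE = re.compile(
    r"This site is defaced!!\s*NeverEverNoSanity WebWorm generation (\d+)"
)
FIXED_VERSION = (2, 0, 11)


def parse_version(version):
    """'2.0.10' -> (2, 0, 10); raises ValueError on anything else."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError("expected major.minor.patch, got %r" % version)
    return parts


def phpbb_is_fixed(version):
    """True if the phpBB version is 2.0.11 or later (the fix named in the text)."""
    return parse_version(version) >= FIXED_VERSION


def scan_webroot(root):
    """Walk root; return (dropped-file paths, [(path, counter)] for defaced files)."""
    dropped = []
    defaced = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == DROPPED_FILE:
                dropped.append(path)
                continue
            if os.path.splitext(name)[1].lower() not in DEFACED_EXTENSIONS:
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)  # an overwritten file starts with the marker
            except OSError:
                continue
            m = DEFACEMENT_RE.search(head)
            if m:
                defaced.append((path, int(m.group(1))))
    return sorted(dropped), sorted(defaced)


def build_sample_tree():
    """Constructed sample web root: one clean page, two defaced pages, one dropped
    file, and one marker in a .txt file (an extension Santy does not target)."""
    root = tempfile.mkdtemp(prefix="santy_demo_")
    marker = "This site is defaced!!\nNeverEverNoSanity WebWorm generation 12"
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "forum/viewtopic.php": marker,
        "docs/readme.htm": marker,
        "docs/notes.txt": marker,
        "forum/" + DROPPED_FILE: "placeholder bytes, not the real dropped file",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree and check two version strings; returns a dict."""
    root = build_sample_tree()
    try:
        dropped, defaced = scan_webroot(root)
        return {
            "dropped": [os.path.relpath(p, root) for p in dropped],
            "defaced": [(os.path.relpath(p, root), gen) for p, gen in defaced],
            "fixed_2_0_10": phpbb_is_fixed("2.0.10"),
            "fixed_2_0_11": phpbb_is_fixed("2.0.11"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The scan only reads the first 4 KB of each targeted file because Santy replaces the whole file, so the marker is always at the top; on a large web root that keeps the check cheap enough to run from cron.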

The Sober-I worm, which targets Windows systems, was found second most frequently, with 31,032 copies identified and eradicated. Sober-I arrives as a message from a falsified address, either an entry from an address book the worm has found on an infected system or a completely fabricated address such as "postmaster@<domain>", where <domain> is the domain of the message recipient. The subject may be in English or German; examples of the many possible subjects include "FwD: Your Password", "FwD: Ok,hieristmein", "FwD: Warning!", "FwD: Details", "FwD: Rechnung", and "FwD: hey dude!" The message body (also either English or German) varies as well, and the attachment may carry one or two file extensions. Once it infects a system, the worm displays the message "WinZip_Data_Module is missing ~Error: {[random number]}" and writes two copies of itself, plus additional files, into the system folder. Sober-I modifies the Registry of systems it infects so that it starts every time the infected system boots, and it may also attempt to reach several web sites from which it can download yet another executable.

The Windows-targeting Netsky.D worm came in third with 5,103 instances detected and deleted. Netsky.D installs its own mail engine and uses it to send messages with subjects such as "Re: Thanks", "Re: Hi", "Re: Your website", "Re: Your Word file", and "Hello"; examples of message bodies include "Here is your file", "Your file is attached", "Your document is attached", and "Please have a look at the attached file". The sender's address is always falsified, taken from entries in address books on systems Netsky.D has infected, and every attachment has a .pif file extension. Netsky.D also modifies the Registry of victim systems and makes other changes to them.
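The indicators in the Sober-I and Netsky.D descriptions above translate directly into mail-gateway screening rules. The following Python script is an added example, not the Lab's virus wall and not code from this newsletter: it parses messages with the standard email package and flags the signs named above for Sober-I (a sender forged as postmaster@<recipient domain>, the listed "FwD:" subjects, attachments carrying two extensions) and for Netsky.D (the listed "Re:" subjects and bodies, .pif attachments). The three sample messages are constructed inline with inert placeholder attachments; the executable extensions beyond .pif are my assumption, and real worm mail varies far more than these lists, so treat the rules as a first filter rather than a signature.

```python
"""Screen mail for the Sober-I and Netsky.D indicators named above (added example)."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Subject and body strings quoted in the text above.
SOBER_SUBJECTS = {"FwD: Your Password", "FwD: Ok,hieristmein", "FwD: Warning!",
                  "FwD: Details", "FwD: Rechnung", "FwD: hey dude!"}
NETSKY_SUBJECTS = {"Re: Thanks", "Re: Hi", "Re: Your website",
                   "Re: Your Word file", "Hello"}
NETSKY_BODIES = {"Here is your file", "Your file is attached",
                 "Your document is attached",
                 "Please have a look at the attached file"}
# The text names only .pif; the other extensions are my assumption of what a
# gateway would also refuse.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}


def extensions(filename):
    """All trailing extensions, lower-cased: 'Rechnung.txt.pif' -> ['.txt', '.pif']."""
    exts = []
    base = filename
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return list(reversed(exts))
        exts.append(ext.lower())


def screen(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    rdomain = recipient.partition("@")[2]
    # Sober-I: fabricated postmaster@<domain of the recipient>.
    if rdomain and sender == "postmaster@" + rdomain:
        hits.append("sober-i: sender forged as postmaster@<recipient domain>")
    subject = str(msg.get("Subject", "")).strip()
    if subject in SOBER_SUBJECTS:
        hits.append("sober-i: known subject")
    if subject in NETSKY_SUBJECTS:
        hits.append("netsky.d: known subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in NETSKY_BODIES:
        hits.append("netsky.d: known body")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        exts = extensions(name)
        if exts and exts[-1] in EXECUTABLE_EXTENSIONS:   # Netsky.D's .pif
            hits.append("executable attachment: " + name)
        if len(exts) >= 2:                               # Sober-I's two extensions
            hits.append("double extension: " + name)
    return hits


def build_sample(from_addr, to_addr, subject, body, attachment_name):
    """Constructed sample message; the attachment is a placeholder, not malware."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = to_addr
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: one Sober-I-like, one Netsky.D-like, one legitimate.
SAMPLES = {
    "sober-i": build_sample("postmaster@example.org", "alice@example.org",
                            "FwD: Rechnung", "Ihre Rechnung ist im Anhang.",
                            "Rechnung.txt.pif"),
    "netsky.d": build_sample("bob@example.net", "alice@example.org",
                             "Re: Your website",
                             "Please have a look at the attached file",
                             "website.pif"),
    "clean": build_sample("carol@example.com", "alice@example.org",
                          "Lunch?", "See you at noon.", "agenda.pdf"),
}


def demo():
    """Screen every constructed sample; returns {name: [indicators]}."""
    return {name: screen(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or ["no indicators"])
```

The attachment rules carry the weight: subjects and bodies change from variant to variant, but a .pif or double-extension attachment from a forged sender is worth quarantining whatever the subject says.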