AnnaKournikova Worm
A fast-spreading virus posing as a photo of the Russian tennis player Anna Kournikova, this virus appeared in early 2001. It infects PCs running Microsoft Windows and uses Outlook address books to spread. Specifically, the virus is written in the Visual Basic scripting language; once it has infected a Windows system that uses Microsoft's Outlook e-mail program, it mails itself to the entire address book. The ability to mail itself to a large number of Internet users classifies the virus as a worm. The virus apparently does not damage the systems it has infected. It is one of a series of similar viruses that attack computer systems via e-mail attachments.
Also known as VBS/SST, the virus initially poses as an attachment, AnnaKournikova.jpg.vbs, included in a message with one of three similar subject lines: "Here you are ;-)," "here you have ;o)" and "here you go ;-)."
The virus (more widespread than Melissa but less than the Love Bug) has only a few subject lines, which makes it easy for network administrators to filter it out before it ever reaches the desktop, but it uses encryption to make it harder for antivirus software to detect, changing its signatures to hide itself from antivirus software.
The virus came and went quickly, but managed to disrupt businesses worldwide. It hit many different types of organizations, e.g., a government agency, a banking institution, a major networking company, a beverage company, and an insurance company. Several experts believe the worm to be the product of a so-called "virus creation kit," a program that lets any online vandal with rudimentary computer skills point-and-click their way to creating malicious code. Trend Micro's software originally detected the virus as VBS_KALAMAR, and Trend Micro believes that Kalamar is the name of the author of the virus creation kit.
For further information on the AnnaKournikova virus, see http://vil.nai.com/vil/virusChar.asp?virus_k=99011.
Backdoor.IRC.Ratsou.B
Backdoor.IRC.Ratsou.B is categorized as a Windows Trojan horse program, but in many ways it is more like a worm than anything else. It gives its creator full control over the computer on which it is installed. The Trojan is automatically downloaded whenever anyone using Internet Explorer configured to execute certain kinds of Web executables visits a particular Web site, http://amateur.freegayspace.com/. It can also be installed in a number of other ways, including by connecting to unprotected shares. Once a system is infected, it joins a chat channel and attempts to spread itself to other systems connected to the same chat session by connecting them to the previously mentioned Web site. It also scans the network to find other systems to infect through unprotected shares and other methods. Note that (unfortunately) Backdoor.IRC.Ratsou.B can infect even systems with up-to-date antivirus software, because it can be installed via Web interaction.
Backdoor.IRC.Ratsou.B makes many changes to any system it infects. It downloads an executable that is normally named "note.exe" and then creates a new folder, UserMode (normally in the path C:\WINNT\Debug\UserMode or C:\Windows\Debug\UserMode). Next it creates approximately 40 files, some of which hide the processes that this malicious program creates, while others provide a variety of types of backdoor access (in case one particular method does not work). It also makes a variety of Registry changes on any system it infects. One of these changes (the addition of a value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) starts hid.exe, one of the process-hiding programs, whenever the infected system boots, and another starts the chat service at boot time. Cleaning an infected system is difficult because of all the changes Backdoor.IRC.Ratsou.B makes; your best bet is to have your system administrator or the Help Desk (help@lbl.gov) reinstall the operating system. More information is available at: Symantec Security Response: Backdoor.IRC.Ratsou.B
Badtrans.B
A new variant of a mail-based Internet worm has been spreading rapidly over the Internet. This variant, named "Badtrans.B," can run whenever someone uses Microsoft Outlook or Outlook Express to open an e-mail message that contains the worm. The worm infects systems regardless of whether any attachment is opened: it exploits a buffer overflow condition in the two mail clients just mentioned by sending a specially formed vCard that results in execution of the worm code. (See Microsoft Security Bulletin MS01-027 for more information on the vulnerability that this worm exploits.)
Once the worm code executes, Badtrans.B plants a Trojan horse program on the victim system to enable attackers to gain remote access to the system, and then sends the victim's IP address to the worm's creator. Next it plants a keystroke-logging program that dumps all keystrokes entered on the victim system to the system's hard drive. Any captured keystroke data are encrypted to help prevent the information from being read by anyone other than the attacker. It also sends a copy of itself to all addresses in the Outlook or Outlook Express address book, or (in some cases) only to the senders of unread messages.
Spotting previous worms such as ILOVEYOU has often been relatively easy because of a well-recognized or implausible message subject (such as "ILOVEYOU"). Badtrans.B, however, takes the subject line from a message that the user has already sent and reuses it preceded by "RE". In this manner Badtrans.B tends to raise little suspicion among users. Badtrans.B shows up in mailboxes with either no text in the message body or part of the original message's text. Attachments included with the worm look like .MP3, .DOC, or .ZIP files, but they are in reality double-extension files ending in .PIF or .SCR. Attachments are likely to be 13,312 bytes long.
Preventing infection by Badtrans.B requires keeping your system's antivirus software updated. See Symantec's Download Virus Definitions site. You also need to ensure that your Windows system has the latest patches installed. See http://www.lbl.gov/download/ for bundled patches for Windows NT and 2000 systems. Alternatively, the Microsoft patch for the vulnerability that Badtrans.B exploits can be downloaded from Microsoft Security Bulletin MS01-027.
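The fixed subject lines and double-extension attachment names described above for AnnaKournikova and for Badtrans.B are exactly the kind of indicators a mail gateway can screen for. The following Python is an added example, not code from the original alerts; the message record shape (subject, attachment name, attachment size) and the sample messages are constructed for illustration.

```python
import re

# Subject lines used by the AnnaKournikova worm (VBS/SST), as listed in the alert.
ANNA_SUBJECTS = {"here you are ;-)", "here you have ;o)", "here you go ;-)"}
# Final extensions the alerts describe hiding behind a harmless-looking one:
# AnnaKournikova.jpg.vbs, and Badtrans.B's .PIF/.SCR behind .MP3/.DOC/.ZIP.
EXEC_EXTENSIONS = {"vbs", "pif", "scr"}
BADTRANS_SIZE = 13312  # attachment length the alert reports for Badtrans.B
DOUBLE_EXT = re.compile(r"^.+\.([a-z0-9]{2,4})\.([a-z0-9]{2,4})$", re.IGNORECASE)


def is_double_extension_executable(filename):
    """True for names like photo.jpg.vbs or song.mp3.pif."""
    m = DOUBLE_EXT.match(filename)
    return bool(m) and m.group(2).lower() in EXEC_EXTENSIONS


def classify(message):
    """Return the indicators from the alerts that one message matches.

    `message` is a dict with 'subject', 'attachment' (name or None) and
    'size' (attachment length in bytes); this record shape is an assumption."""
    reasons = []
    subject = message.get("subject", "").strip().lower()
    name = message.get("attachment") or ""
    if subject in ANNA_SUBJECTS:
        reasons.append("anna-kournikova-subject")
    if is_double_extension_executable(name):
        reasons.append("double-extension-executable")
        # Badtrans.B: reused subject prefixed with RE, .PIF/.SCR, 13,312 bytes
        if re.match(r"re\b", subject) and message.get("size") == BADTRANS_SIZE:
            reasons.append("badtrans-b-profile")
    return reasons


def flagged(messages):
    """Map each suspicious message (by attachment name, else subject) to its indicators."""
    return {m.get("attachment") or m["subject"]: classify(m)
            for m in messages if classify(m)}


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Here you are ;-)", "attachment": "AnnaKournikova.jpg.vbs", "size": 2842},
    {"subject": "RE: budget figures", "attachment": "figures.doc.pif", "size": 13312},
    {"subject": "Meeting notes", "attachment": "notes.doc", "size": 40111},
    {"subject": "Photos", "attachment": "trip.tar.gz", "size": 90210},
]

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_MESSAGES).items():
        print(f"{name}: {', '.join(reasons)}")
```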
The Bobax Worm
The Bobax worm exploits a buffer overflow vulnerability in the lsass.exe program (see Microsoft Security Bulletin MS04-011) on Windows systems, enabling an attacker or malicious program to run unauthorized code on victim systems with superuser privileges, giving total control of those systems. Although the various variants of Bobax (Bobax.A through Bobax.D) work somewhat differently, they have certain characteristics in common. When they infect a system they first create a mutex that prevents multiple copies of the worm from running, then copy themselves into the system folder (%systemroot%). Next they change one or more Registry keys, including one or both of the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
to cause the worm code to run every time the infected system boots. Bobax variants then try to delete every file that begins with "~" in the %temp% folder and to insert themselves into this folder as well as into Explorer.exe (something that may cause Windows Explorer to crash). They also try to connect to a remote Web server to record that they have infected another system. The Web server's response directs the victim system to send spam, to download and execute programs, to transmit information about itself, or to start or stop scanning designated IP addresses. When the Bobax variants scan remote computers, they determine whether a target is a Windows XP system by trying to connect to TCP port 5000. If that connection succeeds, the variants send input to the system on TCP port 445 in an attempt to exploit the lsass.exe vulnerability. If the exploit succeeds, the variants also create an HTTP (Hypertext Transfer Protocol) connection from the victim system back to the attacking system to push the worm code onto the victim. Finally, all Bobax variants open several randomly chosen ports on the victim so that remote connections can be made to the system.
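The scan sequence just described (a connection to TCP port 5000 followed by traffic to TCP port 445 on the same host, repeated across many hosts) leaves a recognisable trail in connection records. The following Python is an added example, not part of the original alert; the log format and the sample records are constructed, and records are assumed to be in time order.

```python
from collections import defaultdict

# Constructed connection records, one per line: "time src dst dport".
# 10.1.1.20 probes four hosts on 5000 and follows up on 445 against three
# of them; 10.1.1.30 and 10.1.1.40 generate unrelated traffic.
SAMPLE_LOG = """\
10:00:01 10.1.1.20 10.1.2.5 5000
10:00:01 10.1.1.20 10.1.2.5 445
10:00:02 10.1.1.20 10.1.2.6 5000
10:00:02 10.1.1.20 10.1.2.7 5000
10:00:03 10.1.1.20 10.1.2.7 445
10:00:03 10.1.1.20 10.1.2.8 5000
10:00:04 10.1.1.20 10.1.2.8 445
10:00:05 10.1.1.30 10.1.2.9 445
10:00:06 10.1.1.30 10.1.2.9 80
10:00:07 10.1.1.40 10.1.2.5 5000
"""


def parse_log(text):
    """Parse the constructed format into (time, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((ts, src, dst, int(dport)))
    return records


def find_bobax_scanners(records, min_targets=3):
    """Return {src: sorted targets} for sources that connected to TCP 5000 and
    afterwards to TCP 445 on at least `min_targets` distinct hosts.
    A lone 445 connection (ordinary SMB) or a lone 5000 probe is not counted."""
    probed = defaultdict(set)     # src -> hosts it has probed on 5000
    exploited = defaultdict(set)  # src -> probed hosts it then hit on 445
    for _, src, dst, dport in records:
        if dport == 5000:
            probed[src].add(dst)
        elif dport == 445 and dst in probed[src]:
            exploited[src].add(dst)
    return {src: sorted(hosts) for src, hosts in exploited.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, targets in find_bobax_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} probed 5000 then hit 445 on {len(targets)} hosts: {targets}")
```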
Recovering from a Bobax Infection
Recovering from a Bobax infection can be difficult. Symantec recommends that you first download and install the patch available here, then reboot. Because of the way Bobax works, however, you may have to attempt this several times before you succeed. Go here for more details about this problem. Once you have downloaded and installed the patch and rebooted, you need to do the following:
1. Update your system's virus definitions.
2. Restart your computer in VGA or Safe mode.
3. Launch a full virus scan and delete any infected files.
4. Remove any Registry changes that Bobax has made.
Note that if you have a Windows 98/Me system, you will have to disable System Restore before you update your system's virus definitions.
The Brid.A Worm
The Brid.A worm (also known as W32.Brid.A and PE_Brid.A) is a mutation of the FunLove worm. It gains access to victim systems by exploiting an Internet Explorer flaw in which an incorrectly formed Multipurpose Internet Mail Extensions (MIME) header can cause a mail attachment to run on the system that received it. After infecting a system, the Brid.A worm tries to download several files, and then to mail itself to other potential victims. The subject of infected messages reads "[Registered Windows company name]," and the attachment is "Readme.exe." Using its own mail server engine, the Brid.A worm then tries to obtain the address of the infected system's e-mail server and connect to it. Fortunately, the Brid.A worm is so similar to FunLove that your antivirus software's signature for FunLove will detect and eradicate W32.Brid.A, provided, of course, that you keep your software's signatures up to date.