Virus Alert: Macro Virus Targets 2 Specific Dates
February 14, 2003

A macro virus that infects Microsoft Word documents executes malicious commands on the 18th and 22nd of each month, according to anti-virus vendor Symantec.

W97M.Trug.A infects Word documents when they are opened or closed, according to Symantec. It attempts to hide its malicious actions and it may delete several files from the system.

On the 18th of each month, a file will be created on the root of the C: drive. On the 22nd, autoexec.bat will be changed, and commands to delete several vital system files will be added. A number of system files will be deleted if the system is running Windows 9x and the second payload has been executed.

This virus contains several bugs that may cause Microsoft Word to crash, and it also lowers Word's macro virus security settings.

Read technical details here.

Two Backdoor Trojans Out in Force

Symantec also posted details Friday about two backdoor Trojans making the rounds.

Backdoor.Optix.04.d is a backdoor Trojan and a variant of Backdoor.Optix.04.c. It is a Delphi application packed with UPX (v0.76.1-1.20). By default, Backdoor.Optix.04.d listens on port 5151. Backdoor.Optix.04.d attempts to terminate or close any processes of, or windows belonging to, various programs, including antivirus and security programs.

Technical details can be found on this Symantec Web page.

Symantec also reported the appearance of Backdoor.Kilo, a backdoor Trojan that uses an IRC channel to contact a hacker. By default, Backdoor.Kilo opens ports 6711 and 6718 on the infected computer. It too is written in Delphi and is packed with UPX. Like Backdoor.Optix.04.d, it has the potential to compromise security settings.

Read more information here.

Aileen Trojan a Mere Annoyance

The effects of the Trojan Aileen are more annoying than harmful, according to Panda Software. When this Trojan is run, it opens and closes the CD-ROM tray. Aileen does not use any specific means to spread. It can reach computers through the usual means used by viruses: e-mail messages with an infected attachment, computer networks, CD-ROMs, Internet downloads, FTP, and floppy disks.

Read prevention and cure methods on this Panda Software page.

Worm_MAAX.A Destructive, but Minor Threat

This worm sends copies of itself using MAPI (Messaging Application Programming Interface) to all e-mail addresses listed in the Microsoft Outlook address book. While considered destructive, Trend Micro is presently giving it an overall low threat rating. Details of the e-mails can be found here.

Week in Review

Activity this week included the appearance of a Trojan called Egrof, the 'C' variant of the Kazoa worm and the NTRootkit tool, used by hackers to hide their activity on the computers they attack.

Egrof saves the user name and password that the user of the affected computer enters to access the America Online (AOL) instant messaging service in a file called FLOG.TXT. Hackers can then use this information to access the connection accounts of the computer on which they have installed this Trojan.

Egrof is very easy to recognize, as it simulates a connection to the AOL instant messaging service and returns an error message.

The Kazoa.C worm also acts as a Trojan. It spreads rapidly via KaZaA and IRC. This virus is considered dangerous, as it opens a communications port in the affected computer (usually 31337) and sends the IP address and the number of the open port to the attackers, leaving the computer vulnerable to remote attacks.

Kazoa.C creates a large number of infected files whose names refer to erotic photos of famous people or to IT utilities in order to trick KaZaA users into downloading them. It also creates numerous copies of itself on the hard disk, using up a large amount of memory. Finally, Kazoa.C ends active processes related to antivirus, system and security programs and creates keys in the Windows Registry.

Lastly, there was NTRootkit, which only works on machines running Windows NT, 2000 or XP. After gaining remote access to a computer, the hacker installs this tool on the affected machine. The files DEPLOY.EXE and NTROOT.SYS are then created in the Windows system directory.

There are different versions of NTRootkit that have different effects on computers. These include:

  • It hides any file, process or entry in the Windows Registry whose name starts with _root_.
  • It captures keystrokes, which allows hackers to find out data the user enters on the affected computer, such as the user name and password for accessing certain services.

However, due to a bug in the way NTRootkit captures keystrokes on Windows NT computers, it can sometimes cause a fatal error, and a Windows blue screen is displayed.

Visit Panda Software's Virus Encyclopedia for additional information about these and other viruses.
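The indicators this roundup attributes to the individual families (listening ports for Backdoor.Optix.04.d, Backdoor.Kilo and Kazoa.C; the _root_ prefix and dropped files of NTRootkit; FLOG.TXT for Egrof; the autoexec.bat deletions of W97M.Trug.A) can be checked on a host with a short triage script. This is an added example, not code from Symantec, Panda Software or Trend Micro; the netstat, directory and autoexec.bat samples are constructed, and the list of Windows 9x system files is an assumption.

```python
"""Host-triage checks for the indicators described in the article (added example).
The sample inputs at the bottom are constructed, not captured from a real host."""
import re

# Listening ports the article attributes to each backdoor
BACKDOOR_PORTS = {5151: "Backdoor.Optix.04.d", 6711: "Backdoor.Kilo",
                  6718: "Backdoor.Kilo", 31337: "Kazoa.C"}
# File names the article ties to NTRootkit and Egrof
KNOWN_FILES = {"deploy.exe": "NTRootkit", "ntroot.sys": "NTRootkit", "flog.txt": "Egrof"}
# Assumed set of Windows 9x boot files; a del/deltree of these in autoexec.bat is suspect
SYSTEM_FILES = ("io.sys", "msdos.sys", "command.com", "win.com", "system.ini", "win.ini")

def suspicious_listeners(netstat_lines):
    """Return (port, family) for each listening TCP socket on a known backdoor port."""
    hits = []
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line, re.IGNORECASE)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            hits.append((int(m.group(1)), BACKDOOR_PORTS[int(m.group(1))]))
    return hits

def suspicious_files(names):
    """Flag names tied to a family, plus any _root_-prefixed name. NTRootkit hides such
    names from the running system, so pass a listing taken from an offline boot."""
    hits = []
    for name in names:
        low = name.lower()
        if low in KNOWN_FILES:
            hits.append((name, KNOWN_FILES[low]))
        elif low.startswith("_root_"):
            hits.append((name, "NTRootkit-hidden prefix"))
    return hits

def destructive_autoexec_lines(autoexec_lines):
    """Return autoexec.bat lines that delete a system file (the 22nd-of-month payload)."""
    pat = re.compile(r"^\s*(del|deltree|erase)\b.*?(" + "|".join(map(re.escape, SYSTEM_FILES))
                     + r")\b", re.IGNORECASE)
    return [l.strip() for l in autoexec_lines if pat.search(l)]

# Constructed sample data standing in for netstat -an, a dir listing and autoexec.bat
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:31337    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:5151     0.0.0.0:0    LISTENING"]
SAMPLE_FILES = ["notepad.exe", "DEPLOY.EXE", "_root_keys.log", "flog.txt"]
SAMPLE_AUTOEXEC = ["@ECHO OFF", "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
                   "del C:\\COMMAND.COM", "deltree /y C:\\WINDOWS\\SYSTEM.INI"]

if __name__ == "__main__":
    for check, data in ((suspicious_listeners, SAMPLE_NETSTAT), (suspicious_files, SAMPLE_FILES),
                        (destructive_autoexec_lines, SAMPLE_AUTOEXEC)):
        print(check.__name__, check(data))
```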

Compiled by Esther Shein.