The Web    www.100share.com    Google
 
Virus Alert: Optix.Pro Trojan Rated Low Threat
 

Virus Alert: Optix.Pro Trojan Rated Low Threat
April 28, 2003

A backdoor Trojan that allows attackers to gain remote access to affected computers gets a low threat rating from antivirus software vendor Panda Software.

Optix.Pro is a dangerous backdoor type Trojan that opens the communications port 3410 and allows attackers remote access to computers. It also installs and runs another backdoor type Trojan (detected by Panda Software as Bck/Sub7.22) on the affected computer, disables certain antivirus programs and ends the processes belonging to certain firewalls.

Optix.Pro spreads through the typical means used by viruses: CD-ROMS, e-mail messages with infected attachments, Internet downloads, FTP and floppy disks. Despite its harmful effects, antivirus software vendor Panda Software has given the Trojan a very low threat assessment.

For a list of the antivirus programs that Optix.Pro disables and the firewall processes it ends, visit this Panda Software page.

Halfint Worm Spreads through KaZaA

Halfint is a worm that does not have any destructive effects and spreads through KaZaA, a P2P (peer-to-peer) file sharing program. Halfint creates 36 copies of itself in the shared directory in KaZaA. The names of these files, which are copies of Halfint, refer to IT programs, games, etc. By doing this, other users will download copies of the virus to their computer, thinking that they are downloading utilities.

Halfint also creates 36 copies shortcuts to two Web pages, which are currently unavailable. For a list of the files created by Halfint, go here.visit this Panda Software page.

W32.HLLW.Kullan Worm Copies Itself to 'Start' Menu

W32.HLLW.Kullan is a worm with backdoor capabilities that spreads across networks by copying itself to the Start menu on computers that are accessible from an infected machine.

The most common reason for this access is an unprotected shared resource, according to antivirus software vendor Symantec. Some of the backdoor capabilities include the retrieval of information relating to the computer and operating system type, the logging of keystrokes, and the examination of e-mail.

For technical details, visit this Symantec page.

Worm_Purol.A Creates Copies of Itself as Files

This worm propagates via peer-to-peer (P2P) file-sharing networks by dropping copies of itself under various file names in the P2P shared folders. Upon execution, it creates copies of itself as the following files:

LORUPSCR.SCR in the C:\Windows folder
WINSTART32.EXE, which is set as Hidden in attribute in the C:\Windows folder
HWINFO32.COM, which is set as Hidden in attribute in the C:\Windows\System folder
Messenger Plus!  Setup.exe in the Windows Temp directory

(NOTE: The worm specifically searches for the path C:\Windows. If it does not find the path, the files above are not created and the worm proceeds with its other routines.)

The worm also has backdoor capabilities, which are manifested by its copying of random files from hard-coded directories in the affected system to a P2P network-shared folder. As a result, system and user files become downloadable via the shared folder without any user consent.

It has a payload of creating and printing a README.txt file, which contains certain text strings. View them and other information at this Trend Micro page.

Worm_Agobot.F Acts as Bot Program to Launch DoS Attack

This worm propagates via the Kazaa peer-to-peer file-sharing network and via network shared drives. It attempts to connect to an Internet Relay Chat (IRC) server and act as a bot program that can be used to launch a Denial of Service (DoS) attack against other users.

Worm_Agobot.F is designed to have backdoor server capabilities that allow remote users to access and manipulate infected systems. This worm runs on Windows 95, 98, NT, 2000, ME, and XP.

For technical details, visit this Trend Micro page.

QDel379 Delivers Deletion Payload

The QDel379 Trojan is written in Visual Basic and delivers a file deletion payload when run on the victim machine.

Upon execution, it attempts to delete various system files from the C:\WINDOWS directory (directory path is hardcoded in the Trojan). Target files include:

C:\WINDOWS\WIN.INI
C:\WINDOWS\SYSTEM.INI
C:\WINDOWS\CHARMAP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM
C:\WINDOWS\COMMAND
C:\WINDOWS\SETDEBUG.EXE
C:\WINDOWS\SCANDSKW.EXE

More details are available on this McAfee page.

Compiled by Esther Shein.

 
  • Vericept Adds Fraud, Identity Theft Protection
  • 802.11 Has DoS Vulnerability
  • Securing your Storage Assets
  • Sophos Small-Business Suite Fights Viruses, Spam
  • 8/6: Lovgate-F a Mass-Mailing Worm
  • Feds Bag Warez Convictions
  • Outlook Express Bug; MSN IM Worm Detected
  • 6/28: Rbot-CA Allows Remote Access
  • 'Critical' Office 2003 Patch Released
  • IM Threat Center Formed
  • 1/24: Sdbot-TV Worm Lets Hackers In
  • Security Camera Price