Weekly Virus Report - BugBear.B, Sobig.C, Redisto.B, Festival and Naco.D Worms
Posted on 08.06.2003
This week's virus report looks at five worms: Bugbear.B, Sobig.C, Redisto.B, Festival and Naco.D. Among them, variant "B" of Bugbear stands out in particular, as in the last few hours it has caused one of the largest epidemics of the last few months.

Bugbear.B is a dangerous worm that spreads quickly via e-mail and across shared network drives. It activates automatically when the message carrying it is viewed in the Outlook Preview Pane. Bugbear.B does this by exploiting a vulnerability in Internet Explorer (versions 5.01 and 5.5) that allows e-mail attachments to be run automatically; the exploit is known as Exploit/iFrame.

The actions that Bugbear.B carries out include the following:

- It infects a large number of files.

- It disables the security programs installed on the affected computer.

- It opens port 1080, which allows hackers to gain remote access to the affected computer.

- It logs keystrokes to a file. A hacker who gains access to this file could obtain confidential data such as passwords for Internet services, bank accounts, etc.
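The report gives port 1080 as the remote-access indicator for Bugbear.B. The following is an added example, not code from the report or from any vendor it describes: it parses Windows `netstat -an` output and reports TCP listeners and established peers on that port, which is one quick host-side check an administrator could run. The netstat lines embedded below are constructed sample data, not captured from a real host, and the port number is a parameter so the same check works for any other indicator port.

```python
"""Flag listeners and connections on TCP port 1080 in `netstat -an` output.

Added example (not from the Help Net Security report). The report states
that Bugbear.B opens port 1080 for remote access; this check parses netstat
output for that port. SAMPLE_NETSTAT is constructed sample data.
"""
import re

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1080      10.0.0.5:3391          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One socket line: protocol, local address:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, foreign, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, state = m.groups()
            yield proto, laddr, int(lport), faddr, state or ""


def find_port_activity(text, port=1080):
    """Return TCP listeners on `port` and the foreign peers connected to it."""
    listeners, connections = [], []
    for proto, laddr, lport, faddr, state in parse_netstat(text):
        if proto != "TCP" or lport != port:
            continue
        if state == "LISTENING":
            listeners.append(laddr)
        elif state == "ESTABLISHED":
            connections.append(faddr)
    return {"listeners": listeners, "connections": connections}


if __name__ == "__main__":
    result = find_port_activity(SAMPLE_NETSTAT, 1080)
    if result["listeners"]:
        print("port 1080 listening on:", ", ".join(result["listeners"]))
    if result["connections"]:
        print("established peers on 1080:", ", ".join(result["connections"]))
```

A listener on 1080 is not proof of infection on its own (legitimate SOCKS proxies use the same port), so the result is an indicator to correlate with the other signs the report lists, such as disabled security software.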

Redisto.B is a worm that spreads rapidly via e-mail and P2P (peer-to-peer) file sharing programs. After infecting a computer, Redisto.B terminates active processes on the affected computer, so some applications stop working. It also collects confidential information belonging to the user of the affected computer and then sends it out via e-mail.

The third worm we will look at in this report is Sobig.C, which spreads via e-mail (in a message that reads "Please, see the attached file"), and across networks. Once it has infected a computer, Sobig.C looks for e-mail addresses in all the files it finds on the affected computer with the following extensions: "TXT", "EML", "HTM", "HTML", "DBX" and "WAB". It then sends a copy of itself to all these addresses.

The fourth worm in today's report is Festival, which spreads quickly via e-mail, shared network drives, and through KaZaA, a P2P (peer to peer) file sharing program. When it spreads via e-mail, Festival is easy to identify, as the message carrying the worm always has the subject "Where are you?".
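The report gives two message-level indicators that a mail administrator can match directly: Sobig.C's body text "Please, see the attached file" and Festival's fixed subject "Where are you?". The script below is an added example, not code from the report or from any vendor it names. It parses raw RFC 822 messages with Python's standard `email` package and returns the indicator labels that match. One addition is my own assumption rather than something the report states: that an attachment with an executable extension is worth flagging on its own. All three sample messages are constructed.

```python
"""Triage raw e-mail for the worm indicators quoted in the report.

Added example (not from the Help Net Security report). Indicators taken
from the report: Festival's subject "Where are you?" and Sobig.C's body
text "Please, see the attached file". The executable-extension rule is an
assumption of mine. The sample messages are constructed.
"""
from email import message_from_string
from email.message import Message

# Indicators quoted in the report (compared case-insensitively).
FESTIVAL_SUBJECT = "where are you?"
SOBIG_C_BODY = "please, see the attached file"
# Assumption, not from the report: attachment extensions that warrant a flag.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")


def attachment_names(msg: Message):
    """Return the filenames of all attachment parts in the message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts, lower-cased for matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks).lower()


def triage(raw: str):
    """Return the indicator labels matching a raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == FESTIVAL_SUBJECT:
        hits.append("festival-subject")
    if SOBIG_C_BODY in body_text(msg):
        hits.append("sobig-c-body")
    if any(n.lower().endswith(EXECUTABLE_EXTS) for n in attachment_names(msg)):
        hits.append("executable-attachment")
    return hits


# Constructed sample messages (addresses, subjects and attachment name are invented).
SAMPLE_SOBIG = """\
From: a@example.invalid
To: b@example.invalid
Subject: Re: Application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please, see the attached file.
--XYZ
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

SAMPLE_FESTIVAL = """\
From: a@example.invalid
To: b@example.invalid
Subject: Where are you?
Content-Type: text/plain

I have been looking for you.
"""

SAMPLE_CLEAN = """\
From: c@example.invalid
To: b@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain

Shall we meet at noon?
"""

if __name__ == "__main__":
    for name, raw in [("sobig", SAMPLE_SOBIG), ("festival", SAMPLE_FESTIVAL), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", triage(raw) or "no indicators")
```

Exact-string indicators like these are brittle, since a variant that changes its subject line slips past them, so a gateway rule built this way should be treated as one layer alongside signature-based scanning rather than a replacement for it.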

Redisto.B, Sobig.C and Festival create several files in the affected computer and insert various keys in the Windows Registry.

Finally, Naco.D is a worm with a Trojan component that allows an attacker to gain remote access to certain resources on the affected computer. A hacker could then carry out actions such as opening and closing the CD-ROM tray or swapping the mouse button functions. The worm also sends an e-mail message containing information on the affected computer to a certain address; the information sent includes the operating system installed and the number and type of drives. Naco.D also disables the security programs installed on the affected computer.





Copyright 1998-2014 by Help Net Security.