Kaspersky Labs, an international data-security software developer, announces the detection of a new Internet worm called Tanatos, which is currently spreading via email and local area networks and is hijacking confidential information from infected computers. Kaspersky Labs has already received confirmation of Tanatos infections in the UK and other countries.
Tanatos is a Windows program of about 50 KB (packed with the UPX compression utility), written in Microsoft Visual C++. The worm spreads as an email attachment, with varying subject headings, body texts, attachment names and even message formats, all of which make it harder to identify infected messages from their external properties. Infected messages are always in either plain text or HTML format. With the plain text version, users must actively open the attached file, thereby letting the worm loose. With the HTML version, after the message arrives in the inbox of a potential victim, Tanatos waits for the message to be read (for example, in the preview window). Once this occurs, it exploits the "IFRAME" vulnerability in the Windows Explorer's security system to secretly launch itself and infect the machine.
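The two delivery formats described above can be told apart at a mail gateway. The following is an added example, not code from Kaspersky Labs: it sorts a message into "attachment-only" (the user must open the file) or "html-iframe" (an HTML body containing an IFRAME element alongside an attachment). The function names, category labels and sample messages are assumptions constructed for illustration.

```python
# Added example; function names, labels and sample messages are hypothetical.
from email import message_from_string
from html.parser import HTMLParser


class IframeFinder(HTMLParser):
    """Records whether an HTML body contains any <iframe> element."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.found = True


def classify(raw_message):
    """Return 'html-iframe', 'attachment-only' or 'no-attachment'."""
    msg = message_from_string(raw_message)
    has_attachment = has_iframe = False
    for part in msg.walk():
        if part.get_filename():  # any part that carries a file name
            has_attachment = True
        elif part.get_content_type() == "text/html":
            finder = IframeFinder()
            payload = part.get_payload(decode=True) or b""
            finder.feed(payload.decode("latin-1"))
            has_iframe = has_iframe or finder.found
    if not has_attachment:
        return "no-attachment"
    return "html-iframe" if has_iframe else "attachment-only"


ATTACH = ('Content-Type: application/octet-stream\n'
          'Content-Disposition: attachment; filename="sample.bin"\n\nAAAA\n')


def _sample(subtype, body, attach=True):
    """Constructed test message; the file name and bytes are made up."""
    parts = [f"Content-Type: text/{subtype}\n\n{body}\n"] + ([ATTACH] if attach else [])
    return ('MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            + "".join(f"--b1\n{p}" for p in parts) + "--b1--\n")


PLAIN = _sample("plain", "See the attached file.")
HTML_IFRAME = _sample("html", "<html><body><IFRAME height=0 width=0></IFRAME></body></html>")
HTML_CLEAN = _sample("html", "<html><body><p>Hello</p></body></html>", attach=False)
```

Messages classified as "html-iframe" are the ones to quarantine before a mail client renders them, since that format needs no user action beyond reading the message.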
To spread over local area networks, the Tanatos worm goes through all accessible network resources and searches for the Windows system auto-run directory, where it copies itself so that it will execute the next time the infected computer is booted. This function can only work if there is a general write permission enabled for the directory.
After activation, Tanatos registers itself in the system registry auto-run key so that its malicious code will activate each time Windows is booted. Tanatos also contains a Trojan horse feature that makes it an exceptionally dangerous program by creating a system breach and exposing confidential data. In particular, Tanatos sets a keyboard "bug" that records all keyboard actions, including system passwords, to a specified file (KEYLOGGER.DLL) in the Windows system directory. Another notable feature of this worm is its attempts to close active processes, especially anti-virus programs and personal firewalls.
Full control over infected computers: on infected machines, those who control the Tanatos worm can download, transfer, copy, delete and execute files, and can also force processes to abort. To carry out these operations, Tanatos secretly opens an HTTP server and presents its "master(s)" with a Web interface through which to control the infected system.
Potential victims of Tanatos are computers hosting the Klez worm, as both worms exploit the "IFRAME" vulnerability in the Windows Explorer security system. "When taking into account the fact that Klez, to this day, still maintains first place in the list of most widespread virus programs, it is possible to expect "Tanatos" to do its share of damage as well", commented Denis Zenkin, Head of Corporate Communications of Kaspersky Labs.
The defense against Tanatos has already been added to the Kaspersky Anti-Virus databases. Please update your anti-virus software.
The patch for the Internet Explorer IFRAME Security System vulnerability is available at
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

