
Virus Alerts [Weekly report on viruses and intrusions - 02/27/04]

Feb 27, 2004 9:41AM PST

Madrid, February 27, 2004 - This week's report on viruses and intrusions focuses on four worms: Netsky.C, Bizex.A, Nachi.D and Mydoom.F.

Netsky.C spreads via e-mail (in a message with variable characteristics) and through peer-to-peer file sharing applications. This malicious code deletes registry entries made by several worms including Mydoom.A and Mimail.T. In addition, when the system date is February 26, 2004, Netsky.C emits random noises between 6.00 and 8.59 in the morning.

Bizex.A, on the other hand, spreads through the ICQ instant messaging program. It also downloads and runs a copy of itself by exploiting two recently detected flaws in Internet Explorer.

Bizex.A tries to steal information that users enter in websites of banks or other financial entities as well as information transmitted via HTTPS (HTTP over Secure Socket Layer) related to the login.yahoo.com and .passport domains. The data gathered is sent to an FTP server.

The third worm we'll look at in this report is Nachi.D, which spreads to computers with Windows 2003, XP, 2000 or NT. In order to spread as widely as possible it downloads a copy of itself by exploiting three vulnerabilities: Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun. This action causes an increase in network traffic through TCP ports 80, 135 and 445.

Nachi.D can uninstall the A and B variants of Mydoom and Doomjuice, terminating their processes and removing any associated files. When the system date is June 1 or later, Nachi.D deletes itself.

Finally, we'll look at the F variant of Mydoom, which spreads in an e-mail message with variable characteristics. This is a destructive worm which deletes all files with any of the following extensions: AVI, BMP, DOC, JPG, MDB, SAV and XLS.

Mydoom.F installs a DLL which opens a backdoor and allows antivirus processes to be terminated, which leaves the PC vulnerable to attack from other malware. When the system date is between the 17th and 22nd of any month (and year) this worm carries out a distributed denial of service attack (DDoS) against www.microsoft.com and www.riaa.com (two out of three of the attacks are against Microsoft).

In seven out of ten cases, Mydoom.F displays an error message on the infected computer.

For further information about these and other Internet threats, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia
