First appearing as on May 22nd, 2004, we've seen 14 versions in the past month, with four being reported by Trend Micro between June 17th and June 20th. Though prolific in version releases, Korgo has not been very successful at infecting in the wild.
Microsoft made their Windows XP Service Pack 2 Release Candidate 2 publicly available on June 15th on the TechNet web site. The new XP service pack, while not yet supported by Microsoft, has some new security features that may be of interest to early adopters. See our Windows vulnerability and update section.
Keeping spyware and adware at bay is a daunting task for most users. Last week, we showed how you could improve your browser security by defining trusted sites. This week, we show how, using a free utility, you can set up your restricted sites list to block web sites that are known to drop spyware on your machine, hijack your browser or track your surfing. See our tips section for more information.
Top Threat: W32/Zafi
Executive Summary
Name: W32/Zafi
Affects: Windows XP/2000/ME/9x, Windows Server 2003
What it does: Zafi is a moderately destructive worm that may cause antivirus and security products to stop working. It propagates through multi-lingual e-mail and P2P file-sharing networks. When it infects, it copies itself into folders it identifies as shared. It harvests e-mail addresses from the victim's computer and uses its own SMTP engine to send itself out. It may also overwrite the executables of installed security products. Zafi also disables RegEdit, MSConfig and the Task Manager and may launch a DoS attack against several Hungarian web sites.
How to prevent it: Keep your antivirus updated. Do not open attachments. If you use P2P file sharing, do not download any files called "winamp " or "Total Commander ".
Infection removal: All antivirus vendors we checked had protection for the worm with their latest updates. Symantec has a removal tool, and you could also use one of these free online scanners: Trend Micro's Housecall, McAfee's Stinger tool, or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.
Fact file
Name: W32/ [Symantec], [Trend Micro], W32/@MM [McAfee], .B [Kaspersky]
Type of virus: Windows 32 executable
Main Executable file: Random name
Executable size: 12,800 bytes
Date Discovered: June 10, 2004
Country of Origin: Hungary
Systems affected: Windows XP, 2000, NT, ME, 9X, Server 2003
Systems not affected: DOS, Windows , Linux, Mac, OS/2, Unix
Details
W32/Zafi arrives at a user's machine through an e-mail or an infected shared file. E-mail messages are either in English or in the local language if the recipient's domain is one of the following:
.hu .sp .ru .dk .ro .se .no .fi .lt .pl .pt .de .nl .cz .fr .it .mx .at
The e-mail has the basic format:
From: <spoofed>
Subject: <Blank>
Attachment: <random file name with .com, .exe, or .pif as extension>
Message: <random>
For a comprehensive list of the possible messages in various languages, see F-Secure's analysis. The e-mail attachment usually has a .PIF extension, but occasionally shows up as .exe or .com. Unlike some other viruses that use P2P propagation and create dozens of attractive but infected files, Zafi only puts one of two files, "winamp " or "Total Commander ", into folders that have "share" or "upload" in their names. It searches drives C: through H: for shared folders.
When Zafi infects, it creates a mutex called "_Hazafibb" to ensure only one copy of the virus is running in memory. It puts a randomly named .EXE and a .DLL file containing a copy of the virus into the Windows System folder. It also creates other randomly named .DLL files for internal use and for storing harvested e-mail addresses. To ensure it runs when the computer boots, Zafi adds the following registry key/value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "_Hazafibb"="%system%\<random file name>.exe"
Where <random file name> is the one dropped in the Windows System folder. Zafi also adds the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
The virus scans drives C: through H: on the victim's machine for files with the extensions listed below and harvests e-mail addresses from them. It sends copies of itself to all of those addresses except the ones that contain the strings listed below. According to Symantec, Zafi opens Internet Explorer and randomly opens a web page using what it finds in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
The virus also confirms a live Internet connection by attempting to connect to .com and .com.
If the connection is successful, Zafi launches a DoS attack against four Hungarian web sites:
.
.hu
.hu
.hu
When it runs, Zafi prevents the user from running Regedit, Task Manager, and MSConfig (the Windows startup configuration utility), programs that can be used to clean worms and viruses. According to F-Secure, the virus terminates any application whose name contains the words "virus" or "firewall" and overwrites its executable with a copy of itself. Symantec notes that the virus overwrites all executables in Norton or Symantec folders, and Trend Micro also reports that it may overwrite executables at random.
To remove W32/Zafi
Because Zafi may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it once your system is free of Zafi.
The main infection is removed by deleting files in the Windows System folder and removing registry entries. If you're not familiar with the Registry Editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi. Since the worm's files are deleted, you may get errors if you restore from that backup at a future date. Once your system has been cleaned and is operating properly, you may want to delete the backup that has Zafi entries in it.
Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows creates a restore checkpoint. If it does this while the system is infected, the infection may come back later when the checkpoint is restored.
Restart the computer in Safe Mode. Since the worm creates running processes, and Windows doesn't allow you to delete files that belong to running processes, restarting is necessary. Safe Mode prevents Windows from loading most drivers and auto-run entries, so your system boots relatively clean. In addition, Zafi blocks the use of Regedit, which is required below.
Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
IMPORTANT: Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi or W32/Erkez virus (the name depends on the scanner). The files will be copies of the worm stored in the Windows System folder and in the shared folders mentioned above. You should set your antivirus to delete them. If it does not, delete them manually.
Make a backup of the registry before you edit. Delete the Run entry associated with Zafi from the registry. Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"_Hazafibb"="%system%\<random file name>.exe"
Also delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
Exit the registry editor.
Re-enable System Restore and reboot the machine.
Re-scan to be sure all files are clean.
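The persistence entries described in the Details section are also the entries the manual removal steps above tell you to delete, so a quick way to confirm an infection (or confirm a clean-up) is to check a registry export for them. The script below is an added example, not from this newsletter or from any vendor's removal tool: it parses the text format of a .REG file (the format Regedit's Export command writes) and reports the "_Hazafibb" value under the Run key and the HKLM\SOFTWARE\Microsoft\_Hazafibb marker key. The sample export embedded in it is constructed, and "kbdcz.exe" is an invented stand-in for the random file name the worm really drops.

```python
"""Check a Windows .REG export for the W32/Zafi persistence entries.

Added example: not part of the newsletter and not a vendor tool. Assumes the
export is in the Regedit text format (key paths in square brackets, values as
"name"="data"); the indicator names are the ones the article lists.
"""
import re
import sys

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"
RUN_VALUE_NAME = "_Hazafibb"

# Constructed sample export (not from a real infection): one legitimate Run
# entry plus the two Zafi indicators. "kbdcz.exe" stands in for the random
# file name the worm drops in the System folder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"_Hazafibb"="C:\\WINDOWS\\System32\\kbdcz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
@=""
'''

# A value line: either the default value (@) or a quoted name, then '=' and data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .REG files escape a double quote and a backslash with a backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .REG export.

    String values ("name"="data") and the default value (@) are decoded;
    other types (dword:, hex:) are kept as raw text, which is enough here."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue  # file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_zafi_indicators(text):
    """Return a list of human-readable findings (empty when nothing matched).

    Key paths and value names are compared case-insensitively: the registry
    itself is case-insensitive and exports vary between Software and SOFTWARE."""
    findings = []
    keys = {path.lower(): values for path, values in parse_reg(text).items()}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run value {name!r} -> {data}")
    if MARKER_KEY.lower() in keys:
        findings.append(f"marker key present: {MARKER_KEY}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Regedit writes UTF-16 with a byte-order mark; older tools write ANSI.
        blob = open(sys.argv[1], "rb").read()
        text = blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("utf-8", "replace")
    else:
        text = SAMPLE_REG
    for line in find_zafi_indicators(text) or ["no Zafi registry indicators found"]:
        print(line)
```

Export the suspect machine's registry with Regedit (File, Export, or `regedit /e`), copy the file to a clean machine, and pass its path as the first argument; with no argument the script checks its own constructed sample. Note that the "_Hazafibb" mutex is not a registry object and will not appear in an export; the Run value and the marker key are the on-disk traces to look for.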
The following are the lists used by Zafi.
File extensions used to harvest e-mail addresses
htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr
Strings that cause Zafi to skip an e-mail address containing them
win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper
Top 10 Threats for Monday June 22nd, 2004
Here are the top ten threats as listed by the McAfee (Regional Virus Info, last 24 hrs), Panda (Active Viruses), and Trend Micro (Top Threats) antivirus companies.
1. W32/@MM
2. .exe
3. VBS/Redlof@M
4. W32/@MM
5. W32/@MM
6.
7. W32/
8. Downloader-LE (no link)
9. .C
10. W32/@mm
Top 5 Vulnerabilities as Reported by Threat Focus, June 22nd, 2004
Date - Title - Severity
6/16/2004 - Cisco IOS: Malformed BGP packet causes reload resulting in DoS - High
6/17/2004 - Sun: Vulnerability in SunForum Involving the Protocol - Medium
6/12/2004 - cvs: multiple remote compromises - Medium
6/13/2004 - apache: possible denial of service in mod_proxy module - Medium
6/18/2004 - Red Hat: Kernel packages fix local DoS and other vulnerabilities - High
Security Watch Tip: Block known spyware sites
Spyware and adware have become more than a nuisance, threatening privacy and opening users to identity theft. Though there are a lot of anti-spyware products on the web, IE-SpyAd is a quick, inexpensive fix.
Last week, we showed you how to put URLs into the Trusted sites zone to exempt them from security settings. Internet Explorer also has the built-in capability of putting web sites into the Restricted sites zone, a high-security zone which by default has scripting and ActiveX disabled. Uncovering spyware-serving sites on your own is difficult, at best. The good news is that IE-SpyAd has done the work for you. It is a collection of known spyware-purveying web site URLs bundled into a .REG registry entries file. When this file is merged with the registry, it loads the list of sites into IE's Restricted sites security zone. Loading these URLs into the restricted zone does not block them from appearing, but keeps them from downloading ActiveX controls or running malicious scripts on your system. The file is maintained by its author, Eric L. Howes, and is built from information culled from anti-spyware vendors and web sites.
You can download IE-SpyAd as a self-extracting executable or as a zip file. To use it, run the .exe or extract the files to a folder. Close any open Internet Explorer windows. Navigate with Windows Explorer or My Computer to the IE-SpyAd folder where you extracted the files. The IE-SpyAd setup comes with a command-line batch file that you can run, or you can just double-click on the main "" file. This automatically loads the file into the registry. To check whether the file loaded correctly (it's quick and doesn't give a lot of feedback), open Internet Explorer, click on Tools/Internet Options and select Security. Click on the Restricted Sites icon and then on the Sites button. You should see a full list. If there are any URLs that you don't want in the restricted zone, select the URL and click the Remove button.
The archive is free under the GPL and also comes with a readme file that explains, in depth, how to use the files. While it won't block pages completely, it does help prevent a rogue site from downloading spyware to your system.
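To make the mechanism concrete, the script below builds a .REG file of the kind IE-SpyAd merges, from a list of host names. It is an added example, not the IE-SpyAd file or any code by its author, and it relies on Internet Explorer's standard ZoneMap layout: each domain gets a subkey under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, and a "*" DWORD value of 4 there assigns all schemes for that host to the Restricted sites zone. The host names in the sample list are constructed placeholders in the reserved .invalid top-level domain, not real spyware sites, and the example goes slightly beyond the tip by rejecting entries that are not bare host names and collapsing duplicates that differ only in case.

```python
"""Generate a .REG file that puts host names into IE's Restricted sites zone.

Added example, not the IE-SpyAd file itself. Assumes Internet Explorer's
ZoneMap registry layout (Domains\<domain>\<host labels>, "*"=dword:4 for the
Restricted sites zone). The sample host names are constructed placeholders.
"""
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
# IE zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites,
# 3 Internet, 4 Restricted sites.
RESTRICTED_ZONE = 4

# Constructed input list: two placeholder hosts, a case-variant duplicate of
# the first (must collapse to one entry) and a full URL (must be rejected,
# because the ZoneMap stores host names, not URLs).
SAMPLE_DOMAINS = [
    "tracker.example.invalid",
    "adware-drop.invalid",
    "TRACKER.example.invalid",
    "http://bad.invalid/path",
]


def zonemap_subkey(domain):
    r"""Map 'a.b.example.invalid' to 'example.invalid\b\a'.

    The registered domain is the subkey directly under Domains; each further
    host label becomes a nested subkey beneath it, in reverse order."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or any(not l or "/" in l or ":" in l for l in labels):
        raise ValueError(f"not a bare host name: {domain!r}")
    base = ".".join(labels[-2:])
    return "\\".join([base] + list(reversed(labels[:-2])))


def build_restricted_zone_reg(domains):
    """Return (reg_text, rejected): the .REG file content and skipped inputs."""
    seen = set()
    rejected = []
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in domains:
        try:
            sub = zonemap_subkey(d)
        except ValueError:
            rejected.append(d)
            continue
        if sub in seen:
            continue  # same host in a different case
        seen.add(sub)
        lines.append(f"[{ZONEMAP}\\{sub}]")
        lines.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')
        lines.append("")
    return "\n".join(lines), rejected


if __name__ == "__main__":
    text, skipped = build_restricted_zone_reg(SAMPLE_DOMAINS)
    print(text)
    for d in skipped:
        print(f"; skipped (not a host name): {d}")
```

Save the printed text as a .REG file and merge it with a double-click, exactly as the tip describes for IE-SpyAd; the new entries then show up under Tools/Internet Options/Security/Restricted Sites/Sites, and removing a host there deletes its ZoneMap subkey again. One caveat the short example does not handle: hosts under two-label public suffixes such as .co.uk would need the registered domain computed from a suffix list rather than from the last two labels.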
Security updates and vulnerabilities
We've been hearing a lot about the still-in-beta Windows XP Service Pack 2, but until recently it has been difficult for users outside the beta program to check out. Microsoft made the RC 2 version (Release Candidate 2) publicly available on June 15 on their TechNet site. It can be downloaded either in its entirety (264 MB for the English version) or by using the new Windows Update v5 Preview.
Windows XP SP2 supposedly offers better network, memory, e-mail and browser security, as well as a revamped Windows Firewall. The Windows XP Service Pack 2 RC 2 is currently unsupported, so you install it at your own risk. If you do try it, back up your data or use a non-critical machine. Microsoft's SP2 RC2 information page has links to newsgroups and other resources to help you with the update.
Last week, we reported a new cross-site scripting vulnerability that could exploit a fully patched version of Microsoft Internet Explorer. This week Secunia is reporting a non-critical vulnerability that could cause a browser crash. The vulnerability is in the "Save Target As" file-downloading feature and is triggered by a specially formed URL. To successfully exploit the flaw, the malicious site needs to get a user to right-click on a link and select "Save Target As". The technique is often used to save movie or PDF files to disk without invoking a browser plug-in. The vulnerability has been seen in fully patched versions of Internet Explorer 6, and the current workaround is to not use "Save Target As" on untrusted links.
Jargon Watch
A .REG file is a Registry Entry file that contains registry keys and values that can be loaded in bulk into the Windows registry.
The GPL is the GNU Public License from the Free Software Foundation. It is also known as the "copyleft" license. The GPL is defined by the FSF as "the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.", and restricts the commercial usage of the software. For more information see the link above.
A Release Candidate is the last step in a software testing process. It usually implies a version of the software that the company thinks is complete and free enough of bugs to release for distribution.
Security Watch Story Feed
FTC Shows Common Sense with 'No' on Spam List
eWeek June 16, 2004
World's First Mobile Virus Is Not Lethal, Yet
eWeek June 17, 2004
This Week's Top 10 Spammers
eWeek June 18, 2004
Windows XP SP2 RC2 Rolls Out
PC Magazine June 16, 2004
Akamai DDoS Attack Whacks Web Traffic, Sites
eWeek June 15, 2004
Questions, comments, tips about potential viruses, worms, vulnerabilities? Send them here: