Oct 3 2004, 04:32 AM
Post #1
Member, Group: Members, Posts: 121, Joined: 29-May 04, Member No.: 604
- and IRC -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 3, 2004 - This week's report will focus on two worms -Noomy.A and Bagle.BB-, and a Trojan called HardFull.A.

Noomy.A spreads via email and IRC. In order to spread via email it sends itself out to all the addresses it finds in the files with a .dbx, .htm, .html or .php extension, except to those that contain certain strings. In order to spread across IRC, Noomy.A installs its own HTTP server and sends messages to several hard-coded IRC channels, as well as links that try to persuade users to connect to the HTTP server on the affected computer. When the user accesses these links, a web page is opened, from which copies of the worm can be downloaded.

The propagation and payload of Noomy.A vary depending on the date it is run and the type of Internet connection used. The actions that this worm can carry out on affected computers include the following:

- End the processes belonging to security tools, such as antivirus and firewall applications, leaving the computer vulnerable to attack from other malware.
- Launch Denial of Service attacks by pinging several websites, including Microsoft's website.
- Connect to a website in order to send information about the compromised computer, such as the system date and time, whether MSWINSCK.OCX is used and the SMTP server and user name that Outlook uses.

When it is run, Noomy.A displays an error message on screen, making it easy to know if it has infected the computer.

The second worm in today's report is Bagle.BB, which spreads via email in a message with variable characteristics, and through P2P (peer-to-peer) file sharing programs. Bagle.BB opens TCP port 81 and listens in on the communications for a remote connection. Through this connection, the worm will allow remote access to the affected computer. This would allow a remote user to carry out actions that could compromise the confidentiality of user data or impede the tasks carried out.

Bagle.BB ends the processes belonging to security tools, such as antivirus applications, leaving the computer vulnerable to attack from other malware. Bagle.BB also deletes the entries created by several variants of the Netsky worm in the Windows Registry, preventing them from being run when the computer starts up.

We are going to finish this report with HardFull.A, a Trojan that does not spread automatically using its own means, but requires intervention from the attacker. The means of transmission it uses include floppy disks, CD-ROMs, email messages with attached files, Internet downloads, etc.

HardFull.A creates a file that fills itself with the text Win32.Delf.du_Ful, increasing its size until it uses up all the hard drive space available and causing the computer to slow down or even block. This Trojan also disables the Windows Registry editing tools, and the Run and Find options in the Start menu.

For further information about these and other computer threats, visit Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/.

Additional information

- Payload: The effects of a virus.
- Windows Registry: This is a file that stores all configuration and installation information of programs installed, including information about the Windows operating system.

More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/gl...ry/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
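A defensive check built from two behaviours the report names, Bagle.BB's listener on TCP port 81 and HardFull.A's file filled with the text Win32.Delf.du_Ful. This is an added example, not part of the original post or of Panda's report; the function names, the 0.8 threshold and the sample `netstat -ano` output are constructed assumptions.

```python
BAGLE_BB_PORT = 81                      # TCP port the report says Bagle.BB opens
HARDFULL_MARKER = b"Win32.Delf.du_Ful"  # text the report says HardFull.A writes

# Constructed sample of Windows `netstat -ano` output (not captured data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1612
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       940
  TCP    192.168.1.20:1045      203.0.113.7:81         ESTABLISHED     2200
  TCP    [::]:81                [::]:0                 LISTENING       1612
  UDP    0.0.0.0:81             *:*                                    700
"""

def find_listeners(netstat_text, port=BAGLE_BB_PORT):
    """Return (local_address, pid) for each TCP socket LISTENING on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have five columns: Proto, Local, Foreign, State, PID.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _proto, local, _foreign, state, pid = fields
        if state.upper() != "LISTENING" or not pid.isdigit():
            continue
        # Compare only the local port; rsplit copes with IPv6 such as [::]:81.
        local_port = local.rsplit(":", 1)[-1]
        if local_port.isdigit() and int(local_port) == port:
            hits.append((local, int(pid)))
    return hits

def marker_ratio(sample, marker=HARDFULL_MARKER):
    """Fraction of `sample` covered by non-overlapping copies of `marker`."""
    if not sample:
        return 0.0
    return sample.count(marker) * len(marker) / len(sample)

def looks_like_filler(sample, threshold=0.8):
    """Assumed heuristic: a file that is mostly the marker text is suspect."""
    return marker_ratio(sample) >= threshold

if __name__ == "__main__":
    for local, pid in find_listeners(SAMPLE_NETSTAT):
        print(f"listener on {local} owned by PID {pid}")
    print(looks_like_filler(HARDFULL_MARKER * 100 + b"\r\n"))
```

Port 81 is also used by legitimate services, so a hit is a lead for checking which program owns the PID rather than a verdict.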
Oct 11 2004, 07:39 PM
Post #2
Member, Group: Members, Posts: 59, Joined: 5-October 04, Member No.: 3,349
Thanks for the information.