Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


This week's report on two worms

  • Please log in to reply
1 reply to this topic

#1 thatman


  • Members
  • 121 posts
  • Local time:01:16 PM

Posted 03 October 2004 - 04:32 AM

Hi all

- and IRC -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 3, 2004 - This week's report will focus on two worms
-Noomy.A and Bagle.BB-, and a Trojan called HardFull.A.

Noomy.A spreads via email and IRC. In order to spread via email it sends
itself out to all the addresses it finds in the files with a .dbx, .htm,
.html or .php extension, except to those that contain certain strings. In
order to spread across IRC, Noomy.A installs its own HTTP server and sends
messages to several hard-coded IRC channels, as well as links that try to
persuade users to connect to the HTTP server on the affected computer. When
the user accesses these links, a web page is opened, from which copies of
the worm can be downloaded.

The propagation and payload of Noomy.A vary depending on the date it is run
and the type of Internet connection used. The actions that this worm can
carry out on affected computers include the following:

- End the processes belonging to security tools, such as antivirus and
firewall applications, leaving the computer vulnerable to attack from other

- Launch Denial of Service attacks by pinging several websites, including
Microsoft's website.

- Connect to a website in order to send information about the compromised
computer, such as the system date and time, whether MSWINSCK.OCX is used and
the SMTP server and user name that Outlook uses.

When it is run, Noomy.A displays an error message on screen, making it easy
to know if it has infected the computer.

The second worm in today's report is Bagle.BB, which spreads via email in a
message with variable characteristics, and through P2P (peer-to-peer) file
sharing programs.

Bagle.BB opens TCP port 81 and listens in on the communications for a remote
connection. Through this connection, the worm will allow remote access to
the affected computer. This would allow a remote user to carry out actions
that could compromise the confidentiality of user data or impede the tasks
carried out.

Bagle.BB ends the processes belonging to security tools, such as antivirus
applications, leaving the computer vulnerable to attack from other malware.
Bagle.BB also deletes the entries created by several variants of the Netsky
worm in the Windows Registry, preventing them from being run when the
computer starts up.

We are going to finish this report with HardFull.A, a Trojan that does not
spread automatically using its own means, but requires intervention from the
attacker. The means of transmission it uses include, floppy disks, CD-ROMs,
email messages with attached files, Internet downloads, etc.

HardFull.A creates a file that fills itself with the text Win32.Delf.du_Ful,
increasing its size until it uses up all the hard drive space available and
causing the computer to slow down or even block. This Trojan also disables
the Windows Registry editing tools, and the Run and Find options in the
Start menu.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:

Additional information

- Payload: The effects of a virus.

- Windows Registry: This is a file that stores all configuration and
installation information of programs installed, including information about
the Windows operating system.

More definitions of virus and antivirus terminology at:

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the

BC AdBot (Login to Remove)


#2 curly1880


  • Members
  • 59 posts
  • Local time:07:16 AM

Posted 11 October 2004 - 07:39 PM

thanks for the information

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users