- and IRC -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, October 3, 2004 - This week's report will focus on two worms
-Noomy.A and Bagle.BB-, and a Trojan called HardFull.A.
Noomy.A spreads via email and IRC. In order to spread via email it sends
itself out to all the addresses it finds in the files with a .dbx, .htm,
.html or .php extension, except to those that contain certain strings. In
order to spread across IRC, Noomy.A installs its own HTTP server and sends
messages to several hard-coded IRC channels, as well as links that try to
persuade users to connect to the HTTP server on the affected computer. When
the user accesses these links, a web page is opened, from which copies of
the worm can be downloaded.
The propagation and payload of Noomy.A vary depending on the date it is run
and the type of Internet connection used. The actions that this worm can
carry out on affected computers include the following:
- End the processes belonging to security tools, such as antivirus and
firewall applications, leaving the computer vulnerable to attack from other
- Launch Denial of Service attacks by pinging several websites, including
- Connect to a website in order to send information about the compromised
computer, such as the system date and time, whether MSWINSCK.OCX is used and
the SMTP server and user name that Outlook uses.
When it is run, Noomy.A displays an error message on screen, making it easy
to know if it has infected the computer.
The second worm in today's report is Bagle.BB, which spreads via email in a
message with variable characteristics, and through P2P (peer-to-peer) file
Bagle.BB opens TCP port 81 and listens for a remote connection. Through
this connection, the worm allows remote access to
the affected computer. This would allow a remote user to carry out actions
that could compromise the confidentiality of user data or impede the tasks
Bagle.BB ends the processes belonging to security tools, such as antivirus
applications, leaving the computer vulnerable to attack from other malware.
Bagle.BB also deletes the entries created by several variants of the Netsky
worm in the Windows Registry, preventing them from being run when the
computer starts up.
We are going to finish this report with HardFull.A, a Trojan that does not
spread automatically using its own means, but requires intervention from the
attacker. The means of transmission it uses include floppy disks, CD-ROMs,
email messages with attached files, Internet downloads, etc.
HardFull.A creates a file that fills itself with the text Win32.Delf.du_Ful,
increasing its size until it uses up all the hard drive space available and
causing the computer to slow down or even block. This Trojan also disables
the Windows Registry editing tools, and the Run and Find options in the
For further information about these and other computer threats, visit Panda
Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
- Payload: The effects of a virus.
- Windows Registry: This is a file that stores all configuration and
installation information of programs installed, including information about
the Windows operating system.
More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/gl...ry/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the