Keane Insight Updates
A compilation of the latest information about viruses and worms, security issues and patches to rectify the same.
ELF_KAITEN.AK
TROJ_DLOADER.BXQ
UNIX_GETS.A
ELF_LUPPER.H
WORM_CXOVER.A
UNIX_MARE.L
ELF_KAITEN.AJ
ELF_MARE.K
TROJ_DLOADER.CHU
TROJ_CRYZIP.A
(Period: March 11 to 16. Source: Trend Micro)
Symantec reports W97M.Antiprod and SymbOS.Commwarrior.E
W97M.Antiprod is a macro virus that endangers security. The virus is triggered
when an infected document is opened. When W97M.Antiprod is executed, it infects
the Normal.dot file. Once this file is infected, the virus will then infect
other Word documents the user opens.
SymbOS.Commwarrior.E is a worm that runs on Nokia Series 60 mobile phones.
It attempts to spread using Bluetooth and Multimedia Messaging Service (MMS)
messages as a randomly named .sis file. When SymbOS.Commwarrior.E is executed,
it displays a dialog box warning the user that the application may come
from an untrusted source and may cause problems before the .sis file
is installed. If the user clicks yes, the device will prompt the
user to install the threat.
It searches for Bluetooth-enabled devices and attempts to send a randomly named
copy of the .sis file to all devices that it finds, repeating this action every
minute. It also selects a contact phone number from the device's phonebook
at random and sends an MMS message containing the Codec.sis file as an attachment.
Sophos reports W32/Dref-L
W32/Dref-L is a mass-mailing worm and parasitic virus with
IRC backdoor functionality for the Windows platform. The virus will attempt
to infect SCR, EXE and RAR files, then e-mail itself as an attachment to e-mail
addresses harvested from the infected computer. When first run, W32/Dref-L copies
itself to <System>\Duel_v2.exe and creates the file <Windows>\Duel.log.
On the 29th day of each month, W32/Dref-L will also attempt to destroy files
with the following extensions: WMV, ACE, JPG, ISO, MP3, PDF, MPG, AVI, MDB,
PPT, XLS, ZIP and DOC.
Trend Micro reports TROJ_EXPONNY.A
TROJ_EXPONNY.A is a Trojan that arrives on a system as a dropped file of other
malware. Upon execution, it drops a copy of itself as HOST.EXE in the %System%\drivers
folder. It uses the Microsoft folder icon and also displays a fake error message
written in Japanese characters in order to trick the user into thinking that
it is not installed on the affected system. It then creates a file which contains
a list of files found on the affected system's fixed local drives. This
action exposes the file list to anyone who is able to access the system.
Moreover, it modifies the SYSTEM.INI file found in the Windows folder by adding
several lines. The said file initialises settings for the system such as the
keyboard, fonts, language and various other settings. Therefore, modifying the
said file may prevent the affected system from functioning normally. This Trojan
also drops the configuration file UPFOLDER.TXT in the Windows folder.
For affected systems installed with the peer-to-peer (P2P) application Winny,
this Trojan replaces the configuration files in the file UPFOLDER.TXT found
in the Winny installation folder. It may also add other folders in the said
configuration file if the folder names contain any of several strings. The said
configuration file may also contain folder names written in Japanese strings.
Moreover, it may add a folder in the configuration file if the said folder contains
a file with several extension names.
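The three write-ups above name concrete host artifacts: W32/Dref-L drops <System>\Duel_v2.exe and <Windows>\Duel.log and wipes files with a fixed set of extensions on the 29th, while TROJ_EXPONNY.A drops HOST.EXE under %System%\drivers, writes UPFOLDER.TXT in the Windows folder and appends lines to SYSTEM.INI. The following Python is an added example written for this digest, not vendor code, showing how a responder would turn those indicators into a check over a host snapshot. The directory defaults, the file listing and both SYSTEM.INI copies are constructed; the lines TROJ_EXPONNY.A adds to SYSTEM.INI are not given above, so that check simply reports any line missing from a known-good copy for an analyst to review.

```python
"""Indicator scan for the file artifacts described in the digest above.
Added example; sample paths and SYSTEM.INI contents are constructed."""
import os

# Artifacts exactly as the vendor write-ups above name them. <System>,
# %System% and <Windows> are placeholders expanded against the host's
# real directories at scan time.
FILE_INDICATORS = {
    "W32/Dref-L": ["<System>\\Duel_v2.exe", "<Windows>\\Duel.log"],
    "TROJ_EXPONNY.A": ["%System%\\drivers\\HOST.EXE", "<Windows>\\UPFOLDER.TXT"],
}

# Extensions W32/Dref-L tries to destroy on the 29th day of each month.
DREF_L_TARGET_EXTENSIONS = {
    "wmv", "ace", "jpg", "iso", "mp3", "pdf", "mpg", "avi",
    "mdb", "ppt", "xls", "zip", "doc",
}


def expand(template, windows_dir, system_dir):
    """Replace the placeholder directory tokens with the host's actual paths."""
    return (template.replace("<System>", system_dir)
                    .replace("%System%", system_dir)
                    .replace("<Windows>", windows_dir))


def scan_paths(paths, windows_dir="C:\\Windows", system_dir="C:\\Windows\\System32"):
    """Return (family, expected_path) for every indicator present in a host file listing.
    Matching is case-insensitive because NTFS paths are."""
    present = {p.lower() for p in paths}
    hits = []
    for family, templates in FILE_INDICATORS.items():
        for template in templates:
            full = expand(template, windows_dir, system_dir)
            if full.lower() in present:
                hits.append((family, full))
    return hits


def files_at_risk(paths):
    """Files whose extension is on W32/Dref-L's destruction list (for backup triage)."""
    at_risk = []
    for p in paths:
        ext = os.path.splitext(p)[1].lstrip(".").lower()
        if ext in DREF_L_TARGET_EXTENSIONS:
            at_risk.append(p)
    return at_risk


def system_ini_additions(current, baseline):
    """Non-blank lines in the live SYSTEM.INI that a known-good copy lacks.
    The digest says TROJ_EXPONNY.A appends several lines but does not list them,
    so every addition is surfaced rather than matched against a fixed pattern."""
    base = {line.strip() for line in baseline.splitlines() if line.strip()}
    return [line.strip() for line in current.splitlines()
            if line.strip() and line.strip() not in base]


# Constructed host snapshot (assumption: not from any real system).
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\Duel_v2.exe",
    "C:\\Windows\\Duel.log",
    "C:\\Windows\\System32\\drivers\\host.exe",   # case differs from the indicator
    "C:\\Users\\analyst\\report.pdf",
    "C:\\Users\\analyst\\notes.txt",
]
BASELINE_SYSTEM_INI = "[boot]\nshell=explorer.exe\n[drivers]\nwave=mmdrv.dll\n"
CURRENT_SYSTEM_INI = BASELINE_SYSTEM_INI + "[constructed]\nexample=added-by-sample\n"


if __name__ == "__main__":
    for family, path in scan_paths(SAMPLE_PATHS):
        print(f"{family}: indicator present at {path}")
    print("Files W32/Dref-L would target on the 29th:", files_at_risk(SAMPLE_PATHS))
    print("SYSTEM.INI lines not in baseline:",
          system_ini_additions(CURRENT_SYSTEM_INI, BASELINE_SYSTEM_INI))
```

Run the module directly to see the report for the constructed snapshot; on a real host you would feed `scan_paths` a directory walk and pass the machine's actual Windows and System directories, and take the baseline SYSTEM.INI from a clean build of the same image.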