From Chrysalis to Caterpillar

Readers are advised to keep an eye cocked for Myba, a Love Letter variant. This VBScript worm has now been compiled into an .EXE. Infected email carries the subject "My baby pic !!!" and the message body "Its my animated baby picture !!", with MYBABYPIC.EXE attached. Running this file causes the worm to register itself in the Windows Registry and start mailing copies of itself to the addresses in your Windows Address Book.

Myba also includes a payload that has been known to toggle the NumLock, CapsLock and ScrollLock keys on and off, send ".IM_BESIDES_YOU_" to the keyboard buffer, and try to connect to http://www.youvebeenhack.com to transmit one of the messages "FROM BUGGER", "HAPPY VALENTINES DAY FROM BUGGER" or "HAPPY HALLOWEEN FROM BUGGER". The worm also scans your disk drives and overwrites files with the .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .PBL, .CPP, .PAS, .C, .H, .JPG, .JPEG, .MP2 and .MP3 extensions.

If you too have embraced the P2P 'revolution', then watch out, 'cos your days of freedom are past. Napster is on the verge of shutting down its free service to go 'legitimate'. And Gnutella, another Napster-style P2P network, has been targeted by a virus.

Skip the rest of this column if you don't have a P2P file-sharing client like Gnutella, Gnotella, BearShare, LimeWire or ToadNode installed. If you don't, Mandragore will not infect you. But if you plan to become personally involved in the Napster furore, then you must read on.

The Mandragore worm specifically targets Gnutella users. Strictly speaking, the virus abuses the service itself to gain entry to client (user) PCs. As early as May 2000, a researcher found that Gnutella's backbone had security holes ripe for exploitation. However, since the service is predominantly open source and is more a collection of server providers than a unified commercial entity, plugging the leaks took time.

This information was posted to the Bugtraq mailing list, from where a visitor took the time to program a small worm in assembly, about 8192 bytes long. Executing this infector causes it to register itself as an active node on the Gnutella network and intercept all file search requests. Mandragore answers every detected request, even if the file sought doesn't physically exist on the network, and what it returns is an .EXE version of the requested file. Since many file archives are distributed in self-extracting (.EXE) form, this renaming often doesn't raise a red flag.

To infect your PC (or node), the worm copies itself as GSPOT.EXE, a hidden system file, to the Windows Startup folder. Every time you boot up, the worm loads. Indications of infection are an increase in outgoing traffic and additional consumption of system resources. To avoid infection, avoid opening any .EXE file you haven't solicited, or any file that is 8192 bytes in size.
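As an added illustration of how the behaviour described above could be spotted from the network side (this is example code written for this column, not anything from the Bugtraq post or from a Gnutella client), the following Python scores each responding node on the worm's three tell-tale traits over a constructed set of query-hit records; the record format, node addresses and file names are assumptions.

```python
# Heuristic scoring of Gnutella query hits for Mandragore-style responders.
# Added example; the record format "<node> <query> <file> <size>" is a
# constructed assumption, not a real client log. The worm answers every search
# with an 8192-byte .EXE named after the query, so a node is scored on three
# traits: every hit is "<query>.exe", all hits share one size, it answers most queries.
from collections import defaultdict

MANDRAGORE_SIZE = 8192  # file size reported in the column

SAMPLE_HITS = """\
10.0.0.5 metallica metallica.exe 8192
10.0.0.5 winzip winzip.exe 8192
10.0.0.5 holiday_pics holiday_pics.exe 8192
10.0.0.9 metallica Metallica_-_One.mp3 4123456
10.0.0.9 winzip winzip80.exe 1052672
10.0.0.12 holiday_pics holiday_pics.zip 234567
"""  # constructed sample, not captured traffic

def parse_hits(text):
    """Parse whitespace-separated hit records into dicts."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            node, query, name, size = line.split()
            hits.append({"node": node, "query": query, "name": name, "size": int(size)})
    return hits

def suspicious_nodes(hits, min_hits=2, min_answer_ratio=0.75):
    """Return {node: [reasons]} for nodes showing at least two worm traits."""
    by_node = defaultdict(list)
    for h in hits:
        by_node[h["node"]].append(h)
    all_queries = {h["query"] for h in hits}
    flagged = {}
    for node, nh in by_node.items():
        if len(nh) < min_hits:
            continue  # too few hits to judge this node
        reasons = []
        if all(h["name"].lower() == h["query"].lower() + ".exe" for h in nh):
            reasons.append("every hit is <query>.exe")
        size = nh[0]["size"]
        if all(h["size"] == size for h in nh):
            tag = " (matches Mandragore)" if size == MANDRAGORE_SIZE else ""
            reasons.append("constant size %d%s" % (size, tag))
        ratio = len({h["query"] for h in nh}) / len(all_queries)
        if ratio >= min_answer_ratio:
            reasons.append("answers %.0f%% of queries" % (100 * ratio))
        if len(reasons) >= 2:
            flagged[node] = reasons
    return flagged
```

On the sample above only 10.0.0.5 is flagged, on all three traits; the legitimate responders return differently named, differently sized files and answer only the queries they actually hold.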

Govind Menon