NEWS FROM THE LAB - January 2005


Sunday, January 30, 2005

Sober up Posted by Mikko @ 21:24 GMT

A new Sober variant, Sober.J is going around, sending variable emails with English and German content. This one is also known as "Reblin" or "".

We're shipping an update right now.


Happy birthday, weblog! Posted by Mikko @ 08:12 GMT

We started this weblog on 30th of January 2004 - one year ago to the day.

We originally started this just to monitor Mydoom.A and the attack against SCO. We immediatly started getting good feedback, so we've kept the blog going and we're very happy with the results. And we always appreciate feedback via weblog at this domain.

1st post

Of course, when we started, this was the only weblog maintained by a viruslab. We were waiting how long it would take for McAfee or Symantec to follow suit...but they still haven't. The boys at Kaspersky Lab started their own blog in last October.

Nowadays our RSS feed gets over half a million hits a month. Which really doesn't tell us at all how many people really read us.

So, if you're reading this, please click here to help us figure out how many real readers we have. And thanks for reading.

With very best regards,
Viruslab staff


Friday, January 28, 2005

One sentence, one arrest Posted by Ero @ 20:31 GMT

Image copyright (c) Associated Press 2005

Jeffrey Lee Parson, the teenager responsible for a minor variant the Blaster worm has been sentenced to 18 months in prison after he pleaded guilty. More info here

In an unrelated, but worth mentioning case, a Spaniard was arrested on charges of creating and distributing an email worm we detect as Pawur, also known as Tasin. The case has never got too far outside the Spanish speaking world, as that was the language the worm used in its messages.


Thursday, January 27, 2005

Bagle.AY upgraded to level 2 Posted by Katrin @ 09:57 GMT

Due to the increased number of reports we just upgraded Bagle.AY to Radar Level 2.

This worm uses several different icons for the attachments it sends, such as these:



Breakfast with Bagle Posted by Katrin @ 08:11 GMT

Yet another new Bagle variant - Bagle.AY has been found from several different countries early morning on January 27th, 2005 EET. This variant is similar to the last evening Bagle.AX.

Wednesday, January 26, 2005

New Bagle found Posted by Katrin @ 18:58 GMT

We received a new Bagle variant, Bagle.AX. We haven't got too many reports of it so far.

Disinfection tool for Skulls trojan variants published. Posted by Jarno @ 13:24 GMT

Today we published a new disinfection tool for Symbian series 60 phones that is capable of disinfecting SymbOS/Skulls trojan variants from a phone, even if user has rebooted the phone.

Previously disinfecting Skulls infected phone was difficult if not impossible, especially with later variants that killed popular file managers. Basically the only way to disinfect the phone was to use Epocware PC file manager that, which unfortunately did not work with most phones. Or reformat the phone, which of course destroyed all data in the phone.

F-Skulls tool is able to disinfect phone even if the Skulls has locked the phone completely. The disinfection is done by installing the F-Skulls into a memory card with a clean phone. And then inserting the card with F-Skulls into infected phone and booting, during boot up the F-Skulls frees the critical system files so that use can access menu again and install an Anti-Virus for full disinfection.

So the disinfection still requires help of a clean phone, but is much preferable compared to having to reformat the phone.


One particular outbreak a year ago Posted by Sami @ 08:25 GMT

Today is the anniversary of the Mydoom.A outbreak - the worst email outbreak in the history.

This incident, which started on January 26th 2004, bypassed even the Sobig.F epidemic of 2003. At its worst, a major part of all email traffic globally was caused by Mydoom.A. The worm generated over 100 million emails just during the first day of the outbreak.

Mydoom performed a denial-of-service attack on between February 1st and 12th, 2004. This attack, which was arguably the largest DDoS case in history, kept the target website down for weeks.

We first warned about the Mydoom worm on January 26th, at 23:05 GMT by issuing a Radar Level 2 Alert. About four minutes later we shipped detection for the worm. The Radar Level was raised to Radar Level 1 three hours later. This is the highest level we have.

Following Mydoom.A there was the infamous virus war between the Mydoom, Bagle and Netsky.



Tuesday, January 25, 2005

Status update on the new Mydoom.AM Posted by Katrin @ 12:07 GMT

At the moment we are not seeing activity of the new Mydoom.AM. This might change as it was seeded.

New Mydoom outbreak? Posted by Katrin @ 04:57 GMT

Seems a new Mydoom variant (Mydoom.AM) started it's spreading. The first report we got from Australia.

More information will be available later.


Monday, January 24, 2005

Three short mobile news Posted by Jarno @ 11:42 GMT

1. Good news! F-Secure has been selected to receive the 2004 Frost & Sullivan Technology Innovation Award for F-Secure Mobile Anti-virus.

link to award page

2. Marcos Velasco continues presenting in public, this time in The New York Times

article with photo (needs registration)

reprinted in (no registration needed)

3. Our contact in Brazil informed us that actually writing a virus IS illegal in Brazil. We hope that Brazil authorities take action in case Velasco.


Sunday, January 23, 2005

Honestly, judge: the virus ate my homework Posted by Mikko @ 19:32 GMT

We've just heard of another computer crime case where the suspect has taken the "virus did it" defense.

According to local UK media, 33-year old Mark Craney was found guilty on charges related to child porn. Craney admitted there were images of children on his computer, but claimed: "I have got a virus from Broadband."

We've seen this before...cases where the defense claims that either a virus or a trojan has somehow planted the incriminating evidence on the suspect's system.

Indeed, we've operated as an expert in two such court cases lately. Although "virus did it" sounds like a lame excuse, in one of these cases a virus actually really did have something to do with the evidence.


Friday, January 21, 2005

Spammers sue a person who complained about them Posted by Alexey @ 11:22 GMT

We've got information about quite an interesting case: apparently spammers are suing a person who complained about their actions. That person, whose name is Jay Stuler writes on his webpage:

  Since at least April 2003 I have been receiving unsolicited bulk email (spam) from this group.
  As all spam experts will recommend, I complained to the ISP(s) supporting these spammers.
  As spamming is against the Terms of Service of almost every ISP, the spammers found themselves losing their accounts.
  They apparently are angry that spamming has become difficult for them and blame me.
  I believe this is a frivilous lawsuit designed to harass and intimidate.
  If I can be sued simply for complaining about spammers, then anyone can be.

Jay is now collecting money to defend himself against spammers. The court's decision for this lawsuit is important, because if spammers win the lawsuit, the whole fight against them might become a dangerous business.


Thursday, January 20, 2005

MSN worm Bropia.A Posted by Katrin @ 09:24 GMT

A new MSN worm Bropia.A was found. It sends itself as "Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif" or "love_me.pif". The worm also drops a variant of Rbot.

Wednesday, January 19, 2005

Virus writer who has no shame Posted by Mikko @ 11:06 GMT

Virus writing should be illegal.

And it should be illegal globally.

Mr. Marcos Velasco. Image from
When it's not, we get problems like this: Mr. Marcos Velasco from Brazil is completely openly writing viruses and making them available from his website to anyone, anywhere in the world. Apparently this is not illegal in Brazil.

So any kid, any lunatic, any anarchist anywhere can download all his viruses complete with sourcecode and do whatever they want with them.

And Mr. Velasco has no problem with this. In fact, he has just given an interview about his activities to a Finnish magazine ITViikko. The interview has been published in English on

Writing viruses is wrong. Distributing them is even worse. It should be illegal, too.


Tuesday, January 18, 2005

Porn site fighting back at Mydoom Posted by Mikko @ 18:38 GMT

Latest variant of Mydoom was going around during the weekend.

One of the messages posted by this virus loaded images from a porn site, and made the message look like the infected attachment actually contained info on how to access such a site:


So, we contacted the administrators of this site and explained what was going on. We adviced them to stop using these specific images shown by the virus and replace them with an image with a warning of some kind.

Well, the good admins at have now done just that. The messages sent by Mydoom now look like this:


PS. For something slightly different; today's Washington Post contains an interesting article on phishing by Brian Krebs.

PS2. Kaspersky Lab's weblog just reported the first sighting of Cabir worm in UK.


Zar worm uses tsunami tragedy Posted by Katrin @ 07:34 GMT

A new mass mailer known as Zar.A or VBSun was found. The worm uses the tsunami tragedy. It sends itself in emails with the following content:

Subject line: Tsunami Donation! Please help!
Message Body:Please help us with your donation and view the attachment below!We need you!
Attachment: tsunami.exe

We detect this worm with the updates published on January 16th.


Monday, January 17, 2005

Outrageous Red Cross scam site taken down Posted by Mikko @ 04:00 GMT

A really outrageous scam website operated over the weekend. This one was running at and was trying to cash in on the tsunami disaster by appearing to be a Red Cross donation site. The site asked for credit card donations (it also asked for your credit card PIN code which should be a sure-fire sign to everybody of a scam).

The site is down now. Hopefully the damage was minimal, as the whole domain was registered just two days ago, late in the evening of Saturday the 15th.

Here's a screenshot of the fake site:

Here's the real Red Cross.

In related news, late last week FBI arrested Matthew Schmieder for sending out hundreds of thousands of emails claiming to be raising money for tsunami aid.


Sunday, January 16, 2005

Clarification on the spam book case Posted by Mikko @ 15:55 GMT

Couple of days ago we mentioned how a security book was apparently being advertised on a web forum made for spammers, by spammers.

The publisher of the book contacted us to clarify the situation. We'll print their comment here in it's entirety.

syngress comment


Saturday, January 15, 2005

First Mydoom of the year Posted by Mikko @ 20:42 GMT

Apparently we have a new Mydoom in our hands...sending various different types of messages with EXE, SCR or PIF attachments (31774 bytes) or a ZIP (variable size).

The message bodies we've seen so far include these ones:

The message contains Unicode characters and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

As well as this one, which is quite different from traditional Mydoom messages:


So far this outbreak doesn't look to bad...but hey, it's a weekend, and sensible people don't read their emails.


Friday, January 14, 2005

Benny interviewed again Posted by Mikko @ 13:21 GMT

Image Copyright (c) CNET
Virus writer Benny - who has apperead several times in our weblog - has apparently again given an interview for international media.

This time he's speaking with Robert Lemos from CNET.

Full article is here.


Thursday, January 13, 2005

Camera phone images stolen by a hacker Posted by Mikko @ 13:00 GMT

A court case will start in USA next month relating to an incident where a Californian hacker infiltrated the network of a mobile phone operator. Once in the system, he had access to various kinds of information, including photos taken with cell phone cameras of the operator's users.

The photos stolen via this route included private snapshots taken by celebrities such as Demi Moore, Nicole Richie, Paris Hilton and Ashton Kutcher.

More details from an interesting article written by Kevin Poulsen.


Wednesday, January 12, 2005

Antivirus vendor suing Posted by Mikko @ 16:39 GMT

There's an ongoing court case in France between Tegam International (French Antivirus vendor) and Guillaume Tena (aka Guillermito). The case is about Mr. Tena finding and publishing possible security vulnerabilities in ViGuard, an antivirus product made by Tegam.

Read both sides of the story; Tegam's version and Mr. Tena's version.

More on the court case at


Tuesday, January 11, 2005

Microsoft's January security updates Posted by Ero @ 18:29 GMT

The first security fixes of the year, MS05-001, MS05-002 and MS05-003 have been released today.

MS05-001, MS05-002 are rated as critical , both fixing Remote Code Execution vulnerabilities. One involving HTML help and another the Icon and Cursor format handling.

The MS05-003 is rated as important and fixes an Elevation of Privilege vulnerability.

The vulnerability fixed by MS05-001 has already been used by the Phel malware. Information about this vulnerability, CAN-2004-1043, can be found here.

Both MS05-001 and MS05-002 might provide new ways for malware to enter the users' computers, so we encourage to apply such fixes as soon as possible.


Would you advertise on spammer's website? Posted by Mikko @ 14:21 GMT

Brian McWilliams has an interesting editorial out at This is about advertising an antispam book on a spammer forum.

And for something completely different: A blog called Search Engine Trend Watcher is following the progress of Santy worm here (thanks, Leigh!).

Image from


Advice from Bluetooth special interest group Posted by Mikko @ 14:07 GMT

Following the release of the source code for the Cabir worm and the Bloover software, Bluetooth SIG has published guidelines for secure use of Bluetooth technology.

The group suggests that users should be alert and use the technology resources to keep devices safe.

The full advisory is available from


Monday, January 10, 2005

New Symbian malware that is both virus and worm Posted by Jarno @ 13:50 GMT

Today we have received a new Symbian malware that combines two spreading tactics, which is common in PC malware but previously unheard of in mobile systems.

Lasco.A spreads itself by searching all SIS installation files in the infected device, and inserts itself as embedded SIS file into them. Thus any SIS file in the device that gets copied to another phone, as frequently happens as people swap software, will also contain a copy of Lasco.A.

In addition to spreading in infected SIS files, Lasco.A will also spread by sending itself directly via bluetooth like Cabir worms do, and Lasco.A will be able to spread from one device to another without a reboot

Lasco.A is detected by F-Secure Mobile Anti-Virus with database build 23. We have no reports of this virus being in the wild. Yet.


Virus Bulletin 2005 call for papers Posted by Mikko @ 10:28 GMT

Virus Bulletin has opened call for papers for the next Virus Bulletin conference. VB is the most important conference for the antivirus industry.

People from our viruslab has presented papers regularily in VB since 1994, and we will be submitting something for this year too. However, we urge all competent readers (you know who you are) to consider to send in your own abstracts, even if the topic is not focusing exactly on viruses alone - it's always refreshing to see new talent in a conference like this.

VB2005 will be held in Dublin in the beginning of October.

Speaker row from Virus Bulletin 2003 in Toronto


Friday, January 7, 2005

Don't fall for tsunami scams Posted by Mikko @ 11:48 GMT

Unfortunately scammers on the internet are trying to cash in on the tsunami tragedy in Asia. We've received some reports of advance-fee fraud cases that are set on this backdrop. These are the typical 419 scams, except instead of talking about a military coups or revolutions they talk about the earthquake and the tsunami.

As there have only been some isolated reports, this is not a huge problem, at least not yet.

Here are some samples of tsunami email scams so you know what to watch out for: case one, two & three.


Thursday, January 6, 2005

More security audio resources Posted by Mikko @ 09:20 GMT

iPod with Bruce Schneier interview from IT Conversations playing
Couple of weeks ago we asked you for sources of data security -related audio. Thanks for the several suggestions!

They included:

NANOG meetings (most of which are available as Real streams)
Rootsecure audio section (available also as Podcast feed)
2600 Off The Hook (with archives of the show starting from 1988!)
Help Net Security (in Flash audio and MP3 formats) (several interesting MP3 files available)

And here's a relisting of the audio resources we mentioned earlier:

IT Conversations
Black Hat Briefings
Vmyths rants


Tuesday, January 4, 2005

Original Cabir source code released too Posted by Mikko @ 13:36 GMT

Cabir source
We've just learned that the 29A virus group has released the original source code of the Cabir.A phone worm.

There's a lot of source code for mobile malware floating around in the underground right now. This might mean even more new variants will pop up in the near future.

Some comments in the Cabir.A source code include:

  Caribe was writted in c++.
  Symbian/nokia is giving us a complete sdk for
  developing applications for symbian operating system.

  Bluetooh is free, and the receiver will be a apropiated target.
  The problem is bluetooth needs to have near the target (10 meters radio).
  Progagation scenaries will be trains,restaurants, etc...


Monday, January 3, 2005

New Skulls variant detected Posted by Jarno @ 13:12 GMT

Skulls animation

We have received a new sample of the Skulls trojan, which affects Symbian Series 60 phones. Skulls.D is quite similar to other Skulls variants.

Original Skulls replaced icons with an image of a skull. Skulls.D goes one step further and shows a full-screen sized flashing skull. This is shown when the phone is rebooted.

Like earlier Skulls variants F-Secure Mobile Anti-Virus was already capable of detecting the Skulls.D with generic detection even before we got the first sample of this from a customer. Skulls is a trojan, so it doesn't spread further from affected phones.

The picture that the trojan shows contains this text: "WARNING!!! Device Have been Attact By Virus".



Sunday, January 2, 2005

Anti-Santy-Worm dying out Posted by Mikko @ 07:40 GMT

Abuse message
We haven't been getting more reports of the Anti-Santy-Worm (aka Net-Worm.Perl.Asan.a), so the outbreak seems to have died out.

There's a lot of PHP activity going around. Once again a Brazilian bot herder group has been active, this time with another Spyki variant (Net-Worm.Spyki.d). This one scans for almost 50 different known PHP weaknesses, vulnerabilities or common coding mistakes in order to find web sites to infect.

Infected machines have an IRC bot installed to them, and will try to connect to channel #perl on a server named "". However, since this morning that address has resolved to So at least this botnet is effectively down for now.

This variant is hosting it's files at, which seems to be an abandoned website now taken over by this group.