Sunday, May 30, 2004

New papers Posted by Mikko @ 22:01 GMT

Here are links to two interesting virus-related papers released recently:
"A worst case worm", by Nicholas Weaver and Vern Paxson (and Stuart Staniford) - these are some of the most respected researchers on worm spreading theory.

In this paper they speculate that a worst-case worm could cause $50 billion or more in damage by attacking Microsoft Windows systems and carrying a destructive payload.
"Is Microsoft a threat to National Security? The effect of technology monocultures on critical infrastructure", by Gorman, Kulkarni, Schintler and Stough at George Mason University.

To balance the previous paper, this research shows that while Windows worms can be really expensive, they don't necessarily take down the world.


Friday, May 28, 2004

Korgo keeps going Posted by Mikko @ 21:44 GMT

The Korgo network worm keeps spreading actively, and it's aggressively stealing user information from infected machines. It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords). It also logs everything the user types to any web form - this will collect lots of credit card numbers, passwords etc.

If you've been infected by Korgo, change your passwords and cancel your credit cards. Especially the ones you've used during last week. This is not a joke.


One more bust! Posted by Mikko @ 06:31 GMT

One more bust. This time it's Mr. Wang An-ping, who was arrested in Kaohsiung, Taiwan.

Mr. Wang is being charged with writing and distributing the Peep backdoor. Peep is a remote access trojan, similar to Netbus and Back Orifice. It consists of client and server parts.

The client part is graphical, and operates in Chinese:

Main window of Peepviewer

So over the last three weeks we have:

- Several arrests in Germany on Sasser,
- Several arrests in Germany on Agobot
- One arrest in Canada on Randex
- One arrest in Taiwan, on Peep

...and we are aware of at least one virus investigation against an active virus group.

Heck, if things continue at this pace, we can soon retire.

According to the China Post Magazine, "Wang, a bachelor, said he spent most of his free time on designing software programs and surfing the Internet. He had intended to sell the 'Peep' system but couldn't find a buyer."

Wang, who is 30 years old, was arrested last week by the CIB, the Taiwan Criminal Investigation Bureau.


Thursday, May 27, 2004

Virusbusting weeks continue Posted by Mikko @ 05:49 GMT

Good news. In addition to the recent Sasser arrests and the Agobot arrest in Germany, the Royal Canadian Mounted Police yesterday arrested a 16-year-old Canadian, charging him with creating the Randex worm family.

The suspect's name is not being released, under the Canadian Youth Criminal Justice Act.

This should be interesting, as Randex-generated proxy networks have been known to be resold to spammers for spamming purposes. This was proved in February by two c't researchers who went underground and actually purchased such networks.


Wednesday, May 26, 2004

Antivirus defense-in-depth guide Posted by Mikko @ 07:35 GMT

Microsoft has released a thorough public document titled Solutions for Security - The Antivirus Defense-in-Depth Guide. This is a 90-page document detailing the current threats and background, how to deploy antivirus protection for corporate use and how to control virus outbreaks. It's a pretty good document (yeah, we helped review it).

The file is available for download from Microsoft Technet. I just can't figure out why a PDF file has to be installed before it can be viewed.


Monday, May 24, 2004

Both Korgo worm variants are detected Posted by Alexey @ 16:14 GMT

F-Secure Anti-Virus detects both Korgo worm variants with the latest (2004-05-24_02) updates. The worm variants are detected as 'Worm.Win32.Padobot' and 'Worm.Win32.Padobot.b'.

Sunday, May 23, 2004

Another LSASS worm Posted by Mikko @ 22:12 GMT

Yet another new worm using the LSASS vulnerability has been found...but this one doesn't seem to be spreading much. Known as "Korgo", this one tries to connect all infected hosts to IRC channels for remote control.

Friday, May 21, 2004

New Mydoom variant found Posted by Alexey @ 15:57 GMT

We have received a new Mydoom worm variant - Mydoom.K. Detection will be added shortly.

New Netsky variant that drops a Bugbear's keylogger found Posted by Alexey @ 14:42 GMT

Despite the arrest of the Netsky worm's author, new worm variants keep coming. We have received a sample of a new variant, Netsky.AD.

Even more interesting is the fact that the new Netsky drops a keylogger used by the Bugbear worm onto the infected system.


More on the Bobax worms Posted by Mikko @ 11:51 GMT

There are now four different versions of the Bobax worm. All of them are used by spammers and controlled through a handful of websites. Some of the variants now even do bandwidth testing to find the most useful machines for spammers to send their spam from.

Also, later variants in the family also spread through the RPC DCOM hole (135/TCP) in addition to the LSASS hole (445/TCP) - and they fingerprint target systems through UPnP (5000/TCP).

Fragment from Bobax body


Wednesday, May 19, 2004

New password stealer being spammed Posted by Mikko @ 12:30 GMT

We've received some reports of a new password stealer being spammed around the world. This one doesn't spread further, so it's not a virus. Once the user opens the attachment, a password stealer and a backdoor are installed on the system.

The emails look like this:

   From: [random email address]
   Subject: Important news about our soldiers in IRAQ!!!
   To: [random email address]

   Seven officers was lost today,
   follow the link to get the full story.


The mail links to a website that has nothing to do with the claimed story.


Tuesday, May 18, 2004

The weird traffic is generated by two worms Posted by Mikko @ 03:22 GMT

Turns out the Bobax worm also generates port 5000 traffic.

Unlike the SdtBot aka Kibuv worm (which is based on the SdBot family), Bobax does not try to infect machines through this port. It just uses it to fingerprint the target system.

Bobax is yet another spammer-related worm, creating networks of proxy machines that spam gangs can use to send unsolicited bulk email.

Right now we can't determine which of these two worms is generating more of the 5000/TCP traffic. Nevertheless, more than 400,000 IP addresses have been seen scanning for this port over the last days.


Monday, May 17, 2004

Port 5000/TCP traffic peaking Posted by Mikko @ 20:09 GMT

Port 5000 traffic has risen considerably over the past 24 hours. This port is used by the Universal Plug and Play (UPnP) service of Windows 98, Windows Me and Windows XP.

We're not sure if all of this traffic can be attributed to a new worm known as Kibuv or StdBot, but this new worm does scan for several known vulnerabilities, including the UPnP hole and the Sasser FTP server hole.

The traffic increase is pretty obvious in this graph from



Sunday, May 16, 2004

Bobax worm found Posted by Katrin @ 15:23 GMT

The Bobax worm has been found today. We published detection for it in update 2004-05-16_01.

More reports on Sober.G from Europe Posted by Katrin @ 11:10 GMT

We have seen an increased number of Sober.G reports during the weekend. It sends emails in both German and English with varying content. The attachment is an executable or a zip archive.

Saturday, May 15, 2004

Sober.G is not intended Posted by Alexey @ 21:48 GMT

We got a few reports about Sober.G spreading in the wild. After comparing samples taken from the worm's messages with the sample we had originally received and described, we found that our conclusion that Sober.G was an intended (non-spreading) variant was incorrect.

It happened because the sample we originally got was taken from an infected computer's Windows System folder and not from an e-mail message. The Sober worm has a "feature" of modifying the executable file it drops to the hard drive: it changes the byte at offset 0xA0 to 0x60 when its file is installed on a system. However, the file the worm sends out in e-mail messages has this byte zeroed. So the sample we originally received did not install itself properly and did not create the MIME-encoded files for spreading, because the worm "thought" it was already installed.

The failure of the worm to install itself properly and create the files necessary for its spreading drove us to the conclusion that the worm was intended. We are sorry for the confusion. The description of the worm will be updated shortly.
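The mix-up above is a general sample-triage problem: a worm that patches its own file on installation will hash differently on disk than in the mail, so an analyst comparing the two by hash sees "different samples". The following is an added example (not F-Secure's tooling) of how to classify and normalize such samples. It uses only the facts from the post (offset 0xA0, value 0x60 after installation, 0x00 in the mailed copy); the sample bytes are constructed filler, not worm code.

```python
"""Tell an installed Sober.G copy from the copy it mails out, and hash both the same way.

Added example, not F-Secure's code. Marker offset and values are from the
write-up; the sample bytes below are constructed filler, not worm code.
"""
import hashlib

MARK_OFFSET = 0xA0      # byte Sober rewrites when it installs itself
MARK_INSTALLED = 0x60   # value seen in the copy dropped into the System folder
MARK_MAILED = 0x00      # value in the copy sent out as an email attachment


def classify(sample: bytes) -> str:
    """Return 'installed', 'mailed' or 'unknown' depending on the marker byte."""
    if len(sample) <= MARK_OFFSET:
        raise ValueError("sample too short to carry the marker")
    return {MARK_INSTALLED: "installed", MARK_MAILED: "mailed"}.get(sample[MARK_OFFSET], "unknown")


def normalize(sample: bytes) -> bytes:
    """Reset the marker to the as-mailed value so disk and email copies compare equal.

    A sample already in mailed form (or with an unrecognised marker) is returned unchanged.
    """
    if classify(sample) != "installed":
        return sample
    buf = bytearray(sample)
    buf[MARK_OFFSET] = MARK_MAILED
    return bytes(buf)


def sha256(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def same_worm(a: bytes, b: bytes) -> bool:
    """Compare two samples while ignoring the installation marker."""
    return normalize(a) == normalize(b)


# Constructed stand-ins (not real Sober bytes): 512 bytes of filler that differ only at 0xA0.
_base = bytearray(bytes(range(256)) * 2)
_base[MARK_OFFSET] = MARK_MAILED
MAILED_COPY = bytes(_base)
_base[MARK_OFFSET] = MARK_INSTALLED
INSTALLED_COPY = bytes(_base)

if __name__ == "__main__":
    for name, sample in (("mailed", MAILED_COPY), ("installed", INSTALLED_COPY)):
        print(f"{name:9} classified={classify(sample):9} raw={sha256(sample)[:16]} "
              f"normalized={sha256(normalize(sample))[:16]}")
    print("same worm:", same_worm(MAILED_COPY, INSTALLED_COPY))
```

The raw hashes of the two copies differ, the normalized hashes match, and a sample with an unexpected marker value is reported as unknown rather than silently forced into one form.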

Friday, May 14, 2004

Worm-Eat-Worm Posted by Gergo @ 14:12 GMT

As we posted earlier, a vulnerability has been found in the Sasser worm's FTP server. A new worm that exploits the vulnerability appeared shortly after. Dabber spreads to computers which are already infected by the Sasser worm.

As a payload Dabber disables several different worms and installs a backdoor to the infected computer.


Thursday, May 13, 2004

New SDBot kills Sasser and installs security patches Posted by Alexey @ 16:30 GMT

It is quite a surprise to see that the latest SDBot.MD backdoor we received kills three Sasser variants and installs the KB835732 security patch for Windows 2000 and XP. However, it still remains a backdoor, because it allows remote access to the infected computer.

New SdBot variants Posted by Katrin @ 14:35 GMT

New SdBot variants were found in the wild today. They use different exploits, including the LSASS exploit (MS04-011), to spread to vulnerable computers. One of the side effects is that the infected computer reboots.

Run Windows Update to patch your systems now!


New Bagle variant discovered Posted by Alexey @ 10:41 GMT

We have received a new Bagle variant: Bagle.AC. This is a minor variant of Bagle.X and it only drops a newer Mitglieder proxy trojan variant.

Tuesday, May 11, 2004

Wallon worm is spreading Posted by Katrin @ 18:18 GMT

We received several reports of the Wallon worm this evening (mostly from Europe). Wallon sends HTML emails that contain a link to a web site. To disguise the real web location, it uses the Yahoo redirection service.


A new minor variant of Sasser Posted by Sami @ 10:59 GMT

A new slightly modified and repacked variant of Sasser has been found - Sasser.F.

Cycle: The new MS04-011 (LSASS) worm Posted by Gergo @ 07:56 GMT

A new worm exploiting the MS04-011 (LSASS.EXE) vulnerability has been found. It got the name W32/Cycle.A.

The analysis is underway and more detailed information will be posted soon.


Monday, May 10, 2004

Sasser exploit Posted by Gergo @ 15:22 GMT

The FTP server in the Sasser worm family has an apparent buffer overflow vulnerability. A small program has appeared on the Internet that exploits this vulnerability and opens a remote shell on TCP port 530 (by default).

The point of the exploit is unclear, considering that computers infected with the Sasser worm are most likely still vulnerable to MS04-011 anyway. On the other hand, exploiting a vulnerability in a virus is quite unusual.


Sasser.E screenshot Posted by Gergo @ 09:36 GMT

Unlike previous variants, Sasser.E displays a message two hours after the infection:

Sasser.E message


Sunday, May 9, 2004

Time lapse between Sasser.E and the arrest Posted by Mikko @ 19:44 GMT

We reported earlier that the first known case of Sasser.E was reported roughly 10 hours after the arrest of the author. After this several users have contacted us and reported seeing the worm even before that.

The arrest was done in Germany on Friday the 7th of May 2004 at 13:00 GMT (14:00 German time).

The earliest report of spotting Sasser.E we now know of was 3 hours and 45 minutes later, on Friday the 7th of May 2004 at 16:45 GMT (this was in east coast USA, with infection coming from Sweden).

However, since Sasser spreads really fast, there must be even earlier spottings...or Sasser.E was not released by the apprehended virus writer (Mr. "SJ").


Netsky and who's behind it Posted by Mikko @ 05:19 GMT

We at the F-Secure virus lab were surprised by the development where the group behind Netsky, the "SkyNet Antivirus Team from Russia", turned out to be one guy from Germany.

Let's go back and look at some of the texts embedded inside Netsky variants:

We want to destroy malware writers business, including MyDoom & Bagle.
This is the last version of our antivirus. The source code is available soon.

Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode.
We have rewritten *N*e*t*S*k*y.Our group will continue the war.
We are greeting all russia people!

We are the only SkyNet, we don't have any criminal inspirations.
and we aren't children.
Best regeards, the SkyNet Antivirus Team, Russia 05:11 P.M

Netsky is Skynet, a good software, Good guys behind it.
Thanks To all people in cz and russia.

Thanks to russia, and thanks to CCC for support. 09:34 A.M, Russia

etc, etc...

So, if all Netsky variants really were coming from a single source, all the discussion about a "team" and the references to Russia and the Czech Republic were just left there as misdirection. Which is nothing new. However, in this case there was also other circumstantial evidence pointing towards several different authors.

Apparently the caught teenager is co-operating with the German police. Hopefully we will hear the full story behind the whole saga eventually.


Phatbot author is also arrested Posted by Mikko @ 04:59 GMT

The Sasser arrest has been big news, of course. However, there was another, important arrest in Germany on Friday too: a 21-year old unemployed man linked to creating Phatbot / Agobot (or variants) was apprehended too. This was in Loerrach, Germany.

There seems to be no link between this guy and the Sasser author. Regardless of that, both arrests were synchronised to happen on Friday at 14:00 local time.

As reported here before, the source code of Phatbot has been floating around in the underground, so this arrest probably won't directly stop the flow of new variants. Indirectly it might have an effect, though. Hopefully the pressures among the virus writers are growing.


After the arrest, a new variant of Sasser found Posted by Mikko @ 04:49 GMT

New variant of Sasser has been found, even after the author has been apprehended. The first known case of Sasser.E was reported roughly 10 hours after the arrest.

We believe Mr. "SJ" (who has confessed to writing all the Sasser and Netsky variants) had distributed this version shortly before his arrest. He has been released on bail, but this was only after first reports of this new variant were in.

The E variant does not appear to be a hack done by someone else. For one, it tries to remove the Bagle worm, unlike earlier Sassers but just like many Netsky variants.


Saturday, May 8, 2004

The end of NetSky and Sasser saga? Posted by Ero @ 09:40 GMT

According to recent news, an 18-year-old has been arrested in northern Germany in relation to the Sasser worm:

The Australian
Google News

This may also be related to the creator/s of NetSky, as messages in the latest version of this worm claimed Sasser was created by the same group responsible for NetSky.

NetSky worms had launched DDoS attacks against German and Swiss educational and medical sites.

TV crew filming the home of the Sasser worm author (image copyright AFP)


Thursday, May 6, 2004

Links to the weblog Posted by Gergo @ 13:13 GMT

It is now possible to statically link to our weblog articles. All the article titles in the archives have been changed to links which can be copied for linking.

The archives are located at They are also accessible from the bottom of this page through the [ Older News >> ] link.


Wednesday, May 5, 2004

Sasser hits more sites Posted by Mikko @ 14:11 GMT

More and more news on organizations that have been hit by Sasser is coming out.

According to the sources quoted below, there have been Sasser-related problems in organizations and companies all over the world, including:

- County hospital in Lund, Sweden (5000 computers and X-ray equipment offline)
- European Commission in Brussels (1200 machines offline)
- Coastguard in UK (19 regional offices offline)
- British Airways in UK (flights delayed)
- Westpac Bank in Australia (offices and call centers closed)
- Post Office systems in Taiwan (1600 machines offline, 400 offices affected)
- Heathrow airport in UK (computers at one terminal offline)
- Public courts in Cantabria, Spain
- Hong Kong government systems
- State hospital of Hong Kong
- Suntrust Bank in USA
- American Express in USA
- Nova University in USA


Patching, patching and patching Posted by Mikko @ 13:22 GMT

Microsoft's update server was slowed down on Monday and was even briefly offline as massive amounts of users tried to get the latest patches to protect against the worm, reports Netcraft.

Microsoft update site performance, Image Copyright (c) Netcraft

Microsoft itself reports that almost four times more users are downloading security patches now than in autumn 2003. Which is great.


Tuesday, May 4, 2004

The Netsky-Sasser Connection Posted by Ero @ 17:12 GMT

In a previous entry we mentioned the claim by the NetSky.AC authors that they had also created Sasser. As proof they pointed to code shared between NetSky.V and Sasser.D, specifically the FTP function.

We took a look into it, and came up with the following visual example. The graphs below are control flow graphs (CFGs) of functions in the two worms' code. The text within the graph nodes shows calls to other functions and references to text strings.

The following image shows the Install function in both Sasser.D and Netsky.V.

Install functions (image)

PDF versions of both graphs are available here for NetSky.V Install function and here for Sasser.D Install function

The following image shows the FTP function in both Sasser.D and Netsky.V. The main difference is that in NetSky.V this function is called once, while in Sasser.D it runs as a thread. Therefore it is invoked differently and the initialisation is not the same. However, after this code, most of the function is basically identical. (It can be seen more clearly in the PDF files, Sasser.D FTP function and NetSky.V FTP function.)

FTP functions (image)


Sasser.D tool and workaround Posted by Gergo @ 13:15 GMT

The Sasser disinfection tool has been updated to remove Sasser.D. The tool is available from the description page.

If the tool finds an active infection it implements a workaround to prevent the constant reboots that make patching really difficult.

One side effect of the Sasser worm's spreading is that it crashes LSASS.EXE, which forces Windows to reboot. This makes it rather difficult to fetch and install the required security patch.

A simple workaround can be implemented to prevent LSASS.EXE from crashing. The following file must be created with the Read-Only attribute set:


where %SystemRoot% is the Windows Directory (typically C:\WINDOWS or C:\WINNT).

Since the MS04-011 vulnerability is in debug logging code, the vulnerable code path is not executed if the debug log file cannot be opened.

As said, the F-Sasser tool now creates this file automatically when run.


Loveletter birthday Posted by Mikko @ 09:53 GMT

Today it's been exactly four years since the outbreak of the Loveletter (aka ILOVEYOU) email worm. Together with the Melissa worm, Loveletter was among the first massive email virus outbreaks.

Back then email worms were a new concept and people were happily double-clicking on any attachments. In fact, many still are...anyway, this was way before any network worms (like Sasser) were found.


Monday, May 3, 2004

Sasser traffic Posted by Mikko @ 20:03 GMT

It's hard to figure out how much of the 445/TCP port traffic is created by the Sasser outbreak, as this is a pretty busy port always.

In any case, the number of computers scanning the net for this target port has risen over the last days from half a million to over 1.2 million, according to this graph from SANS:

Copyright (c) SANS


Info on Sasser.D Posted by Mikko @ 19:42 GMT

Another Sasser variant has been found, this one is known as Sasser.D. Main difference between Sasser.D and the earlier variants is that the main worm file is now named SKYNETAVE.EXE instead of AVSERVE.EXE or AVSERVE2.EXE.

Sasser.D is detected with our latest updates (2004-05-03_03), released two hours ago.


Disinfection tool for Sasser Posted by Gergo @ 12:28 GMT

The Sasser disinfection tool has been updated to disinfect Sasser versions A to C.

The tool is available from the description pages.


Sasser rumours Posted by Mikko @ 11:12 GMT

In August 2003, the Blaster worm outbreak disrupted bank systems as well as air and train traffic.

This seems to be happening all over again. According to the sources quoted below, there have been Sasser-related problems in at least three large banks. RailCorp rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded - the CEO of the company is quoted saying a virus might be the reason. Also, according to several sources, Delta Airlines had their planes grounded in the USA on Saturday for several hours because of a "computer glitch"...but this case has not been confirmed to be related to Sasser.



The Netsky Connection Posted by Mikko @ 05:18 GMT

New variant of Netsky (Netsky.AC, the 29th variant) was found last night. Nothing new in there.

However, this variant contains this text embedded in the code, which we will be posting publicly although we normally don't do this:

 Hey, av firms, do you know that we have programmed the sasser virus?!?.
 Yeah thats true! Why do you have named it sasser?
 A Tip: Compare the FTP-Server code with the one from Skynet.V!!!
 LooL! We are the Skynet...


About Sasser.C Posted by Mikko @ 05:00 GMT

Contrary to what we said earlier in the weblog, there are functional differences between Sasser.C and the earlier Sasser variants: it starts 1024 threads to scan for new vulnerable hosts instead of 128. This should make this variant spread faster. However, right now Sasser.B seems to be the biggest problem.

Also, Sasser.C was based on the B variant rather than A, i.e. the filenames it uses are AVSERVE2.EXE and WIN2.LOG.


Sunday, May 2, 2004

Sasser situation Posted by Mikko @ 16:59 GMT

We've received some reports of large corporations being hit in their internal networks. Otherwise things are still relatively calm. The main assumption remains that Monday morning will decide how bad this is going to get. We've talked to several large companies, and most of them had successfully installed the needed Windows patches before this weekend. Good news.

In the meanwhile, a minor repacked variant of Sasser.A has been found. For now, we detect it as Sasser.A, but it will be renamed later to Sasser.C. There are no functional differences in this version.

Microsoft has posted an ActiveX scanning tool on their Sasser infopage, which you can use to easily check online if you're infected or not. Then again, if you are infected, you might not make it to that page before your machine is rebooted again.

If you find yourself infected, you can use our Free F-Sasser Tool to clean the worm from your machine. You also need to install the Windows patches to prevent you from getting reinfected.

Also, about the rebooting problem: Windows XP users with the constant rebooting problem might want to try the "shutdown -a" Command Prompt command to abort an active reboot countdown.

In other news, we've also sent out a public alert on the situation.

People will be starting their working day in Sydney in five hours from now...


Sasser.B Posted by Mikko @ 06:25 GMT

We're now getting reports of both Sasser.A and Sasser.B.

The B variant was also found during yesterday. This is when we got the first reports of these variants:
- Sasser.A around 02:00 GMT on May 1st
- Sasser.B around 16:00 GMT on May 1st

Both are detected by current F-Secure Antivirus updates, but the most important thing right now is to get the latest patches from Microsoft.

Sasser.B is a minor variant of Sasser.A, with identical length and functionality. The binary image looks different and the dropped filename has been changed from AVSERVE.EXE to AVSERVE2.EXE. Also the logfile name is now WIN2.LOG instead of WIN.LOG.

Microsoft has posted information on the case, with step-by-step mitigation instructions:


Jigsaw Piece - 157 Posted by Mikko @ 06:25 GMT


Saturday, May 1, 2004

Sasser is not out of control Posted by Mikko @ 09:39 GMT

You would expect a new automatic network worm like Sasser to hit even harder than it seems to be hitting right now. Of course, it's the weekend, but most infected machines would be home computers, many of which are always on and online.

Sasser could be compared to the Blaster/Lovsan outbreak last August in many ways. Both are automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to the newly infected host.

Also, both worms cause unpatched machines to start rebooting. With Sasser, users typically see something like this:


Blaster was a massive case, partly because the patch was only available for 32 days before the outbreak started - and that was during best holiday season. With Sasser, the time difference between the patch and the worm was just 18 days.

But the bottom line is that although Sasser starts several threads which constantly scan random addresses with minimal time delay, we aren't seeing massive amounts of infections. Not yet anyway.


More info on Sasser Posted by Mikko @ 07:29 GMT

We now detect this worm with our latest updates (2004-05-01_01).

The vulnerability used by Sasser is a buffer overrun in Windows' Local Security Authority Subsystem Service (LSASS), and it affects all machines that:

- Run Windows XP or Windows 2000
- Have not been patched against this vulnerability (MS04-011)
- Are connected to the internet without a firewall

It scans random IP addresses, targeting TCP port 445.

After infection it opens a shell that listens on TCP port 9996.

The newly exploited host then downloads the actual worm code through an FTP connection to TCP port 5554 on the attacking machine.
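The three ports above (445 scanned outbound, 9996 and 5554 opened on the victim) are enough to spot Sasser activity from ordinary firewall and netstat data, and the same counting logic covers the 135/TCP and 5000/TCP scanning described for Bobax and Kibuv earlier in this page. The following is an added example (not F-Secure's or Microsoft's code): the log format, addresses and netstat excerpt are constructed for illustration, and the port numbers are the ones given in the posts.

```python
"""Flag Sasser-style LSASS scanning and Sasser's listening ports.

Added example, not code from F-Secure or Microsoft. The firewall log
format ("timestamp src dst dport") and the addresses are constructed;
the port numbers come from the write-ups on this page.
"""
import re
from collections import defaultdict

# Destination ports worth counting per source, and what a burst on each suggests.
WATCHED_PORTS = {
    445: "LSASS / MS04-011 scanning (Sasser, Korgo, Cycle, Bobax)",
    135: "RPC DCOM / MS03-026 scanning (Blaster, later Bobax variants)",
    5000: "UPnP probing (Kibuv, Bobax fingerprinting)",
}

# Ports Sasser opens on the infected host itself.
SASSER_LISTENERS = {9996: "remote shell", 5554: "FTP server for worm download"}

LOG_LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)$")
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def _constructed_log() -> str:
    """Constructed outbound-connection log, one 'timestamp src dst dport' per line."""
    lines = []
    # 10.0.0.7 behaves like Sasser: one connection to each of 10 hosts on 445/TCP.
    lines += [f"2004-05-01T02:00:{i:02d} 10.0.0.7 198.51.100.{10 + i} 445" for i in range(10)]
    # 10.0.0.9 probes 9 hosts on 5000/TCP (Bobax/Kibuv style) and only 3 on 445.
    lines += [f"2004-05-17T20:00:{i:02d} 10.0.0.9 203.0.113.{20 + i} 5000" for i in range(9)]
    lines += [f"2004-05-17T20:01:{i:02d} 10.0.0.9 203.0.113.{40 + i} 445" for i in range(3)]
    # 10.0.0.3 is a normal client: web traffic plus a single file-server connection.
    lines += ["2004-05-01T02:05:00 10.0.0.3 192.0.2.80 80",
              "2004-05-01T02:05:01 10.0.0.3 192.0.2.81 80",
              "2004-05-01T02:05:02 10.0.0.3 10.0.0.2 445"]
    # Repeated hits on a host already seen must not inflate the distinct count.
    lines += ["2004-05-01T02:00:30 10.0.0.7 198.51.100.10 445"] * 2
    return "\n".join(lines)


def find_scanners(log_text: str, threshold: int = 8) -> dict:
    """Return {src: {port: distinct_destinations}} for sources that reached at
    least `threshold` distinct destinations on a watched port."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unexpected format: skip rather than guess
        _, src, dst, port = m.groups()
        if int(port) in WATCHED_PORTS:
            seen[src][int(port)].add(dst)
    return {
        src: {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= threshold}
        for src, ports in seen.items()
        if any(len(dsts) >= threshold for dsts in ports.values())
    }


def sasser_listeners(netstat_text: str) -> dict:
    """Return the Sasser ports that show up as LISTENING in 'netstat -an' output."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) in SASSER_LISTENERS:
            found[int(m.group(1))] = SASSER_LISTENERS[int(m.group(1))]
    return found


def looks_like_sasser(netstat_text: str) -> bool:
    """Only the combination of shell port and FTP port is treated as a hit."""
    return set(sasser_listeners(netstat_text)) == set(SASSER_LISTENERS)


# Constructed 'netstat -an' excerpt from an infected Windows XP host (not a real capture).
NETSTAT_INFECTED = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    10.0.0.7:1085          198.51.100.12:445      SYN_SENT
"""

if __name__ == "__main__":
    for src, ports in find_scanners(_constructed_log()).items():
        for port, n in ports.items():
            print(f"{src}: {n} distinct hosts on {port}/TCP -> {WATCHED_PORTS[port]}")
    print("Sasser listeners:", sasser_listeners(NETSTAT_INFECTED))
    print("looks like Sasser:", looks_like_sasser(NETSTAT_INFECTED))
```

The threshold is a tuning knob: 445/TCP is a busy port on any Windows network (as the "Sasser traffic" post below notes), so the count is of distinct destinations per source, not raw connections, and a single host talking to its file server never trips it.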


Sasser Internet worm is spreading Posted by Katrin @ 07:02 GMT

A new Internet worm, Sasser, is spreading through the LSASS vulnerability without user assistance. There is no detection yet, but one sign of infection seems to be the existence of a file named C:\WIN.LOG on the target system.

See the Microsoft Bulletin for more info on the vulnerability, and run Windows Update to patch your systems now.