NEWS FROM THE LAB - August 2004


Tuesday, August 31, 2004

More details on Bagle.AK Posted by Alexey @ 21:48 GMT

The e-mail that Bagle.AK was spammed in contains an archive named FOTO.ZIP. Inside there's an HTML file and an EXE file named FOTO.EXE. This EXE file is a dropper. It drops and activates a DLL file that kills processes belonging to updating components of several anti-virus programs.

After this it tries to connect to 131 different websites and to download a file named B.JPG from them. The URLs are hardcoded in the program's body. So far we have not been able to get the contents of that file for investigation. The sites are either down or the file is simply not there.


New Bagle.AK has been spammed Posted by Katrin @ 21:07 GMT

A new Bagle dropper and downloader has been spammed. It arrives in email with subject and email body "foto" and attachment called

We've published detection for all components of this malware in update Version=2004-08-31_03


Happy Birthday, Internet! Posted by Mikko @ 09:30 GMT

Internet will be 35 years old tomorrow.

Or, in fact, ARPANET will be.

And ARPANET isn't actually exactly the same thing as internet...

It wasn't even using TCP/IP but NCP (TCP/IP had not yet been invented, of course).

But Happy Birthday, anyway!

For more, see an article at CircleID.


Monday, August 30, 2004

How to protect your Series 60 phone from Cabir Posted by Jarno @ 10:23 GMT

Cabir is able to send infected files only to devices that have their Bluetooth in discoverable (visible) mode. So simply setting your phone into non-discoverable (hidden) mode is enough to prevent Cabir from trying to send you infected caribe.sis files.

Do note that we have no reports of Cabir spreading outside the Philippines - and even those reports have not been confirmed.

Image of Nokia 6600 with Cabir-safe settings.


Friday, August 27, 2004

New information about how Cabir spreads. Posted by Jarno @ 13:31 GMT

As seen from the previous blog entries, we have received second-hand reports of Cabir being spotted in the Philippines.

So we decided to go into a high-security RF-shielded area and do an extensive study on how Cabir replicates. What we found is interesting and changes predictions on how Cabir would spread if it's in the wild.


Operation of the Cabir worm is fully independent from the GSM side of phones based on Symbian Series 60. The worm actually starts spreading even when the phone has just been started and the user has not entered the PIN code yet.

However, the Cabir worm is capable of sending infected SIS files to only one phone per activation. So when Cabir is installed for the first time or the phone is restarted, the worm will look for the first Bluetooth device it can find and keep sending repeated messages to that device, effectively locking on to that phone.

When Cabir infects another Series 60 phone, this newly infected phone will start sending messages back to the phone that sent it the SIS file, even when that phone is no longer in range. This forms a 'tar pit': neither infected phone will look for new targets before it is rebooted.

This means that the only scenario where Cabir can spread is one where the phone that sent the infected SIS file to the new target is out of Bluetooth range before the user activates Cabir on the new phone (answers "Yes" to the installation query). This would happen, for example, in a busy street where people walk past and are out of range before the user of the phone that received Cabir activates it.

Cabir will also try to replicate to a new host every time the phone is rebooted. So SymbOS/Cabir is capable of spreading - but not very quickly.

Cabir can infect only phones that are in discoverable mode, so setting your phone into hidden mode in the Bluetooth settings will protect you from the Cabir worm.


Online criminals caught Posted by Mikko @ 07:10 GMT

The news announcement from the US Department of Justice from last night makes a fascinating read.

The DOJ has finished a three-month operation, during which they investigated a wide range of online crime, from phishing cases to DDoS extortion, botnet operations and spamming.

Some sample cases:

- Case Calin Mateias aka "Metal". A Romanian hacker who hacked Ingram Micro's online ordering system to steal hardware worth over $10 million

- A Ukrainian hacker, who was selling stolen credit card numbers by the thousands over IRC chats

- A Romanian gang selling non-existing goods in online auctions

- Mr. Jay Echouafni, the CEO of satellite receiver reseller Orbit Communication was charged for hiring hackers to launch DDoS attacks against their competitors. The idea was to take down the online ordering systems of other large satellite operators.

Things like these are really happening out there. In fact, we're currently aware of one DDoS attack apparently arranged by a company specializing in clip-art graphics (of all things) against their competitor.


Thursday, August 26, 2004

No signs of E-Jihad so far Posted by Mikko @ 11:38 GMT


As we forecasted yesterday, there have been no major internet-wide incidents today (so far).

We will continue monitoring, but most likely the boasting about "E-Jihad" attacks this Thursday was just hot air.

Unbelievable as it is, we actually got two queries asking if we saw any connection with the two plane crashes in Russia and with these rumoured E-Jihad attacks. No, we did not see any connection.


Wednesday, August 25, 2004

Internet attack on Thursday? Posted by Mikko @ 11:33 GMT


Kaspersky Lab has been quoted at a press conference forecasting a major internet attack ("E-Jihad") to happen tomorrow.

At this press conference, Kaspersky cited the fact that a number of Arabic and Hebrew language websites contained an announcement of an 'electronic jihad' against Israel, to start on 26th August 2004.

We don't think anything really major will happen. Why would anybody announce an attack like this beforehand?

So we'll see. Most likely we won't see much.


Monday, August 23, 2004

Cabir possibly in the wild Posted by Mikko @ 08:07 GMT

We've heard rumours from two different sources that the Cabir mobile phone virus would be in the wild.

We've been unable to confirm this so far, but in any case we're recommending that users of all mobile phones with the Symbian Series 60 operating system keep their Bluetooth in non-discoverable mode. If you don't understand what this means, just turn off Bluetooth.

This includes phones from manufacturers such as Nokia, Siemens, Panasonic and Sendo.


Cabir is the first mobile phone virus in history. It was originally discovered in the middle of June 2004, but it has never been seen in the wild. It attempts to spread over Bluetooth connections to compatible phones nearby.


For more information, see the Cabir description.


Thursday, August 19, 2004

Alternative data streams on your drive? Posted by Mikko @ 13:19 GMT

We've received some questions from users on why they are seeing new streams in their files lately. Alternative Data Streams (aka ADS) are hidden data areas that can be attached to any file on an NTFS drive. They are accessed via a filename like normal-file.txt:hiddenstreamdata.

Turns out SP2 for Windows XP changes how Internet Explorer and Outlook tag files when you download them from the internet and save them to your hard drive. They add a new stream called Zone.Identifier to the file.

Typical content of such stream would be:


You can find streams in your files with tools like LADS from Heysoft.


Another common stream you're likely to find is called AFP_AFPINFO. Also, some picture tools like to create streams in image files.

Streams are used by many viruses, too. This includes Potok, Stream and several variants of Dumaru and the Afcore trojan.
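The Zone.Identifier stream described above, as an added example that is not part of the original post: a Python snippet that parses the stream's INI-style contents and, on Windows, reads it straight from a file by opening `name:Zone.Identifier`. The sample stream text is constructed here, and the ZONE_NAMES table is the Windows URL security zone numbering (3 = Internet, the value a download from the web normally carries).

```python
import configparser
import sys

# Windows URL security zone ids as written into ZoneId.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a Zone.Identifier stream typically holds.
SAMPLE_ZONE_IDENTIFIER = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return (zone_id, zone_name) from Zone.Identifier stream contents.

    The stream is INI-formatted with a single [ZoneTransfer] section.
    Returns None when there is no usable section or ZoneId key."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone_id = cp.getint("ZoneTransfer", "ZoneId")
    return zone_id, ZONE_NAMES.get(zone_id, "Unknown")


def read_zone_identifier(path):
    """Read the Zone.Identifier stream attached to `path` on an NTFS volume.

    Alternate streams open with the ordinary open() call once
    ':<stream name>' is appended to the file name. Returns None when the
    file carries no such stream, the volume is not NTFS, or we are not
    running on Windows at all."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def is_downloaded_from_internet(text):
    """True when the stream marks the file as Internet or Restricted Sites."""
    parsed = parse_zone_identifier(text)
    return parsed is not None and parsed[0] in (3, 4)


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
    for name in sys.argv[1:]:
        print(name, read_zone_identifier(name))
```

Run with file names as arguments on a Windows machine to see which downloads carry the tag; the parser itself works anywhere.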


Jigsaw Piece - 267 Posted by Mikko @ 13:19 GMT


Wednesday, August 18, 2004

"T-Virus" on your phone? Posted by Mikko @ 22:41 GMT

If you've received SMS text messages to your phone talking about a "T-Virus", relax. This is not a new mobile phone virus, but a goofy marketing campaign for the new Resident Evil game. Ignore it.



Description of T-Virus hoax:


Payload deactivated Posted by Mikko @ 10:46 GMT

We've received confirmation that the two websites used by Mydoom.S ( and have been cleaned and can't be used by the worm any more.

This means that when Mydoom.S infects a system, it will still be able to spread further via email...but it will fail to download a spam proxy to the infected system. Then again, if you were hit by this proxy trojan already, you wouldn't be reading this anyway, as it blocks access to from the infected computers.

Rich, the webmaster for emailed us last night and confirmed he had taken down the files Mydoom.S downloads from his server. He was also surprised that no-one else had contacted him and warned him that his site had been taken over. We discussed how the files might have ended up there in the first place.

Our guess before that had been that the bad boys had gained access to and via vulnerabilities in the web-based guestbooks they were running, as some of the files had been planted to paths such as /guestbook/temp/.

So, when Rich confirmed that he was running a guestbook called "Achims Guestbook", we visited the homepage for this software:


So I guess we've found out how the spam proxy files were planted.

Mydoom.S won't install proxies anymore, but it still continues to spread...until next Friday. The email-spreading function will expire on August 20th, 2004.

In other news: Netsky.P is no longer the most common virus. It dropped to #2 slot in our virus statistics some time last night...getting replaced with Zafi.B. Netsky.P possessed the "most common virus in the world" title for over four months, from early April 2004.


Tuesday, August 17, 2004

Mydoom.S went to top 10 Posted by Mikko @ 13:26 GMT

Yesterday's spam run with Mydoom.S proved to be fairly effective in distributing the virus. It's currently ranked as number 3 in our virus statistics.

However, we get a fairly small number of support requests on the worm, so this outbreak is not out of hand. We expect it to die out within a week or so.


Monday, August 16, 2004

New Mydoom variant being spammed *right now* Posted by Mikko @ 07:16 GMT

There's a fairly large and global spam run going on right now, seeding out a new variant of the Mydoom email worm.

The spammed emails always seem to look like this:

 From: random-email-address
 To: random-email-address
 Subject: photos
 Attachment: photos_arc.exe

The source addresses of the spams appear to be from DSL and cable modem pools, suggesting that the Mydoom gang is using a botnet created with earlier Mydoom variants to send this one out. They've also carefully checked that none of the common antiviruses detect this new variant. We're now detecting this as Mydoom.S with F-Secure Anti-virus.

Also, if you're a sysadmin, you might want to block access to domains and from your network for a while. This variant tries to download components from these addresses (but the sites themselves have nothing to do with the virus group).


Thursday, August 12, 2004

Jigsaw Piece - 262 Posted by Jusu @ 14:54 GMT


Serious new bluetooth vulnerability discovered Posted by Jarno @ 12:09 GMT

A company called Pentest has released an advisory about a major vulnerability in widespread Bluetooth software, used both on Windows PCs and PocketPC handhelds.

This vulnerability in WIDCOMM Bluetooth Connectivity Software allows arbitrary code execution with the privileges of the user that is currently logged in. This means that, in theory, using this vulnerability it would be possible for a malicious party to write a wireless worm that spreads between PCs or PDAs using Bluetooth over the air. Worms like this could spread very fast, especially in an environment like a seminar or a conference.

This vulnerability is fairly serious since WIDCOMM software is very widespread and seems to be used in most Bluetooth dongles and Bluetooth-enabled computers.

WIDCOMM has not yet released a software update that would fix the vulnerability, so in the meantime users are advised to set their Bluetooth-enabled devices into non-discoverable mode and to keep Bluetooth switched off when they don't need it.



Blaster.B author confesses Posted by Mikko @ 10:50 GMT

Yesterday in federal court in Seattle, 19-year-old Jeffrey Parson pleaded guilty to writing the B variant of the Blaster worm. The confession came almost exactly a year after the virus was originally spread, on the 13th of August 2003.


Parson (aka "Teekid") admitted hearing about the virus in news, then downloading a copy, modifying it and unleashing it from 50 computers he had previously hacked. Blaster.B infected tens of thousands of computers around the world - but wasn't nearly as big a problem as Blaster.A was.

Parson now faces between 18 months and over three years in jail and could be ordered to pay massive compensation to affected companies. He was tracked down by the FBI and the Secret Service fairly quickly after the outbreak, largely because Mr. Parson had instructed the worm's backdoor to connect back to himself via his own personal website.


The original author of the Blaster worm remains at large, with Microsoft offering $250,000 bounty for information leading to his arrest.


Wednesday, August 11, 2004

About the "Mosquitos" Symbian dialer trojan. Posted by Jarno @ 07:18 GMT


There have been some reports about a trojanized version of "Mosquitos" game for Symbian phones that secretly sends SMS messages to premium rate numbers.

We detect this case as Trojan.Mquito. Actually, it's not a trojanized version of the game, unlike many reports state. Turns out the hidden SMS functionality was put in the game from the beginning by the original manufacturer.

This functionality was supposed to be some kind of a copy-protecting technique, but it didn't work right and the whole functionality backfired.

According to the manufacturer, the premium rate contracts for the phone numbers have been terminated, so although old versions of the game still send hidden SMS messages, it only costs the nominal fee of sending the message itself.

Current versions of this game no longer have this hidden functionality, but "cracked" versions of Mosquitos still float around P2P networks — and they still send these messages.


Tuesday, August 10, 2004

Blaster - One Year Later Posted by Mikko @ 15:42 GMT

The Blaster (aka Lovsan) Internet worm outbreak happened a year ago, on the 11th of August, 2003. Together with Welchi, a related worm which was found a few days later, this was a massive outbreak. Blaster is among the three largest Internet worm outbreaks ever (the other two being Slammer and Sasser).

Blaster also launched a DDoS attack against Result: was taken down by Microsoft, and it's still down today (but works). Blaster is still in the net, scanning for vulnerable hosts. It will continue to be there for years.

Blaster's outbreak was massive, and affected Windows PCs started rebooting continuously. Many organizations were hit badly, including several banks and airlines. The seriousness of this case was probably one of the reasons why Microsoft put so much effort into SP2 for Windows XP… which was released almost exactly on the anniversary of the outbreak.

To get some impression on how serious Blaster was, read this snippet taken from the web page of CSX, one of the largest railroad operators in the USA:



Yet another new mass mailer W32/Cali.A Posted by Katrin @ 08:16 GMT

Yet another new mass mailer W32/Cali.A has been found.

Monday, August 9, 2004

Bagle.AL Posted by Mikko @ 19:47 GMT

This new Bagle is really going around...although it's hard to say at this stage whether it has just been spammed a *lot* or if it's really spreading fast.

In any case, we now detect it as Bagle.AL.

We also took it to Radar Level 2 Alert.

The trick in this Bagle is that when the user opens the attached ZIP archive, this is what he sees:


...and many users would then wrongly assume that the HTML file is just a web page and safe to click at...after all, there are no dangerous EXE files in sight. Well, that's because it's in the PRICE folder, and the PRICE.HTML will just load and run it.

Repeat after me: HTML files on your local hard drive are not safe to click at. The same file might be perfectly safe when you access it over the web (ie. surf to http://something/somefile.html) and horribly bad when you click on it locally (assuming a typical Windows user with default settings).
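The archive layouts described in this post (PRICE.HTML beside a PRICE folder holding the EXE) and in the Bagle.AK entry above (an HTML file beside FOTO.EXE) are the kind of thing a mail gateway can flag from the member list alone. Below is an added Python example, not code from the original blog or from F-Secure, that builds constructed archives in memory and classifies them; the executable's name inside the PRICE folder is a placeholder, and the suffix list generalizes beyond .exe to other Windows executable types.

```python
import io
import zipfile

HTML_SUFFIXES = (".htm", ".html")
# .exe is what the Bagle archives carry; the rest are other Windows
# executable types added here for generality (assumption, not from the post).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")


def build_sample_archive(names):
    """Construct an in-memory ZIP with the given member names (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


def inspect_archive(data):
    """Classify a ZIP by its member list alone; nothing is extracted or run.

    An archive that pairs an HTML file with an executable, especially one
    tucked into a subfolder so the EXE is out of sight, matches the
    Bagle.AL layout (PRICE.HTML plus PRICE/<exe>) and the Bagle.AK layout
    (HTML file plus FOTO.EXE)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    html = [n for n in names if n.lower().endswith(HTML_SUFFIXES)]
    exes = [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {
        "members": names,
        "html": html,
        "executables": exes,
        "executable_in_subfolder": [n for n in exes if "/" in n],
        "suspicious": bool(html) and bool(exes),
    }


if __name__ == "__main__":
    # Constructed layouts; PRICE/PRICE.EXE is a placeholder name.
    samples = [
        ("Bagle.AL-style", ["PRICE.HTML", "PRICE/PRICE.EXE"]),
        ("Bagle.AK-style", ["FOTO.HTML", "FOTO.EXE"]),
        ("benign", ["report.html", "style.css"]),
    ]
    for label, members in samples:
        result = inspect_archive(build_sample_archive(members))
        verdict = "suspicious" if result["suspicious"] else "clean"
        print(label, verdict, result["executable_in_subfolder"])
```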


New Bagle spam run Posted by Mikko @ 18:31 GMT

It looks like the Bagle gang has spammed a new variant of Bagle widely an hour or two ago. The emails contain a ZIP archive as an attachment with a name like,, etc.

The archive has an HTML file and a hidden EXE file inside.


SP2 is here Posted by Mikko @ 15:35 GMT

Microsoft's Service Pack 2 for Windows XP is ready and the update will soon be available to end users. Which is great.

SP2 is by far the largest service pack we've seen (it's over 250MB in size and quite a download). What's more important, this SP centers around security features only.

From the antivirus point of view, the three most important features in SP2 are:

- Stack & heap protection: this will make it much harder to generate exploits for buffer overflows, such as those used by automatic network worms like Slammer, Blaster and Sasser. We had a look at how Microsoft actually implemented this, and it looks good.

- Built-in firewall, enabled by default and running right from boot-up. It will not only prevent access from the outside but will also warn users when local applications start to listen on specific ports. It won't warn when local applications send data to the internet, though.

- Patched versions of IE and Outlook. As these are the most common tools to access the net, it's important to have them up-to-date.

The end result will be that once patched XPs become commonplace, it will be much harder to create large network worm outbreaks. User-assisted viruses (like email worms) won't go away...and the bad boys will eventually find ways around the safeguards. But nevertheless, this is a big improvement.

As XP is already the most common operating system on the internet, this Service Pack is very important. We hope the majority of XP users will apply it soon. This would benefit everybody on the internet.


Thursday, August 5, 2004

Brador description updated Posted by Jarno @ 19:30 GMT

Description of WinCE.Brador has just been updated.

Also detection for F-Secure Anti-virus for PocketPC has been published.


About WinCE.Brador Posted by Mikko @ 17:39 GMT

Name of the new PocketPC backdoor is WinCE.Brador.

As far as we know, it hasn't been seen in the wild. However, you can check if your PocketPC device is affected by checking if you have a file called "svchost" in your StartUp folder. Alternatively, you can run our antivirus.



New backdoor for PocketPC devices found Posted by Mikko @ 14:30 GMT


We've just received information about a new backdoor. This one seems to run on ARM-based PocketPC devices.

The logic is that when an affected PDA or phone goes online, it will announce itself back to its author, allowing him to remotely and secretly access the handheld device.

We will have more information later.


Wednesday, August 4, 2004

Mydoom vs Evaman Posted by Mikko @ 20:51 GMT

The Mydoom and Evaman virus families are related and are likely coming from a single source. The Mydoom.Q variant we were fighting last night is actually detected as Mydoom by some antiviruses and as Evaman by others.

We categorize it as Mydoom for now, but this might change.


Tuesday, August 3, 2004

Damn Mydoom Posted by Mikko @ 20:49 GMT


We are urging anyone who knows the party behind the Mydoom variants to contact the authorities, let them know who's behind it and collect $250,000. Microsoft offered this public bounty reward on Mydoom on March 11th. It's still valid.

If you have information on the origin of Mydoom, you're most likely connected to spamming in one way or another (as Mydoom is used to create spam proxies). So you should be able to appreciate money. $250,000 is a lot of money. Think about it.

Report all information on the whereabouts of the virus writers behind Mydoom via the forms at Internet Fraud Complaint Center or FBI. Remember to mention that you're interested in collecting the Microsoft bounty. Feel free to report via a remailer using a fake identity and leave an E-Gold account. As long as you report. Do it now.

If you're uneasy about filling forms and sending them to FBI, just contact us. We will work with you. You can reach us at



Yet another evening, another new Mydoom Posted by Katrin @ 19:51 GMT

A new UPX-packed variant of the Mydoom worm, Mydoom.O (aka Mydoom.Q), has been found. This one uses Yahoo People Search to search for more email addresses.

So far this search service seems to be up and running fine (unlike Google which was crashed by Mydoom.M last week).


Monday, August 2, 2004

More from DEFCON Posted by Mikko @ 14:09 GMT

Two groups presented interesting antenna hardware in DEFCON last weekend. The Shmoo group premiered a gun-like WLAN antenna with a scope, dubbed "Sniper Yagi". The thing is supposed to be powerful enough to enable connecting to WLAN networks over 15km away. It also makes you look like a madman with an M16.

Sniper Yagi. Sorry for the fuzzy image.

The Flexilis team presented a similar device for Bluetooth connections. With it, one should be able to connect to Bluetooth phones even if the owner of the phone is standing over a kilometer away.

Do note that antennas resembling assault rifles might be challenging to get through airport security nowadays...