NEWS FROM THE LAB - September 2004


Wednesday, September 29, 2004

Bagle.AS riding pretty high Posted by Mikko @ 07:49 GMT

We took Bagle.As to Radar Alert Level 2 last night as we started getting more reports of it.

Right now it's already at 3rd place in our virus statistics. However, we do believe it will calm down pretty quickly. Bagles usually do.

The worm itself is a typical Bagle variant, with a built-in spam proxy.


Tuesday, September 28, 2004

New Bagle.AS Posted by Katrin @ 20:47 GMT

We have several submissions of a new Bagle variant - Bagle.AS. This one is functionally similar to Bagle.AN and is detected with update Version=2004-09-29_01

Monday, September 27, 2004

JPEG exploits Posted by Mikko @ 21:33 GMT

According to a post on the Bugtraq mailing list, somebody has been trying to post JPG images with the exploit code in them to adult usenet newsgroups. Do note that these JPGs did not replicate, so this is not a virus - although the post in Bugtraq is misleadingly titled "GDI virus". Apparently they tried to use these JPGs to download trojans to vulnerable computers...but the download sites should be down by now.

Things are heating up. Unfortunately I have a nasty feeling we might sooner or later see a massmailer worm using a JPG image as the attachment.


Saturday, September 25, 2004

Group picture of us... Posted by Mikko @ 15:57 GMT

The antivirus research team had a nice photo opportunity last week when we had our US lab visiting us here in Finland.

So here's our current line-up:

The F-Secure Viruslab team

Top row, from left: Jarkko, Ero, Sami, Ceco, Jarno, Gergo, Jussi, Jusu and Alexey
Bottom row: Mikko, Lu the monkey and Katrin

This would also be a good opportunity to introduce the two latest additions to the team: Jarkko Turkulainen and Tzvetan "Ceco" Chaliavski. Both of them work on researching binary viruses.

Photo taken by Jussi Kallio.


Thursday, September 23, 2004

JPG vulnerability exploit Posted by Gergo @ 14:27 GMT

As we reported earlier, a vulnerability, which allows code execution, has been found in Microsoft's GDI+ JPEG decoder. Microsoft has posted detailed information on the vulnerability and affected systems in MS04-028.

A proof-of-concept exploit which executes code on the victim's computer when opening a JPG file has been posted to a public website.


For anybody with unpached systems it is time to patch now.


Tuesday, September 21, 2004

Greetings from Redmond Posted by Mikko @ 22:34 GMT

I've had an interesting day at Microsoft today. In addition of some meetings, we did a live webcast for the "Security360" series. It's impressive to see how a really big company like Microsoft works. The amount of persons involved to get out just one webcast is impressive.

You can see the final result from the MS webcast site.

Live on stage

Here's a picture taken during the webcast session. From left: Mike Nash, Vice President of security at Microsoft, Robert Taylor, CIO at Fulton County and me.

Signing off,


Spam uses Drag and Drop vulnerability Posted by Katrin @ 17:42 GMT

A spam message containing link that leads to "click here to remove" page has been distributed largely.

In addition to the fact that it sends the user's email address to the spammers it also points to a web page that asks to scroll it. This page uses Drag and Drop vulnerability in Internet Explorer so when the page is scrolled, the exploit runs a proxy backdoor. Currently it downloads and runs Backdoor.Win32.Agent.ce but since it is controlled by the spammers it could be changed.


New Java Applet Trojan that uses vulnerability in Sun Java Runtime Posted by Jarno @ 11:03 GMT

Today we found a new type of malicious Java applet. Unlike Java Applet trojans that we have seen
previously, Java/Binny.A uses exploit in Sun Java Runtime, and is thus capable of affecting any web browser that uses Sun Java Runtime for executing Java Applets.

This means that also those who use Mozilla or Opera are also in danger, not just users of Microsoft Internet Explorer.

If you are using Sun Java Runtime that is older than 1.41_04 please update it.

Sun Alert notification about the Java Runtime vulnerability


Monday, September 20, 2004

Mikko on Microsoft's web casting on September 21 Posted by Katrin @ 14:10 GMT

Mikko from our team is currently visiting Microsoft in Redmond. He will be doing two live webcasts while there. You can check them out on Tuesday by visiting the Microsoft webcast center. See the links here.

Saturday, September 18, 2004

Sasser author hired by a software company Posted by Mikko @ 16:19 GMT

Securepoint logo

Sven Jaschen, the author of 30 different variants of Netsky and four different variants of Sasser worm, has been hired. German security company Securepoint hired him to work as a developer for security softwares such as firewalls.

I'm sure most people have serious doubts about a security company hiring a virus writer - and for a reason. No doubt Securepoint will have to explain their decision over and over again.

But in a way I'm happy Sven gets a second chance. After all, we really should try to rehabilitate criminals to enter normal working life again and to became a productive part of the society. Just like in real life many companies avoid hiring ex-convicts but everybody agrees somebody should do it. So in that sense we should be glad that Securepoint is doing this. I guess.

Of course, we here at F-Secure wouldn't hire him.

And we should remember that although Sven Jaschen was bad, he wasn't that bad. He apparently really saw himself as some kind of Robin Hood: writing viruses to attack other viruses written by professional viruswriters working with spammers. Sven's viruses removed viruses like Bagle and Mydoom and uninstalled spam proxies such as Mitglieder from infected computers. But of course, his viruses also caused huge amounts of damage - such as Sasser taking down X-Ray machines in hospitals in Sweden.

So, we believe Mr. Jaschen was more clueless than malicious.


Friday, September 17, 2004

Fascinating post on visualizing virus & spam traffic Posted by Mikko @ 06:07 GMT

Copyright (c) Raymon Chen
I ran into an interesting post by Raymond Chen at Microsoft's blog site Unlike most of us, Raymond has saved every spam & virus-infected email he has received since 1997.

So what do you do with them? You plot a nice graph out of them, that's what!


Thursday, September 16, 2004

New day, New Mydoom Posted by Mikko @ 14:43 GMT

Yet another Mydoom variant has been found. This one is mostly detected as Mydoom.AB. It sends itself in email attachments with various file names, including "photo08.jpg                                      .pif".

The new Mydoom.AB is capable of spreading through Kazaa, ICQ and the LSASS vulnerability, the remaining characteritics are almost identical to previous variants.


Wednesday, September 15, 2004

Mydoom.Y contains a virus description of Mydoom.Y Posted by Mikko @ 13:06 GMT

In a weird twist, the latest variant of Mydoom (which was found last night) drops two files to the system: one of them is the mugshot of Sven Jaschan, author of Netsky. The other is a file called About_Mydoom.txt, which contains a description of the virus itself.

For full details, see our virus description.

 Posted by Katrin @ 07:58 GMT

The F-Secure Anti-virus database update we published on September 14th 2004 (2004-09-14_02) had a false alarm on file U2FHTML.DLL which is part of Crystal Reports. The file was detected as

This false alarm was fixed in the next update 2004-09-15_01.


Tuesday, September 14, 2004

The JPG vulnerability Posted by Mikko @ 18:51 GMT

It's the second Tuesday of the month and Microsoft has issued the latest security patches.

The most important vulnerability this time is a JPEG buffer overrun found from IE, Outlook, Office and many other products. With this, an attacker could post a picture to a website or mail it to a user, and could get his code executed as soon as the page was viewed with IE or read with Outlook.

Patch now.


Omega day Posted by Mikko @ 18:40 GMT

Yesterday was the 13th anniversary of my personal antivirus career. On 13th of September, 1991, I made my first virus analysis. Or actually, started doing it. I'm sure it took several days to finish.

Back then finding a new virus was a big thing. It's hard to imagine that nowadays, with our labs receiving dozens of samples every day. I remember starting to research this 440 byte long virus, reading through reference manuals, interrupt lists and assembly manuals. We didn't even have separate testing machines at the time, so I couldn't just run the virus and monitor what it does. I ended printing out the assembly code of the binary and going through line by line.

Eventually I figured out how the virus replicates. I also noticed the virus would print out something on Friday the 13th. Based on my analysis, it would print out one character - ASCII code 151. I looked it up, and 151 seemed to be the code for the Omega character (Ω). So I named the virus Omega, and wrote a short description for it. My name stuck, and eventually other antivirus vendors started using it. Which was cool.

Six months later we set up our first real lab with isolated test machines. So I changed the date on one of the machines to Friday the 13th and infected it with Omega. I was reliefed to see it indeed did print out the Omega character.

Nowadays we have a tradition at F-Secure that once you've been ten years at the company, you get an Omega watch...

Omega Seamaster


Friday, September 10, 2004

A virus that speaks Posted by Mikko @ 13:41 GMT

We've received some questions on the Amus (yeah, we know) email worm. Specifically, on the speech properties of this virus.

This worm will use the Windows Speech Engine (built-in to Windows XP) to speak the following message when run:

  How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa.
  You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.

To find out what the message sounds like, listen to this audio file:


Another new Mydoom variant discovered Posted by Alexey @ 13:13 GMT

Today there appeared another Mydoom variant, the fourth one during last 2 days. This variant, Mydoom.X, is similar to 3 yesterday's variants, but is lacking the "We searching 4 work in AV industry" text. Today's Mydoom.X downloads a newer variant of the Surila backdoor.

Thursday, September 9, 2004

Three new Mydoom variants discovered Posted by Alexey @ 14:08 GMT

Today there were found 3 new Mydoom variants: Mydoom.U, Mydoom.V and Mydoom.W. All these variants are very similar to each other. All of them download and activate a backdoor called 'Surila'.

Also, there's a hidden text inside all these Mydoom variant files: "We searching 4 work in AV industry.". Yeah, dream on, boys... antivirus industry does not hire virus writers.


Wednesday, September 8, 2004

Author of Netsky and Sasser charged with sabotage Posted by Mikko @ 17:07 GMT

Image (c) Stern

Sven Jaschan, 18, has today been charged with computer sabotage in German court.

Mr. Jaschan confessed in May to creating the Sasser computer worm and the family of Netsky massmailers. Netsky is among the most common viruses in the world still today.

In Germany, computer sabotage carries a maximum sentence of five years in prison.

Authorities say his motive was to gain fame.

No trial date has been set for Jaschan.


About botnets and spam zombies Posted by Mikko @ 08:41 GMT

Latest USA Today has a thorough article on botnets by Byron Acohido and Jon Swartz:
- Are hackers using your PC to spew spam and steal?
- Going price for network of zombie PCs: $2,000-$3,000

Animation from


Tuesday, September 7, 2004

Case Nyxem/Blackmal/Mywife Posted by Mikko @ 16:07 GMT


We've received some questions on the new Nyxem variant (also known as Blackmal, Mywife, Blackworm, Blueworm and probably something else too).

We have some reports of this virus from the field (enough to make it into top 30 of our virus statistics). However, it's not even near outbreak levels at the moment...and probably won't make it there any more. The worm itself is your typical massmailer which tries to remove different antivirus and security products.


Sunday, September 5, 2004

More Russian phishers arrested Posted by Mikko @ 20:10 GMT

Two Russian citizens have been arrested in Australia. They are suspected for running phishing scams against Australian banks, reports Jeremy Wagstaff's blog. Apparently Westpac and Suncorp Metway were targeted.

The case sounds similar to the series of arrests of Russian, Lithuanian and Ukrainian phishers in UK in late May this year.


Friday, September 3, 2004

New variant of Mydoom has been found Posted by Alexey @ 14:30 GMT

Today we got a sample of a new Mydoom worm variant. This variant is detected as 'W32/Mydoom.T@mm' and as 'I-Worm.Mydoom.gen' with the latest FSAV updates (2004-09-03_02). The worm is similar to previous variants. It spreads in e-mails with different subject and body texts, to Kazaa P2P (peer-to-peer) file sharing network and also drops a backdoor component that listens on port 5422. Additionally the worm can perform a DDoS (Distributed Denial of Service) attack against Microsoft's website.

Thursday, September 2, 2004

Oracle issues Posted by Mikko @ 04:24 GMT

Oracle has put out a public alert on several new security vulnerabilities. Some of them could allow a remote attacker to execute arbitrary code on an affected system. Ie somebody could write a network worm infecting Oracle database servers that are online.

Remembering that Slammer worm (which was the largest attack against the internet, ever) targeted MS SQL Server database servers, this thought is probably not too far-fetched.

Then again, Slammer was based on public exploit code. Such code is not available for most of these new Oracle vulnerabilities. At least yet.


Wednesday, September 1, 2004

Renaming the trojans from the last night Posted by Katrin @ 11:32 GMT

In order to synchronize with other vendors naming, last night we decided to use Bagle name for the two trojans that have been spammed. Due to the fact that these are not Bagle variants but droppers that belong to a new family we are renaming them to Glieder.H and Glieder.I.

Bugbear.L was found Posted by Gergo @ 07:43 GMT

A new variant of the Bugbear (a.k.a Tanatos) virus family was found and got the variant letter L.

The virus is under analysis, more information will be posted later.


One more Bagle distribution Posted by Katrin @ 00:33 GMT

Shortly after Bagle.AK has been found, another slightly modified and recompiled version of it has been spammed. This one uses cacl.exe instead of foto.exe. The accompanying foto.htm file is simple and just runs the exe file.

We've published detection for this malware in update Version=2004-09-01_01