NEWS FROM THE LAB - October 2004


Saturday, October 30, 2004

So, who wrote Sobig? Posted by Mikko @ 13:55 GMT

The Doc
Someone sent us a very interesting document last night.

It's a 48-page technical study on who wrote the infamous Sobig worm which went around the world last year. The study is done by anonymous authors.

The study concludes that the author of this worm is a Russian programmer and goes all the way to naming him. Now, we can't confirm this either way. This might as well be a campaign to make someone look bad.

In any case, we've just found out this file has now been posted publicly here and here. So you can have a look for yourself and draw your own conclusions.


Friday, October 29, 2004

We call it Bagle day Posted by Alexey @ 15:39 GMT

So let's sum up what we have at the moment. There appeared 3 new Bagle variants today.

One of the variants was found on a website that was accessed by another Bagle variant. This is most likely a test variant because it gets e-mails from C:\EMAILS\ folder rather than from files on a hard disk (like ITW variants do). We have not seen any reports about this variant from the field. This variant was originally detected by us as W32/Bagle.AU@mm, but we are going to change the detection name to W32/Bagle.AV@mm to avoid confusion with another widespread Bagle variant that appeared today (see below).

The second variant of Bagle that appeared today is Bagle.AT. This variant is number 1 in our Virus Statistics.

The third variant of Bagle appeared shortly after the second one and got the name Bagle.AU. This variant has the same functionality as Bagle.AT, but it uses a different CPL stub and it has a 2-byte corruption area in its text resources. This variant is currently number 12 in our Virus Statistics.

The interesting thing about the latest Bagle variants is that they modify themselves before spreading: they search for applications on a hard disk and "borrow" their icons. Then these icons are attached to Bagle's files together with some garbage data (used as a decoy) and then these files are mailed out. So you might see Bagle variants with quite interesting icons...


Third new Bagle Posted by Katrin @ 10:32 GMT

We just got the third new Bagle for today. This one is functionally similar to Bagle.AT. It is also repacked and has a different CPL stub and different application icons. For example:



Another Bagle variant has been found Posted by Alexey @ 10:14 GMT

We have added detection for another Bagle variant (second for today) as 'W32/Bagle.AU@mm'. This variant was found on one of the websites that the previous Bagle variant had referred to. This variant is not reported to be in the wild.

Upgrading Bagle.AT to Radar level 2 Posted by Katrin @ 08:53 GMT

Due to the increased number of submissions of Bagle.AT, we are upgrading it to Radar level 2:

New Bagle variant has been spotted in several locations. It sends emails with a smiley ":)" as the message body. Attachment filename starts with "Price" or "Joke" and extension is COM, EXE, SCR or CPL.


New variant of Bagle found Posted by Gergo @ 07:41 GMT

The new worm Mikko just mentioned is apparently W32/Bagle.AT@mm, which was found today. The analysis is underway; we will publish our findings soon.

Detection for this one was published in update version 2004-10-29_01.

This worm uses several different icons for the attachments it sends, such as these:
Bagle.AQ icons


New outbreak starting? Posted by Mikko @ 07:37 GMT

Looks like there's some new email worm outbreak starting right now. We're getting multiple reports of attachments named like Price.exe, Joke.exe and RunMe.exe. This might be a new Bagle variant or something. We'll post more as we look into it.

Internet is international. That's why they call it the internet. Posted by Mikko @ 06:52 GMT

Small world
Looking at the chart of international correspondents below got me thinking:

Don't we have readers from India at all? Or from Russia?

How about Mainland China? Or Poland? Anyone from Greece? Or Turkey? Argentina?

If you are out there, let us hear from you!

Update on 1st of November: We've gotten feedback from 42 different countries so far (although still nothing from Mainland China) - I believe we have all the info we needed. Thanks to everybody who wrote in relating to this!


Thursday, October 28, 2004

site access chart Posted by Jusu @ 09:12 GMT

Since we received a large amount of emails from people around the world relating to our previous blog entry, here is a chart describing the global availability of We will update the list as we get more entries.


Australia  X
Austria  X
Belgium  X
Brazil  X
Czech Republic  X
Denmark  X
Estonia  X
Finland  X
France  X
Germany  X
Greece  X
Hong Kong  X
Hungary  X
Ireland  X
Israel  X
Italy  X
Japan  X
Laos  X
Mexico  X
Netherlands  X
New Zealand  X
Paraguay  X
Russia  X
Slovenia  X
South Africa  X
Spain  X
Sweden  X
Turkey  X
United Arab Emirates  X
Uruguay X
Venezuela  X


About Posted by Mikko @ 07:02 GMT

As you might have read from the news, the official George Bush re-election website is apparently rejecting visitors from outside USA.

This is what the web site looks like to visitors from USA

This is what the web site looks like to others

Now, we have no intention of getting political, but we do find this development interesting from a purely technical point of view.

We know we have a very international readership, so we'd like to hear from you. Check out if you can access or not. Then mail the results with your country and IP address you were using (or the IP range) to us here at weblog at our domain

We'll tally the results (without personal info) and post them here.

PS. If you really want to see the site, it seems to be accessible to non-Americans via IP


Wednesday, October 27, 2004

Some new viruses found Posted by Mikko @ 17:24 GMT

We found some new stuff today, including:

Yet another new Mydoom variant, Mydoom.AG (incidentally, Netsky is also at .AG slot right now in our count).

A variant of Agobot (Backdoor.Agobot.VS). We got some reports of this. It drops itself as winl0g0n.exe to the Windows system folder.

A new Zafi variant, Zafi.C. This might be bigger news, as the previous variant of this Hungarian virus, Zafi.B, has been in our Top 20 for the past four months. However, so far we've received few reports of this virus.

Zafi.C launches a DDoS attack against, and - the last one is the home page of the prime minister of Hungary, Mr. Ferenc Gyurcsány.

Jarkko, Katrin, Gergo & Alexey


Monday, October 25, 2004

Graphing malware Posted by Ero @ 12:59 GMT

mydoom-s (151k image)
We have got some good feedback and inquiries on the malware graphs and on how we make them.

The tools we use for reverse engineering malware are:

IDA the Interactive DisAssembler
IDAPython, Python extension for IDA
pydot, Python interface to Graphviz utilities

IDAPython and pydot are developed by us and released as open source.

The graphs are done by exploring the code of a malware sample looking for all the functions and the relationships between them (who calls who). This information, together with text references, is then exported using pydot into a format that Graphviz utilities can read.

For more info, readers may be interested in a paper by us recently published in Virus Bulletin 2004 proceedings; the paper can be read here. In it we detail some of the tools and how we use them, together with interesting results on automatic malware classification.

Other examples of malware graphs are the Sobig.F graph and the comparison of Netsky.V against Sasser.D that can be found on pydot's page.

Some readers also suggested we should create posters out of these graphs. We would like to ask you for your opinion: How many of you would be interested in such posters? Let us know by mailing us at weblog at our domain dot com.
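The graphing step described in the post above, as an added example that is not F-Secure's IDAPython or pydot code: it collects "who calls who" and string references from a text listing and writes Graphviz DOT directly rather than through pydot. The listing format, function names and strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed listing in a simplified disassembler text form (not a real sample).
LISTING = """\
sub_401000 proc near
    push offset aHelo ; "HELO %s"
    call sub_401200
    call ds:send
sub_401000 endp
sub_401200 proc near
    call ds:gethostbyname
    call sub_401300
sub_401200 endp
sub_401300 proc near
    push offset aRunKey ; "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    call ds:RegSetValueExA
    call sub_401300
sub_401300 endp
"""

PROC_RE = re.compile(r"^(\w+)\s+proc\b")
ENDP_RE = re.compile(r"^\w+\s+endp\b")
CALL_RE = re.compile(r"^\s*call\s+(?:ds:)?(\w+)")
STR_RE = re.compile(r';\s*"(.*)"\s*$')


def parse_listing(text):
    """Return ({function: set of callees}, {function: [referenced strings]})."""
    calls, strings, current = defaultdict(set), defaultdict(list), None
    for line in text.splitlines():
        proc = PROC_RE.match(line)
        if proc:
            current = proc.group(1)
            calls[current]  # register functions that call nothing
        elif ENDP_RE.match(line):
            current = None
        elif current is not None:
            call = CALL_RE.match(line)
            if call:
                calls[current].add(call.group(1))
            ref = STR_RE.search(line)
            if ref:
                strings[current].append(ref.group(1))
    return calls, strings


def _esc(text):
    """Escape backslashes and quotes for a double-quoted DOT string."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(calls, strings):
    """Emit DOT: boxes for local functions (with strings), ellipses for imports."""
    out = ["digraph callgraph {", "  node [shape=box];"]
    imports = {c for callees in calls.values() for c in callees} - set(calls)
    for fn in sorted(calls):
        label = "\\n".join(_esc(p) for p in [fn] + strings.get(fn, []))
        out.append(f'  "{fn}" [label="{label}"];')
    for name in sorted(imports):
        out.append(f'  "{name}" [shape=ellipse];')
    for fn in sorted(calls):
        for callee in sorted(calls[fn]):
            out.append(f'  "{fn}" -> "{callee}";')
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_dot(*parse_listing(LISTING)), end="")
```

The printed text can be rendered with the Graphviz `dot` utility, for example `dot -Tpng`.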


Case Posted by Mikko @ 10:06 GMT

Fake site
During the weekend somebody, using fake registration data, registered domain Which is awfully similar to the official homepage of the Fedora project, which is at Fedora is a free operating system supported by Red Hat linux.

Then somebody did a fairly large spam run, targeting Linux users with a message that claimed a security vulnerability has been found and the fix is available at

Fake site
The file itself (which is offline by now) seems to be a fairly typical rootkit.

Red Hat has posted an advisory on this. At first this seemed weird, as they dated their advisory Saturday 23rd, while the domain was apparently registered only on 24th and the spam headers we've seen show they were sent on 24th.

However, we just got confirmation from Red Hat Security Response Team that there was an earlier, similar spam run on Saturday the 23rd...except the link in that spam was pointing to a web page on a University server. Apparently the attacker didn't get too good results so he decided to register the website and retry on Sunday.


Saturday, October 23, 2004

Malware for Macintosh OS X Posted by Mikko @ 20:57 GMT

Things have been really quiet on Macintosh-front, virus-wise. In fact, I've had several of my hard-core geek friends migrate to Macintosh over the last years...especially to the nice new laptops they have, running unix-based operating system and all. And of course, no virus-worries.
Well, turns out some real malware for OS X has been found. This one, known as "Opener", is a bash script which copies itself as one of the startup items that copies itself to all mounted drives. It seems to be pretty nasty as it contains destructive functionality, a keylogger, a backdoor etc.

Back in the late 1980s viruses used to be a much bigger problem on Macs than on PCs. Then things changed. We here at F-Secure used to have an antivirus product for Macs for years, but we discontinued it after the macro viruses died out as there was so little market for it.

For more info on Opener, check this thread at Macintouch.


Friday, October 22, 2004

On the differences between Buchon and Netsky Posted by Ero @ 15:56 GMT

As previously mentioned, Netsky.AG (aka Baba) was renamed as W32/Buchon@mm.

Probably the worm was originally assumed to belong to the Netsky family because of certain text in the messages it sends. A brief look at the code clearly shows that there is not much resemblance between the two worms.

The following picture shows Netsky.AD (left) and Buchon (right). Needless to say there is no pattern to be seen.

netsky_ad-buchon (198k image)

As a demonstration of how variants among a family look, these are Mimail.A (left) and Mimail.B (right). The resemblance is quite apparent.

mimail_a_b (268k image)


Renaming Netsky.AG to Buchon Posted by Katrin @ 14:49 GMT

We have just renamed last night's Netsky from Netsky.AG (aka Baba) to W32/Buchon@mm.

It was originally identified as belonging to the infamous Netsky family, but there is general consensus that it has not much to do with that family besides some similarities in the emails it sends.


Thursday, October 21, 2004

New Netsky found Posted by Mikko @ 18:54 GMT

Right now we're working on a new Netsky variant which was found this evening.

As the author of the original Netsky family is out of business, these recent Netskies all seem to be hacks made by third parties. Tonight's variant contains two hidden strings: "SoonChunHyang" and "Bucheon".

SoonChunHyang University
Well, turns out there's a University called SoonChunHyang in the city of Bucheon, South Korea. So I'd guess this variant has something to do with South Korea.

We're just about to add detection of this thing as Netsky.AG. It also drops a keylogger which we will detect with some generic name.


DDoS attack against El Reg Posted by Mikko @ 16:47 GMT

El Reg
We've received a report or two from administrators who've spotted weird traffic in their network: machines sending large amounts of data to TCP port 80 at address

Turns out this is the website of one of the premier online publications in the net: The Register. Incidentally, they've been hit by a distributed denial-of-service attack since yesterday.

So far, we haven't been able to secure a sample of the offending piece of malware from the affected computers, but we'll continue investigating. In the meanwhile we urge administrators to check their firewall logs for similar activity. And please pass any suspected programs for our analysis to


Wednesday, October 20, 2004

More goofing with laptop locks Posted by Mikko @ 15:44 GMT

Today we are continuing our practical tests on physical laptop security.

We got a real high-security Kensington cable laptop lock, hooked it up to some laptops and started running away with them.

Here we have Alexey showing the official test position. Notice the Kensington lock and the cable.

We hooked up the cable to a table and had Jusu and Jarno hold it down while Alexey played the part of the bad boy.

First we tested IBM Thinkpad 600x. Turns out, the kensington-type security slot in it is made out of plastic. So the hole just got a bit bigger and the lock was removed easily. No sweat. In a real-world situation this could have been done so easily passers-by probably would not have noticed a thing, and the PC stayed in perfect working order.

Next up, IBM Thinkpad 770Z. This one took several tries. Then the laptop casing gave way. This time there was much more damage to the laptop - which would make it harder for a thief to sell it.

Marc Weber Tobias
Also, we found out about a site called (Thanks to Malcolm and Nik for the tip).

This site is run by Marc Weber Tobias and focuses on insecurities of various types of laptop and bag locks.

If you're really interested in the topic, we recommend purchasing access to some of his videos (they cost $2 or $3 each), detailing how to unlock some of these locks with a pen or a toilet paper roll.

That's it for the day...back to viruses.


Tuesday, October 19, 2004

Goofing around with laptop locks Posted by Mikko @ 04:59 GMT

So, our marketing department asked us to do some testing on marketing giveaways we could brand with F-Secure logo and hand out during fairs etc.

This was kinda relevant, as the giveaways were security-related:

Unsafe lock

- A gizmo you would strap on you, which would automatically lock the computer when you wander too far away from it. Turned out you could break away from the security screen by plugging in a second monitor; the system only locks the primary screen, allowing you to do whatever you want through the second screen. Alternatively, you could hit Ctrl-Alt-Del, select Shutdown and wait for the screenlock program to close, then kill its process and finally stop the shutdown with SHUTDOWN -A or a similar command.

Unsafe lock

- A laptop cable lock, which you could use to physically lock down your laptop to a table via the standard kensington-type lock hole every laptop has. Except this lock was made out of plastic, so just by twisting it you could break away the cable, unlocking the whole gizmo. In addition, the cable was so thin that Jusu could break it with pliers he had in his pocket without any great effort.

So, we asked our marketroids to search for better quality giveaways...and started thinking about kensington-type security slots in general. So we decided to take some laptops, a real Kensington high-security cable and just try grabbing the laptop anyway - with some surprising results.

We'll post a separate log entry on that in a day or two.


Saturday, October 16, 2004

Mydoom.AE found Posted by Mikko @ 19:11 GMT

We've received some sightings of a new Mydoom variant, which we now detect as Mydoom.AE.

It's pretty astonishing these guys just keep pumping out new variants when they know several people are actively trying to find out who they are (to collect the $250,000 bounty offered for their head).

This latest variant contains a hidden message which comments on hidden comments found from some earlier Netsky variants:

 Lucky's Av's ;P~.
 Sasser author gets IT security job and we will work with Mydoom , P2P worms and exploit codes .
 Also we will attack f-secure,symantec,trendmicro,mcafee , etc.
 The 11th of march is the skynet day lol .
 When the beagle and mydoom loose, we wanna stop our activity <== so Where is the Skynet now? lol.

We don't think this variant is going to become too widespread. Email worms started over a weekend typically don't.



Thursday, October 14, 2004

A virus spreading on floppies? In 2004? Posted by Mikko @ 12:57 GMT

Most of the new viruses we keep seeing nowadays are email worms, with the occasional P2P, filesharing or network exploit-based worms thrown in.

So, it's weird finding a virus which replicates by using floppy disks and CD-ROMs. This is exactly how the Bacros virus replicates. Bacros was already found a month ago but we've started receiving more questions on it lately. This virus will copy itself to all floppies it sees. It also attempts to burn itself to CD-R discs (complete with an AUTORUN file, which will run the virus when the CD-R is inserted to another machine).

Bacros
In addition to spreading on physical media, the virus also works as a companion virus, attacking TXT files. For example, when the virus finds a file called README.TXT, it will make that file hidden and drop a new file called README.EXE in the same directory. Icon for this file makes it look like a normal text file, and when clicked, it will launch the original text file to hide its activities.

Bacros is also unusual because it's destructive. We don't see many directly destructive viruses nowadays; most viruses just try to silently take over your machine instead. Bacros overwrites GIF image files with an image that says "KUOLE JEHOVA" (the message is in Finnish as this virus was apparently written in Finland). And on Christmas day, it will try to delete all files from the system.

For full details, see the Bacros description.


Tuesday, October 12, 2004

A bunch of security updates released by Microsoft Posted by Sami @ 18:46 GMT

Microsoft has released several critical updates for Windows, Exchange and Office. Some of these vulnerabilities allow privilege elevation (MS04-032). Some allow arbitrary code execution via Windows Metafile (MS04-032), Excel workbooks (MS04-033) or zip files (MS04-034). There is also an update for the patch of the JPG vulnerability (MS04-028).

Further information and complete list of the updates is available at Microsoft's TechNet Security site:

F-Secure recommends users to upgrade their systems using Windows Update.


Saturday, October 9, 2004

Schneier's blog rocks! Posted by Mikko @ 20:00 GMT

Bruce Schneier, author of some of the most important books in security field (Applied Cryptography, Beyond Fear etc) has started his own weblog.

Now, Schneier is not a virus expert. But he has a holistic view on what security is and how it works. And this applies not just to computer security but security in general. In fact, I don't always agree on all of his views (for example, on national ID cards), but he does have a gift of turning his ideas into highly readable and enjoyable text.

In fact, Bruce's monthly Crypto-Gram newsletter is one of the few things I still print out to paper to take with me and read later with thought.

Bruce's blog is available here in web and here in RSS... go read. Now.

PS. Thanks to Forgey for spotting this!


Friday, October 8, 2004

Picture of F-Cabir tool in action Posted by Jarno @ 08:15 GMT

We got some queries on what our F-Cabir tool looks like from people who don't have a Symbian Series 60 phone to check it out. Here's a picture of F-Cabir in action.

Disinfecting Cabir


Wednesday, October 6, 2004

Disinfection tool for Cabir published. Posted by Jarno @ 14:01 GMT

As the Cabir (Caribe) worm is now in the wild, we have created a disinfection tool that will remove the worm from an infected phone. The F-Cabir tool is available from our public FTP site. disinfection tool and instructions
f-cabir.sis disinfection tool
f-cabir.txt instructions


Tuesday, October 5, 2004

Renewed notice on the GDI+ JPG vulnerability Posted by Mikko @ 23:09 GMT

We've posted another notice on the JPG vulnerability, trying to get people to patch before it's too late.

Couple of notices on this vulnerability:

- Filtering files with .JPG extension won't protect you much. Bad JPGs can be renamed to .BMP or even .ICO and they still work fine

- To update Word, Excel and other Office tools, most users need to visit - but keep your Office installation CD handy!

- In some cases, Internet Explorer will run into the vulnerability before it has saved the offending JPG file to the IE cache folder - which means most workstation antivirus products won't have a chance to scan it before it's too late. Gateway-based antivirus scanners (like F-Secure Internet Gatekeeper) take care of this problem

- However, exploiting Internet Explorer with this vulnerability seems to be particularly hard. Exploiting Windows XP's EXPLORER.EXE while viewing local JPG files is much easier and several toolkits to create JPGs like this exist. This reduces the likelihood of appearance of a massmailer worm using this vulnerability

- Finally, if you scan JPGs with this exploit embedded in them, F-Secure Anti-virus will detect them

For more, see our description.
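The first notice above says filtering on the .JPG extension does little because renamed files still render, so a filter has to decide by content. An added example (not F-Secure's scanner code): it identifies JPEG data by its leading bytes whatever the file is called, then walks the segment headers as a structural sanity check. The function names, finding labels and sample bytes are constructed for illustration.

```python
import struct

JPEG_EXTS = {"jpg", "jpeg", "jpe", "jfif"}
# Markers that carry no length field: TEM, SOI, EOI and RST0-RST7.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (marker, declared_length, offset) for segments up to start-of-scan."""
    pos = 2  # skip the SOI marker FF D8
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, length, pos
        if length < 2 or marker == 0xDA:  # cannot advance / scan data follows
            return
        pos += 2 + length


def inspect_attachment(name, data):
    """Return (is_jpeg, findings), judging by content and not by file name."""
    if data[:3] != b"\xff\xd8\xff":
        return False, []
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in JPEG_EXTS:
        findings.append("extension-mismatch")
    try:
        for marker, length, offset in walk_segments(data):
            if length < 2:  # the length field counts its own two bytes
                findings.append(f"bad-length:0x{marker:02X}")
            elif offset + 2 + length > len(data):
                findings.append(f"overrun:0x{marker:02X}")
    except ValueError:
        findings.append("broken-structure")
    return True, findings


# Constructed sample data: header segments only, no image payload.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
GOOD = b"\xff\xd8" + APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + APP0 + b"\xff\xe1" + struct.pack(">H", 0) + b"\xff\xd9"

if __name__ == "__main__":
    for fname, blob in [("holiday.jpg", GOOD), ("icon.ico", GOOD),
                        ("scan.bmp", MALFORMED), ("notes.jpg", b"plain text")]:
        print(fname, inspect_attachment(fname, blob))
```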


Sunday, October 3, 2004

Cabir in Singapore Posted by Mikko @ 22:31 GMT

We've received a report of the mobile phone virus Cabir being sighted in the wild in Singapore. In August, we received several unconfirmed reports of Cabir being seen in the Philippines.

It's more than likely Cabir will find its way to other continents as well. All it takes is someone to board a plane with an infected phone in his pocket.


Friday, October 1, 2004

Greetings from Virus Bulletin 2004 Posted by Gergo @ 23:46 GMT

Katrin, Mikko, Ero and myself have attended this year's Virus Bulletin conference in Chicago. Virus Bulletin is the largest antivirus conference which attracts some hundred delegates from antivirus companies and other organizations interested in the computer virus problem.

VB2004 had some good talks on a broad range of topics. In the techie track quite a few talks circled around the topic of using virtual machines and virtualisation for different purposes. In the corporate track some other talks covered topics like the true cost of computer viruses and criminal aspects of virus writing. This year's conference was the first to include a spam-focused track as well.

The conference has now come to an end and Chicago is waiting to be explored before we head home...

vb2004 (65k image)


Lmir.rz Posted by Sami @ 08:50 GMT

The F-Secure Anti-Virus had a false alarm with a component of Real Player, RJBDLL.DLL. This file was detected as Lmir.rz.

This false alarm was fixed in the update 2004-10-01_01.