NEWS FROM THE LAB - November 2004


Tuesday, November 30, 2004

defaced? Posted by Mikko @ 16:39 GMT

We got a note from a reader of our blog that there was something wrong with the site we mentioned earlier today.

He had visited the site and was greeted with a screen like this:


We checked the site and it was unavailable and unreachable (now it's running normally again).

So, this looks like some kind of defacement, perhaps from a pro-spam group...they definitely would have a motive to attack the site. Or perhaps it was something else. We can't confirm either way.

PS. seems to be blocking visitors from outside USA, again.


Back from the RF shielded lab with more detailed analysis of Skulls.B Posted by Jarno @ 12:32 GMT

I just got back from the RF shielded lab that we use for analysing mobile malware that might use Bluetooth or some other radio link for spreading.

rf_lab_door (13k image)

AVI of the RF shielded Lab door closing

In the lab, where I could safely analyse Skulls.B and the Cabir.B it contains, I made an interesting discovery: Skulls.B installs Cabir.B incorrectly, so that while the files themselves are functional, Cabir.B is not able to start automatically.

This means that just installing Skulls.B does not cause a Cabir.B outbreak in the local area; the user would have to start Cabir.B manually for it to activate and begin spreading. That is still possible, but much less likely.


Lycos Europe organizing a DDoS attack against spammers Posted by Mikko @ 08:00 GMT
In a surprising move, Lycos Europe has started organizing a distributed denial-of-service attack against web sites run by spammers.

Lycos, via its site, is offering a free screensaver for download. The screensaver makes constant HTTP requests to spam websites. The idea is to slow down spam servers by overloading them, i.e. by launching a DDoS, which is illegal in many, many countries.

Although this might seem like a good idea, we don't recommend using the screensaver because of the possible legal problems.




Monday, November 29, 2004

SCO.COM targeted again Posted by Mikko @ 18:05 GMT
The website of the SCO Group has once again been targeted.

Earlier this year several distributed denial-of-service attacks took the site offline. The longest of them (launched by Mydoom.A) lasted five weeks.

According to Zone-H, yesterday somebody hacked the server and replaced several pages with modified versions. Including one which claims that "Recently we found parts of our code in almost all Microsoft(R) software. We want to bring an action against Microsoft(R) and our legal department is working on that.".

Front page was changed to read "We own all your code - pay us all your money".

The site is now back to normal.


Skulls.B detected Posted by Jarno @ 14:49 GMT

Today we received a new variant of Skulls, Skulls.B. The basic functionality is similar to Skulls.A, but it uses files from a different version of the Nokia 7610 to override the ROM binaries, and it drops the Cabir.B worm on the device.

So while the Skulls.A variant 'only' disables the smartphone functionality, Skulls.B also infects you with Cabir.

We also received another repack of Cabir.B, which was already detected by F-Secure Anti-Virus for S60.

Detection for Skulls.B is published both for F-Secure Anti-Virus for S60 and for the F-Secure PC Anti-Virus products.


Police raided another virus writer Posted by Mikko @ 12:08 GMT

Image by Ryan McGinley for The New York Times
We've just learned from a Czech site that the Czech police raided the apartment of "Benny" last Thursday. Benny is a well-known virus writer who used to be one of the most visible members of the virus-writing group 29A. For example, Benny was interviewed by the New York Times in February 2004.

Apparently the police are investigating Benny in relation to the Slammer internet worm. Slammer, found in January 2003, was the single largest attack against the internet, ever.

However, we do not think Benny wrote Slammer.

Another member of the group, known as "Whale", was sentenced a few weeks ago in Russia. Two other members, known as "Ratter" and "disk69", have just announced that they are leaving the group.


Friday, November 26, 2004

Slide set from AVAR conference available Posted by Mikko @ 07:23 GMT

I've just finished my presentation in the AVAR conference, and I have to say everything went really well. My slideset is now available for download in PPT and PDF formats.

This presentation covers how virus writers have changed from hobbyists to professionals, who wrote Sobig and how Cabir is spreading more and more.

Also, I actually managed to figure out a way to embed Flash into a PowerPoint file, which is surprisingly hard to do. Have a look at the animated title on the first slide of the set.

Signing off,


Thursday, November 25, 2004

Greetings from the AVAR conference Posted by Mikko @ 11:17 GMT

Phew! This should be the last conference of the year. The AVAR Conference is the second largest conference for the antivirus industry (between the Virus Bulletin and EICAR conferences). AVAR stands for the Association of anti-Virus Asia Researchers, so the conference is organized annually somewhere in Asia or Australia, this time in Tokyo. In addition to the locals, the AVAR conference gathers a large number of international experts too. Just have a look at this year's program.

So far, the topics in the conference have ranged from how well SPF will kill off email viruses to whether Microsoft will become an antivirus vendor or not. One interesting presentation compared the number of variants produced by closed-source viruses and by open-source viruses, with dramatic results. While even the most rapid phases of the Bagle / Mydoom saga only produced a handful of new variants per month, some of the Randex / Gaobot / Sdbot families have produced over 600 variants in a single month. That's twenty new variants a day, every day of the month.

AVAR Crowd

And, this being Japan, you can expect to see a confusing sign or two.

Somewhere else

Signing off,


Wednesday, November 24, 2004

Improved disinfection instructions for Cabir Posted by Jarno @ 13:59 GMT

We have received reports from people that a Cabir-infected phone is difficult to disinfect. Cabir blocks all Bluetooth communication except its own, and transferring the Anti-Virus or the disinfection tool is difficult for people who don't have an infrared port in their PC or a USB port in their phone.

Thus we have made the F-Cabir tool available on a special page for mobile Anti-Virus that is viewable by mobile devices, together with easy instructions on how to disinfect your phone.

1. Open web browser on the phone
2. Go to
3. Select link "Removal tool for Cabir"
4. Download the file and select open after download
5. Install F-Cabir tool
6. Go to applications menu and start F-Cabir
7. Select scan and answer yes when tool asks do you want to disinfect

Also, today we got verification of a Cabir infection in Finland. So far the countries from which we have confirmed reports of Cabir infections are:

United Arab Emirates
Mainland China


Spam is profitable Posted by Mikko @ 07:40 GMT

This is the problem: Spamming works. Spammers make good money out of it.

Which means spammers can invest in their operations, making the problem worse.
Jeremy Jaynes
One of the few spammers ever sentenced, Mr. Jeremy Jaynes (aka Gaven Stubberfield), is a good example of how well this works. This spammer from North Carolina was making excellent money by sending out up to 20 million spam emails a day. Only a few hundred of those would actually lead to a sale (the reply rate would be just fractions of a percent). However, even that was enough to generate an income of up to $750,000 a month for him.

Eventually, Mr. Jaynes built a fortune worth as much as $24 million, including several cars and several houses, with one mansion having 16 separate T-1 data lines connected to it to provide spamming bandwidth.

The good news is that Mr. Jaynes was arrested, charged and convicted. He's now serving nine years in jail, which is in fact a surprisingly long sentence. His defense attorney argued that the prosecutors never proved the e-mail Jaynes sent was unsolicited.

The bad news is that there are hundreds of other spammers more than happy to jump in on this lucrative business.

We here at F-Secure also have evidence which suggests that some spammers have successfully recruited individual employees from anti-spam software developers. Which is like a plot from a bad sci-fi movie: 'come to the dark side - we'll double your salary'.

People who design antispam software would be the best experts to figure out how to get spam messages through antispam filters. Spammers are also known to hire linguists to help them develop spam emails that better evade antispam traps.

Such trends are disturbing, of course. What's next? Virus writers hiring anti-virus researchers?


Tuesday, November 23, 2004

New Java vulnerability discovered, time to update. Posted by Jarno @ 08:20 GMT

Finnish security researcher Jouko Pynnonen has found a vulnerability in the Sun Java plugin that is used by most web browsers. Using this vulnerability a malicious applet can escape the Java sandbox and do whatever it wants on the system. Java Runtime versions 1.4.2_05 and older are vulnerable to this problem.

This vulnerability is particularly interesting since it's in Java and thus not limited to the Windows & IE combination; according to Jouko the problem also affects Mozilla Firefox, on both Windows and Linux systems.

Similar vulnerabilities have been widely used by malicious web sites, so we recommend patching the Java runtime, no matter which operating system you are using.
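A small check that turns the "1.4.2_05 and older" statement above into something you can run across a fleet. This is an added example, not code from the original post or from Sun; it assumes only what the post says (everything up to and including 1.4.2_05 is affected), and the sample banner is constructed to look like the output of a 2004-era `java -version`. The practical gotchas it handles are that Java prints its version banner to stderr, not stdout, and that the update number after the underscore is what distinguishes a patched 1.4.2 from a vulnerable one.

```python
import re
import subprocess

# From the post: Java Runtime 1.4.2_05 and older are affected (assumption taken
# from the text; nothing newer than that is claimed vulnerable here).
LAST_VULNERABLE = (1, 4, 2, 5)

# Constructed sample of a `java -version` banner (not a real capture).
SAMPLE_BANNER = (
    'java version "1.4.2_05"\n'
    'Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)\n'
    'Java HotSpot(TM) Client VM (build 1.4.2_05-b04, mixed mode)\n'
)

# major.minor.micro with an optional _update suffix, e.g. 1.4.2_05 or 1.5.0
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, micro, update) parsed from a `java -version` banner.

    A missing update suffix counts as update 0, so plain "1.4.2" sorts below
    "1.4.2_05" and "1.5.0" sorts above every 1.4.x release.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Java version string found in banner")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_vulnerable(version):
    """Tuple comparison does the right thing for the 4-part version."""
    return version <= LAST_VULNERABLE


def check_banner(banner):
    version = parse_java_version(banner)
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_installed_java():
    """Run the real `java -version` on this host; None if no java on PATH.

    The banner goes to stderr, so both streams are joined before parsing.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return check_banner(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(check_banner(SAMPLE_BANNER))
    print(check_installed_java())
```

One caveat when using this: installing a newer JRE on Windows does not remove older ones, and the browser plugin may still be bound to an old installation, so check the version the plugin actually loads (or uninstall the old runtimes) rather than trusting the newest `java` on the PATH.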

Updated version of Java Runtime and SDK

Original advisory


Saturday, November 20, 2004

Yanz worm Posted by Katrin @ 13:20 GMT

There was some media attention in Asia on the Yanz.A worm. The worm uses texts related to the Asian singer Stefanie Sun (Yanzi) as attachment names and in its email subject and body.

We did not receive reports of this worm. However, we published detection for the Yanz.A worm on November 17th in update version 2004-11-17_01.


Friday, November 19, 2004

More info on the new Symbian trojan Posted by Mikko @ 10:05 GMT

We have some isolated reports of users who've been hit by the new Skulls trojan on their phones.

This trojan has been distributed on some Symbian shareware download sites as "Extended Theme Manager" by "Tee-222". If you see it, don't install it on your phone. It will make the smartphone features of your phone useless, so you can still make calls with the phone but that's it, no messages, no web, no applications. Recovery could get tricky, especially if you don't have a third-party file manager software already installed on your phone.

The most obvious symptom of the trojan is that the usual programs on the phone won't work any more, and that their icons get replaced with a picture of a skull. See below:

Picture of SymbOS/Skulls


Upgrading Sober.I to Radar2 Posted by Katrin @ 09:44 GMT

Due to an increased number of reports we have just upgraded Sober.I to Radar level 2.

The worm sends e-mail messages with English and German texts. Here's an example of a English message sent by the worm:



New Symbian trojan discovered. Posted by Jarno @ 09:42 GMT

We've received a new trojan that affects the popular new phones running Symbian Series 60.

SymbOS/Skulls is a malicious SIS file that installs copies of Symbian system components on the C: drive of the device, and includes a corrupted AIF (Symbian application info and icon file) for each file.

Because the C: drive is searched before the Z: ROM drive, these installed system files take precedence over the ROM versions in the start order and prevent any of the Symbian system tools from being used, rendering all but the phone functions of the device useless.

We will publish more information and Anti-Virus updates for F-Secure Mobile Anti-Virus for Symbian shortly.


New Sober Posted by Katrin @ 07:39 GMT

We are getting reports of a new Sober.I variant. We have just published detection of it with update: Version=2004-11-19_01

More information will follow.


Thursday, November 18, 2004

Repacked version of Cabir.B found Posted by Jarno @ 08:17 GMT

A repacked version of the Cabir.B Symbian worm has been found on a Chinese web portal. The repacked sample contains binaries that are fully identical to the original Cabir.B, so it's not a new variant. However, the new SIS installation file contains different settings from the one created by Cabir.B, which causes it to install the worm into a different directory and to display a pop-up text during installation.

This repacked version is detected by F-Secure Mobile Anti-Virus for Series 60 without any need for database updates.

Thanks to Alex Lucic for notifying us about the repacked version.


Wednesday, November 17, 2004

Another virus writer caught & sentenced Posted by Mikko @ 21:16 GMT

29a website
It's been the best year ever in catching virus writers.

Another virus writer has been convicted, this time in the little-known Russian republic of Udmurtia. Mr. Eugene Suchkov was sentenced to a fine of 3000 roubles for virus writing.

This wouldn't be too interesting, except that Mr. Suchkov is also known as a member of 29A, one of the best-known active virus-writing groups. It turns out Mr. Suchkov is also known as "Whale", and is the author of several viruses he has released as a 29A member, including viruses targeting .NET systems.

As discussed earlier in our weblog, other 29A members have recently been in the headlines too.


National computer security days Posted by Mikko @ 11:30 GMT

We got a note from a reader that today, the 17th of November, is National Computer Security Day in Ireland. This is the first time the Government of Ireland has organized such a day, together with various other organizations and companies. For more information, see their website.

Finland had a similar National Data Security Day in February and will have another one in 2005. In addition, we're aware of at least two other countries planning similar events.

The main practical message of these days is simple: Get a firewall! Get an antivirus! Patch your system!

Which of course means that the real target group of these days is not you or us (obviously you're a pretty aware computer user since you're reading our blog). The real target is the grandmamas and the newbies - the great masses of the net users. You really can't go wrong trying to educate them.


Tuesday, November 16, 2004

First virus distributed in Enhanced Metafiles Posted by Gergo @ 09:10 GMT

The recently found worm Aler (a.k.a. Golten) was distributed in the form of EMF files, sent as email attachments to a number of email addresses. The emails have the subject "Latest News about Arafat!!!" and come with two attachments, one clean JPEG and a malicious EMF.

The clean image looks like this:


The EMF exploits the MS04-032 (EMF) vulnerability to install the worm on the system when the attachment is opened. It's worth mentioning that Aler does not propagate through this vulnerability. It spreads to random computers using local credentials from the infected host and a list of weak passwords.

Aler comes with a TCP proxy as payload.

Description of the worm has been posted to


Got first snow! Posted by Mikko @ 07:44 GMT

Whoa! This morning we got our first snow this year here in Helsinki.

Take a look:

First snow

This should make Ero Carrera really he relocated from our Helsinki viruslab to California viruslab couple of weeks ago. No snow there.


Sunday, November 14, 2004

Catbert and camera phones Posted by Mikko @ 21:03 GMT
Scott Adams is almost always good. He masters the skill of packing two or three punchlines into one strip where others would have expanded them to several.

However, today's Dilbert is particularly priceless....


Friday, November 12, 2004

Blaster variant author due to be sentenced today Posted by Mikko @ 13:26 GMT

If everything goes according to schedule, Mr. Jeffrey Parson will be sentenced today for writing and distributing a variant of the Blaster worm in August 2003. Prosecutors claimed this virus infected over 48000 computers.

Mr. Parson confessed writing the virus in trial in August 2004.


Mr. Parson, who is 19 years old, could face jail time anywhere up to 3 years. He might also be ordered to pay compensation charges. When arrested, Parson had $3 USD in his savings account.

The creator of the original Blaster worm remains a mystery.


Thursday, November 11, 2004

Some MyDooms renamed to Bofra Posted by Gergo @ 13:18 GMT

Even though they seem to originate from the same source code, some samples we called MyDoom earlier have been renamed to Bofra. More specifically this affects MyDoom.AG, MyDoom.AH and MyDoom.AI.

The Bofra family of worms uses a different way of propagation which we explained in this earlier post.

A link page for the Bofra family has been posted to


Wednesday, November 10, 2004

Malware graph posters Posted by Ero @ 18:44 GMT

Ganda virus
Thanks to all our readers for the feedback we received on the malware graphs.

Given your response we decided we will be doing the posters. More info will follow on the weblog.



Phisher caught again Posted by Mikko @ 12:11 GMT

Andrew Schwarmkoff. Photo by Matt Stone /
Today's Boston Herald has an interesting story on Mr. Andrew Schwarmkoff, who's been charged for credit card and identity fraud in Brighton, Boston.

Apparently Mr. Schwarmkoff sent out phishing emails to collect people's credit card and banking details. This alleged member of a Russian mob was arrested with $200,000 worth of stolen merchandise, credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash.

Authorities are fighting credit card fraud more and more visibly. Just last week the US Secret Service shut down the and carding sites.

Thanks to Jeremy Wagstaff's excellent weblog for the link to the article.


Tuesday, November 9, 2004

November's Microsoft security update Posted by Ero @ 19:05 GMT

As usual on the second Tuesday of the month, Microsoft released security updates today. On this occasion only one update has been released, MS04-039, fixing a vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 and Microsoft Proxy Server 2.0.

Detailed info from Microsoft is available at TechNet Security.

F-Secure recommends that users of the products affected by the update upgrade their systems by visiting Windows Update.


More on the new IFRAME worms Posted by Mikko @ 08:30 GMT

Turns out these new Mydoom.AG and Mydoom.AH variants might not be Mydooms at all. Our comparison tools show only around 49% correlation between these and the last Mydooms. So that would explain why the technique is so different.

These viruses are also one of the fastest ever to take advantage of a new security vulnerability. The exploit was only posted publicly on Friday, and the viruses were out by Tuesday.

So the virus spreads in four steps:

1 Infected machine ("predator") sends out tons of emails with a link
2 Recipient on target machine ("prey") follows the link back to a website on the Infected machine
3 Exploit on the web page downloads and runs the virus, turning the prey into another predator
4 Repeat

To make this clearer, have a look at our high-tech illustration:

High-tech illustration


Virus writer Benny/29A hired by a Czech antivirus company? Posted by Mikko @ 07:57 GMT

According to an article in The Register, a Czech virus writer known as Benny has been hired by a Czech software development company, as the main developer of their new antivirus product.

Benny is one of the most well-known virus writers, with a long history in this area, starting from 1999.

This development is really surprising, as obviously any antivirus company would face major credibility problems after doing such a stupid move. Nevertheless, a similar thing happened with the author of the Netsky and Sasser viruses earlier this year.

We here at F-Secure don't hire criminals.


New Mydooms, new exploits Posted by Mikko @ 06:57 GMT

Two new Mydoom variants were found last night. They are considerably different from previous Mydooms.

They do spread over email, like Mydooms normally do. However, these new variants do not send attachments at all; instead they send emails with links to a website. There are several different emails, for example:

  Congratulations! PayPal has successfully charged $175 to your credit
  card. Your order tracking number is 866DEC0A, and your item will be
  shipped within three business days.
  To see details please click this link

Interestingly, the link points to a website which is actually running on the infected machine that sent the email in the first place. The worm accomplishes this by installing a small web server on port 1639 (or similar) on each infected machine. This technique is a bit similar to what for example Blaster worm does to transfer itself to each infected machine; instead of using a central download server it turns each infected machine to one.

Even more interestingly, the web page uses a brand new IFRAME vulnerability in Internet Explorer to infect the computer. There's no patch for Windows 2000 or XP SP1 yet. Windows XP SP2 is not vulnerable.

However, so far we haven't seen significant numbers of infections reported to us.
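The mail-side fingerprint described above (and in the four-step "predator / prey" description of the same worms posted later this morning) is that the lure carries no attachment, and its link points straight back at the machine that sent the mail, on a non-standard port. The following is an added example, not code from the original post or from F-Secure, of how a mail gateway could flag exactly that. The two messages are constructed samples, not real captures; the `Received` header they carry is the one our own MX would add, and the code trusts only that topmost header, since anything below it can be forged by the sender.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample mimicking the Mydoom.AG/AH lure: no attachment, and the
# only link points back at the sending host on an odd port.
SELF_HOSTED = (
    "Received: from [192.0.2.45] (helo=home-pc) by mx.example.org with smtp;\n"
    " Tue, 9 Nov 2004 06:10:00 +0000\n"
    "From: service@paypal.example\n"
    "To: victim@example.org\n"
    "Subject: PayPal has charged your credit card\n"
    "\n"
    "PayPal has successfully charged $175 to your credit card.\n"
    "To see details please click this link\n"
    "http://192.0.2.45:1639/confirm?order=0A1B2C3D\n"
)

# Constructed benign message: the link host is a name, not the sender's IP.
ORDINARY = (
    "Received: from [203.0.113.9] (helo=mail.shop.example) by mx.example.org with smtp;\n"
    " Tue, 9 Nov 2004 06:12:00 +0000\n"
    "From: orders@shop.example\n"
    "To: victim@example.org\n"
    "Subject: Your order\n"
    "\n"
    "Track your parcel at https://www.shop.example/track?id=42\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_ip(msg):
    """IP the message was received from, read from the topmost Received header.

    Headers are prepended as mail moves, so the first one is the one our own
    MX wrote; older Received lines are sender-controlled and are ignored.
    """
    received = msg.get_all("Received") or []
    for hdr in received[:1]:
        m = BRACKET_IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None


def extract_links(body):
    return URL_RE.findall(body)


def analyse(raw):
    """Classify one raw message: self-hosted-link, suspicious, or clean."""
    msg = message_from_string(raw)
    ip = sender_ip(msg)
    links = extract_links(msg.get_payload())
    findings = []
    for link in links:
        u = urlparse(link)
        host = u.hostname or ""
        try:
            ip_address(host)
            host_is_literal = True
        except ValueError:
            host_is_literal = False
        if host_is_literal and host == ip:
            # The link leads back to the very machine that sent the mail.
            findings.append(("self-hosted", link))
        elif u.port not in (None, 80, 443):
            # Not conclusive on its own, but the worm's server sat on 1639.
            findings.append(("odd-port", link))
    if any(kind == "self-hosted" for kind, _ in findings):
        verdict = "self-hosted-link"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sender_ip": ip, "links": links, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SELF_HOSTED, ORDINARY):
        result = analyse(raw)
        print(result["verdict"], result["sender_ip"], result["findings"])
```

A link whose hostname is a DNS name that resolves to the sending IP would also fit the pattern; resolving names is left out here so the check runs offline and stays fast on a busy gateway.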

We detect these two new Mydoom variants as Mydoom.AG and Mydoom.AH with our updates published today as 2004-11-09_01.


Monday, November 8, 2004

Bush is back (the site that is) Posted by Mikko @ 08:38 GMT

Just a quick note that after George Bush was re-elected as the US president last week, his official homepage was apparently re-opened to be accessible to the whole world. This happened some time during last weekend.

As we reported in our blog last week, the site was not accessible outside the USA and Canada, possibly as a precaution against DDoS attacks.

On a related theme, out of all the voting problems reported at Voters Unite, the most interesting is probably a voting computer which was apparently using signed short integers to store the number of absentee ballots. So after 32768 ballots, it started counting backwards. For details, see their problem tally.


Thursday, November 4, 2004

Greeting from RSA Conference Posted by Mikko @ 21:25 GMT

This time it's the RSA Europe conference 2004, in Barcelona.

Very nice conference! The RSA Conference is breaking away hard from its roots as an encryption-only event and becoming an all-in-one massive security conference. With over 1000 attendees, it's probably one of the biggest security events anywhere.


One major gripe though: I tried entering Bruce Schneier's presentation, and there were far too few seats. Probably a hundred people were standing in the room and many people didn't fit in at all. Many were queueing to see at least something. It felt almost like DEF CON...

Bruce live on stage

Signing off,


Wanted by the FBI - for computer intrusion Posted by Mikko @ 01:42 GMT

Wanted by the FBI

Some of you might remember this case from our weblog in last August.

Mr. Jay Echouafni, the CEO of satellite receiver reseller Orbit Communication, was charged with hiring hackers to launch DDoS attacks against their competitors. The idea was to take down the online ordering systems of other large satellite operators, using hackers from the USA and the UK.

We just noticed that Mr. Echouafni has skipped bail, and is actually now listed among the FBI's most wanted.

The website of Orbit Communication Corporation has been down now for some months (surprise, surprise). However, we managed to take this screenshot of their welcome page before it vanished:

Screenshot from the old website


Wednesday, November 3, 2004

Jigsaw Piece - 341 Posted by Mikko @ 10:52 GMT


Configuring Macs right Posted by Mikko @ 10:20 GMT

Image Copyright (c) National Security Agency
In the wake of the Opener Mac OS X malware which we reported two weeks ago, fans of either Apple or the National Security Agency will be thrilled by this news: the NSA has released a very thorough 100-page guide to configuring security for Apple Mac OS X v10.3.x.

The guide is available for download directly from NSA.

It's unclassified, too.


Tuesday, November 2, 2004

USA votes Posted by Mikko @ 08:11 GMT

Diebold Accuvote-TS, image Copyright © Diebold, Incorporated 1994-2004. All rights reserved.
USA votes for their next president today.

For the first time in history, a major part of this voting is done on voting machines running on top of a general-purpose operating system.

The three largest manufacturers of voting systems (Diebold, ES&S and Sequoia) all run closed-source systems on top of Windows. You would think that voting machines would be a prime example of systems that should be open source, so anybody could verify what exactly happens and how. And there is a long list of known failures so far.

We might also remember that Diebold is one of the largest manufacturers of Windows-based ATMs... and that RPC- and LSASS-based network worms have managed to infect such cash machines on several occasions over the last year and a half.

So it will be interesting to see how everything plays out.


Monday, November 1, 2004

Volunteers needed... Posted by Mikko @ 13:07 GMT

The virus statistics page we run is based on real-world virus scanning data submitted to us by our customers.

We're interested in expanding the amount of reporters to make our statistics more accurate. To do this, we're asking for volunteer organizations who could share their virus reports with us. We're especially looking for more reporters from USA, Canada, UK, Germany, France and Italy. Also we'd welcome more participants from Asia and Australia.

For more information on how you can participate please see our Virus stats information page - thanks!



Interesting new antivirus weblog Posted by Mikko @ 13:01 GMT

We've just noticed that our friends at Kaspersky Lab have started their own weblog, which looks very interesting!

Congratulations to Eugene, Costin, David and Aleks for opening the 2nd viruslab weblog in the world!

Unlike ours, Kaspersky's weblog also allows public comments from the readers. We haven't allowed this in our weblog as we didn't want to give an open podium to virus writers. We'll see how well it works out with them.


Some Bagle download sites becoming active Posted by Mikko @ 07:51 GMT

Bagle's sites
The latest Bagle variant, like most of the recent variants, contains a long list of web addresses. Infected machines periodically go through this list and try to download and run a program from there.

The latest site list contains 168 different web sites, located all over the world. We believe many of these sites are actually not hacked or otherwise controlled by the virus writers, but are just put in there as camouflage.

We've been checking the contents of the URLs over the weekend. They were all returning "404" until last night, when two of the URLs became active. We're now trying to get them shut down and are analysing what exactly the program that was posted there does.

If you're a sysadmin and would like to filter access to these sites from your network, the domains in question were and