Free Republic
Browse · Search
News/Activism
Topics · Post Article


Bagle variants punch, punch and punch again
ZDNet News ^ | June 2, 2005 | Matt Loney

Posted on 06/02/2005 10:51:00 AM PDT by infocats

The latest variants of the Bagle worm have alarmed antivirus companies because of the multiple-stage process they use to attack PCs.

The variants, which Computer Associates International has given a new name--Glieder--because it says they are so different from previous Bagle worms, combine several elements in a way not seen before. In this staged approach, viruses seed their victims, then disarm them, and then finally exploit them.

"We've seen blended threats before where a virus uses several methods to spread, but not like this," said Chris Thomas, a Computer Associates Australia security architect.

The Win32.Glieder worm spreads using a common mass-mailing method, relying on people to click on an attachment so it e-mails itself on to names in the address book. "This is the beachhead," said Thomas. "The whole point is to get to as many victims as fast as possible with a lightweight piece of malware." On Tuesday, CA saw eight variants released.

As well as e-mailing itself, the mass-mailer downloads a Trojan called Win32.Fantibag to the infected machine, which is designed to block antivirus software updates. It also blocks Microsoft's update site, windowsupdate.microsoft.com, said Thomas. "This stops the machines (from) protecting themselves," he added. "It means that software can’t get updates, that victims can't go for help and that effectively infected PC users are isolated."

The final part of the triumvirate is a second Trojan, called Win32.Mitglieder, which disables firewalls and antivirus software, further lowering the shields, and then hijacks the infected PC for use as part of a botnet. Botnets are groups of networked machines, often numbering in the thousands, that are hired as spam relays, for tracking users' behavior and for identity theft.

"There is a commodities market for victimized PCs," Thomas said. "Recently we’ve seen spammers and criminals engaged in fraud, paying approximately five cents per machine for compromised PCs."

The latest attack has been very effective. "The stats we have seen show it is still spreading quickly," said Thomas.

Thomas said the virus does not appear to block access to Computer Associates' virus patch update site, but could not offer an explanation as to why this had been missed off the list.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Technical
KEYWORDS: bagle; lowqualitycrap; microsoft; virus; windows; worm

1 posted on 06/02/2005 10:51:00 AM PDT by infocats

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

2 posted on 06/02/2005 10:58:58 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: infocats
I can hear the stampede (12 ppl) coming from the apple (crowd?)
3 posted on 06/02/2005 11:03:32 AM PDT by Xenophobic Alien (OK gang, you know the rules, no humping, no licking, no sniffing hineys.)

To: infocats

bump


4 posted on 06/02/2005 11:05:31 AM PDT by NonValueAdded (NEWSWEEK LIED, PEOPLE DIED)

To: ShadowAce
Are all files with the name "Win32" prefix, viruses or worms or Trojans???? I have found several on my comp.
5 posted on 06/02/2005 11:29:32 AM PDT by clearsight

To: clearsight
Are all files with the name "Win32" prefix, viruses or worms or Trojans???? I have found several on my comp.

No. Lost of win32's are a normal part of windows.

6 posted on 06/02/2005 11:34:34 AM PDT by The_Victor (Doh!... stupid tagline)

To: The_Victor
Lost = Lots

I hate when typos make a word.

7 posted on 06/02/2005 11:36:22 AM PDT by The_Victor (Doh!... stupid tagline)

To: infocats
I'm not even sure that it is worthwhile to comment on yet another Windows trojan, but I'll Bump it for general awareness. There are a lot of people who don't realize how vulnerable they leave themselves.
8 posted on 06/02/2005 12:41:57 PM PDT by zeugma (Come to the Dark Side...... We have cookies!)

To: zeugma

Better alert your Linux buddies of all these new vulnerabilities announced the last few days too. 6 in the Red Hat distro yesterday and today.

http://lwn.net/Alerts/


9 posted on 06/02/2005 6:01:54 PM PDT by Golden Eagle

To: infocats

My wife got one yesterday, I got one today. An infected email.

The title is something like.
Finally, Osama Bin Laden caught!

Then goes on to say that the news hasn't hit the media yet but if you want to see some screen captures, open this little .zip file. (Trend Micro caught it)

Duh!!

Bet a zillion people fall for it.


10 posted on 06/03/2005 2:37:42 PM PDT by Vinnie

To: Vinnie
My wife got one yesterday, I got one today. An infected email.

The title is something like. Finally, Osama Bin Laden caught!

Then goes on to say that the news hasn't hit the media yet but if you want to see some screen captures, open this little .zip file. (Trend Micro caught it)

Everyone...Keep your anti-viral signatures up to date

11 posted on 06/03/2005 2:43:00 PM PDT by infocats
