[ISN] Worm targets security software

From: InfoSec News (isnat_private)
Date: Wed Jan 02 2002 - 22:11:13 PST

    By David Becker
    Staff Writer, CNET News.com 
    January 2, 2002, 11:55 a.m. PT 
    A destructive new worm that destroys antivirus software on infected
    computers was slowly spreading Wednesday.
    The Maldal.D worm, also known as ZaCker, was written and distributed
    Dec. 29, according to antivirus software maker Symantec, prompting
    fears the worm could sneak past security software that wasn't updated
    over the holiday break.
    "We always worry when something comes out at the end of the week or
    over a holiday, when nobody's in their office," said Steve Trilling,
    director of research at Symantec's Security Response division, which
    rated Maldal.D as a moderate threat.
    Maldal.D appeared to be spreading slowly and mainly outside the
    corporate networks that can turn an infection into an epidemic.
    "We have seen a bit of an upsurge in submissions today, but most of
    them are from consumers," Trilling said. "That leads us to believe
    that a lot of corporations updated their software right away."
    E-mail screening service MessageLabs reported intercepting about 150
    copies of Maldal.D by 11 a.m. Wednesday, placing the worm at the
    bottom of the company's list of the Top 10 most active viruses.
    Maldal.D spreads itself as a file attached to an e-mail with the
    subject "ZaCker." The body of the message consists of one of several
    dozen cryptic sentences, such as "nowadays, there is no womanhood!!"
    If the file is opened, the activated worm attempts to delete files
    associated with popular antivirus applications, including programs
    from Symantec, McAfee and Zone Labs. The worm also deletes files with
    common extensions such as .exe, .doc and .jpg, which could destroy
    enough critical files to render an infected PC unstable or unusable.
    The worm spreads itself by e-mailing copies of itself to all addresses
    in the infected PC's Microsoft Outlook address book.
    Attacking security software is an old trick, Trilling said, noting
    that the recent Goner worm employed similar tactics. Such efforts are
    unlikely to work, however, if the security software is running as it's
    supposed to.
    "If the software is running all the time in the background, it can't
    easily be deleted," Trilling said.
    Business and home PC users were advised to download the latest updates
    for antivirus software to catch Maldal.D and to reinstall security
    software on PCs already infected.