[SECURITY-L] Worm targets security software

Daniela Regina Barbetti daniela em ccuec.unicamp.br
Sex Jan 4 16:25:08 -02 2002 

----- Forwarded message from Nelson Murilo <nelson em pangeia.com.br> -----

From: Nelson Murilo <nelson em pangeia.com.br>
Subject: [S] Worm targets security software
To: seguranca em pangeia.com.br
Date: Thu, 3 Jan 2002 18:49:56 -0200

[http://news.cnet.com/news/0-1003-200-8334809.html]

By David Becker
Staff Writer, CNET News.com 
January 2, 2002, 11:55 a.m. PT 

A destructive new worm that destroys antivirus software on infected
computers was slowly spreading Wednesday.

The Maldal.D worm, also known as ZaCker, was written and distributed
Dec. 29, according to antivirus software maker Symantec, prompting
fears the worm could sneak past security software that wasn't updated
over the holiday break.

"We always worry when something comes out at the end of the week or
over a holiday, when nobody's in their office," said Steve Trilling,
director of research at Symantec's Security Response division, which
rated Maldal.D as a moderate threat.

Maldal.D appeared to be spreading slowly and mainly outside the
corporate networks that can turn an infection into an epidemic.

"We have seen a bit of an upsurge in submissions today, but most of
them are from consumers," Trilling said. "That leads us to believe
that a lot of corporations updated their software right away."

E-mail screening service MessageLabs reported intercepting about 150
copies of Maldal.D by 11 a.m. Wednesday, placing the worm at the
bottom of the company's list of the Top 10 most active viruses.

Maldal.D spreads itself as a file attached to an e-mail with the
subject "ZaCker." The body of the message consists of one of several
dozen cryptic sentences, such as "nowadays, there is no womanhood!!  
:P"

If the file is opened, the activated worm attempts to delete files
associated with popular antivirus applications, including programs
from Symantec, McAfee and Zone Labs. The worm also deletes files with
common extensions such as .exe, .doc and .jpg, which could destroy
enough critical files to render an infected PC unstable or unusable.

The worm spreads itself by e-mailing copies of itself to all addresses
in the infected PC's Microsoft Outlook address book.

Attacking security software is an old trick, Trilling said, noting
that the recent Goner worm employed similar tactics. Such efforts are
unlikely to work, however, if the security software is running as it's
supposed to.

"If the software is running all the time in the background, it can't
easily be deleted," Trilling said.

Business and home PC users were advised to download the latest updates
for antivirus software to catch Maldal.D and to reinstall security
software to PCs already infected.




----- End forwarded message -----

Mais detalhes sobre a lista de discussão SECURITY-L