Malware without borders


Monday, December 18, 2017

It’s common to hear people express the opinion that things where they live are bad, while people living elsewhere have it made. But what do unbiased statistics say about that? You probably know about the Dr.Web Anti-virus service (or perhaps you even use it). It’s been adopted by virtually all ISPs in Russia, and it’s quite popular in other countries too.

Providers use this service to deliver low-cost anti-virus protection to their subscribers on a subscription basis.

Dr.Web servers gather statistics about the malware that has attempted to infect service subscribers' machines. Here, for instance, is information from a single ISP from Spain:

  1. Trojan.Click.33849
  2. SCRIPT.Virus
  3. Trojan.PWS.Steam.10729
  4. Trojan.Proxy2.764
  5. Trojan.DnsChange.8206
  6. JS.DownLoader.1225
  7. W97M.Melissa
  8. Trojan.Starter.7394
  9. ACAD.Bursted.16
  10. Trojan.Siggen6.37501

W97M.Melissa occupies an honourable seventh place. Let's recall what this is about:

W97M.Zerg.A, W97M_ZERG.A, Virus.MSWord.Zerg, W97M/Zerg.A@mm, W97M/Melissa, W97M/Zerg.gen@MM, Virus:W97M/Melissa.AZ, W97M.Melissa.A, W97M/Bench.E@mm, W97M/Melissa.a@MM, W97M.Melissa.AK@mm, W97M/Melissa.AE@mm, W97M.Mellisa.NW, W97M/Melissa.i@MM, Virus.MSWord.Bench.e, W97M.MELISSA.J, W97M_PING.F, W97M.Melissa.O, W97M_MELISSA.O, W97M/Melissa.BP, VBS_GENERIC.009, W97M/Ping.C@mm, W97M/Melissa.k@MM, W97M/Ping.W@mm, W97M.Melissa.W, W97M/Zerg.A, W97M_MARKER.BD, Virus.MSWord.Ethan, W97M/Ping.T

The number of names is quite impressive. Did this malware appear in the news?

On Friday, March 26, a new malicious program was discovered on the Internet. Users in many countries experienced serious problems with their email because of the malware outbreak. This macro virus was dubbed Melissa. It was discovered in several popular newsgroups. The virus spreads through email messages that have malicious Microsoft Office 97 or Office 2000 documents attached to them.

Shortly after its discovery in Western Europe, Melissa emerged in America. The word "Melissa" and "Kwyjibo" (the author's alias) were discovered in the virus’s code.

On Saturday, March 27, the virus was spreading on an epidemic scale. The operation of mail servers belonging to several large companies was disrupted in many countries. It has already infected hundreds of thousands of computers.

Melissa's infection routine triggers an outburst of malicious messages. As a result, mail servers experience a spike in their workload, and message processing slows down significantly or, in some cases, temporarily stops.

On Sunday, March 28, for the first time in years, the FBI’s NIPC (National Infrastructure Protection Center) issued a public warning about the Melissa threat.

On Monday, March 29, the virus continued its rampage and, according to some researchers, reached Russia.

Some estimates indicate that the damage caused by Melissa runs into the billions of dollars.

A week after the outbreak began, New Jersey police and FBI agents determined that the virus was released into the wild from an AOL address belonging to 30-year-old David L. Smith.

On Saturday, the FBI issued a warning about a new virus spreading via email. On Friday, the virus had been sent in the guise of a prospective job applicant’s resume to human resource managers at a number of US corporations.

It operates similarly to ILOVEYOU. It is attached to emails in the guise of a document. Should a user try to open it, the malicious program is launched. It emails copies of itself to all the addresses in the user's address book and deletes all the numerous important files and directories on its list. To operate and perform its destructive tasks, the virus requires that Microsoft Outlook be present in the system.

Currently, anti-virus developers are cooperating with the FBI to create a program that will detect and delete the new virus. Users are recommended to refrain from opening messages with the subject "Resume Janet Simons", and disable the Executive Summary feature in Microsoft Outlook to make sure that attached files aren't previewed automatically.

Eighteen years have passed and the virus is still roaming in Spain.

#malware #email #worm #security_updates

The Anti-virus Times recommends

To reduce their operational costs, companies continue to use obsolete systems as long as they work. But there are consequences:

  1. Old computers are unreliable. Their outdated hardware can't run modern security software. And in the absence of timely updates, the machines become even more vulnerable.
  2. Older operating systems aren't secure either. Developers no longer maintain them, and security updates aren’t released for them. As a result, their vulnerabilities (discovered after support has been discontinued) remain permanently unpatched and can be exploited by anyone.
  3. Do you know that definitions for the earliest malicious programs are never removed from anti-virus databases? That's why Dr.Web still supports DOS and OS/2.

And let's get back to the first news post once again. How can a system be protected from threats of this kind?

If the system did get infected, ADinf and ADinf32 (beta) users will receive a danger warning because all current ADinf versions register changes in OLE2 instructions. If the virus has infected a computer, ADinf32, for instance, will warn the user that a virus may have infected NORMAL.DOT.

And, of course, a subsequent virus database update for the Dr.Web scanner has enabled it to detect Melissa as well as the Papa virus which operates similarly to Melissa but compromises Excel documents.
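The kind of change detection described above can be sketched as a baseline comparison. This is an added example, not ADinf or Dr.Web code: the function names and sample files are hypothetical, and the macro check is a byte-level heuristic rather than a full OLE2 parser.

```python
import hashlib
import tempfile
from pathlib import Path

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file signature
MACRO_STORAGE = "Macros".encode("utf-16-le")     # heuristic: Word's VBA storage name, UTF-16LE


def fingerprint(path):
    """Record what a later scan needs in order to notice a change."""
    data = Path(path).read_bytes()
    is_ole2 = data.startswith(OLE2_MAGIC)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "ole2": is_ole2,
        "macros": is_ole2 and MACRO_STORAGE in data,
    }


def snapshot(paths):
    return {str(p): fingerprint(p) for p in paths}


def compare(baseline, current):
    """Return (path, finding) pairs for every file that differs from the baseline."""
    findings = []
    for path, now in sorted(current.items()):
        before = baseline.get(path)
        if before is None:
            findings.append((path, "new file"))
        elif now["sha256"] != before["sha256"]:
            if now["macros"] and not before["macros"]:
                findings.append((path, "macro storage appeared"))
            else:
                findings.append((path, "content changed"))
    return findings


def demo():
    """Constructed sample: a macro-free template that later gains a macro storage."""
    with tempfile.TemporaryDirectory() as tmp:
        template = Path(tmp) / "NORMAL.DOT"
        report = Path(tmp) / "report.doc"
        template.write_bytes(OLE2_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"))
        report.write_bytes(OLE2_MAGIC + b"\x00" * 504 + b"constructed body")
        baseline = snapshot([template, report])
        template.write_bytes(template.read_bytes() + MACRO_STORAGE + "VBA".encode("utf-16-le"))
        return [(Path(p).name, f) for p, f in compare(baseline, snapshot([template, report]))]


if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken while the template is known to be clean and stored where a macro running in the user's session cannot rewrite it.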

That's nostalgia!
