Panda looks at Gagar, Mitglieder and RaHack.BB worm
Panda Software's weekly report on viruses and intruders looks at the Gagar CC and Mitglieder.LX Trojans, and the RaHack.BB worm.
Gagar CC is a Trojan that connects to a certain IP address and downloads another Trojan called Alanchum.MU. The latter, in turn, downloads the following malware onto the infected computer:
* Duel.A: This worm uses specific techniques in its code in order to hide while it is active.
* Nuwar.B: This Trojan spreads via email and downloads another Trojan, Gagar.CB, onto the infected computer.
* Spammer.ER: This is a Trojan that provides the email addresses to which to send Nuwar.B.
The second Trojan we are looking at this week is Mitglieder.LX. This malicious code downloads a file from several web pages and runs it on the computer. The downloaded file is a variant of the Bagle worm. It passes itself off as a crack (a tool for removing protection from original software) for a certain program.
RaHack.BB is a worm with no destructive effects. Its main purpose, as with all worms, is to spread to other computers. It can infiltrate computers which have the Radmin remote-administration application by exploiting weak passwords. Similarly, if the compromised computer is part of a network, RaHack.BB will try to access shared resources on the network and copy itself to them.
All users who want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free online solution available at www.pandasoftware.com/activescan. It lets users thoroughly scan their computers if they suspect they have been infected.
The Nuwar.B worm wishes you a Happy New Year…
Madrid, December 29, 2006 - PandaLabs has detected the presence of emails containing Nuwar.B, a new variant of the Nuwar family of worms. This malicious code uses the New Year as a ruse to infect computers. Oddly enough, however, it is not designed to cause an epidemic or damage computers, but to artificially drive up certain prices on the stock market.
Nuwar.B reaches computers in a message with the subject "Happy New Year!". The message body is blank, and the attached file, named postcard.exe, contains the worm. To gain credibility, the message spoofs the sender's address, pretending to come from various users.
If the target user runs the attached file, Nuwar.B copies itself to the system. However, instead of massively sending itself out like most email worms, it downloads a copy of the Spammer.EN Trojan to the computer. The Trojan then connects to certain email servers in order to send out spam to the addresses it finds on the affected system. This spam contains publicity trying to convince users to buy certain stocks to increase their price rapidly.
Everything seems to indicate that the creator(s) of Nuwar.B have sent out the worm as spam, manipulating certain email servers in an attempt to distribute it as quickly as possible. The proactive TruPrevent(TM) Technologies detected Nuwar.B without prior identification, so computers that have them installed have been protected from the outset.
According to Mikel Perez, Director of the Malware Detection Department of PandaLabs, "This is just another turn of the screw in the field of cyber-crime. In this case we see how an email worm, a type of threat clearly in decline as a result of the new financial motivation behind the actions of malware creators, is also being used to make money. Most probably this is a criminal that has bought stocks at a low price, and has endeavored to increase their price and obtain large benefits by spreading Nuwar.B."
Top Ten viruses most frequently detected by Panda ActiveScan in 2006
The absence of large-scale virus epidemics has, once again, been the most notable characteristic of the year. In fact, the list of frequently detected viruses during 2006 has varied little throughout the year. This does not mean, however, that there is a lower risk of infection. What is happening is that the attacks have become more silent and more specific, as they are increasingly motivated by financial gain rather than by simply attacking users' computers gratuitously. A report produced by PandaLabs in the third quarter of 2006 revealed that 72 percent of Internet threats were financially motivated (http://www.pandasoftware.com/about/press/viewnews?noticia=8071).
So, malware is just as prevalent as always, if not more so, and more pernicious, if that were possible, than before, as today's attackers are after your money. "Despite what people may think," explains Luis Corrons, director of PandaLabs, "the risk of virus infection is greater than ever. Firstly, due to the strategy of simultaneously distributing numerous variants of a malicious code, as was the case with Bagle or Gaobot, thereby increasing the chances of infection, and secondly, because the majority of attacks are now financially motivated, and are therefore more discreet."
As mentioned, the large-scale threats are disappearing, but there has still been a series of particularly virulent attacks which merit our close attention. With this in mind, Panda Software has published the Top Ten of the viruses most frequently detected in 2006.
In first place, for the second successive year, is Sdbot.ftp. This malware first appeared in 2004 and six months later occupied first place in our Top Ten ranking. Since then it hasn't budged. The severity of this worm is classified as "medium", and there have been several variants, all with the same modus operandi: attacking random IP addresses, exploiting system vulnerabilities and downloading copies of the worm via FTP. In 2006, Sdbot.ftp was responsible for 2.62 percent of all infections.
Another veteran in the ranking of viruses detected by ActiveScan, which came second overall in 2006, is Netsky.P. This worm, detected in 1.22 percent of positive cases, first appeared in 2004 and spreads via email and P2P file-sharing applications. Interestingly, this worm exploits the Exploit/iframe vulnerability in Internet Explorer, for which a fix has been available for some time now. In third place this year is Exploit/Metafile. Responsible for just over 1 percent of infections, this malicious code is designed to exploit a critical vulnerability in the GDI32.DLL library in Windows 2003/XP/2000. If a computer is vulnerable, Exploit/Metafile allows code to be executed, which can then be used, for example, to download and run spyware.
Tearec.A is in fourth place. This worm, which spreads via email and computer networks, can disable and terminate certain antivirus programs. Fifth place is occupied by the Qhost.gen Trojan, which was found to be the culprit in 0.76 percent of infected computers. The remaining places in the ranking are occupied by Torpig.A, a Trojan that steals passwords saved by certain Windows services; Sober.AH.worm!CME-681, a worm that terminates several processes, including some belonging to security tools; Parite.B, a virus that infects PE files with EXE or SCR extensions; Gaobot.gen, a generic detection for the Gaobot family of worms, which exploit software vulnerabilities; and Bagle.pwdzip, a detection of the notorious Bagle family.
Virus               % of infections
W32/Sdbot.ftp       2.62
W32/Netsky.P        1.22
Exploit/Metafile    1.08
W32/Tearec.A        0.79
Trj/Qhost.gen       0.76
Trj/Torpig.A        0.69
W32/Sober.AH        0.67
W32/Parite.B        0.62
W32/Gaobot.gen      0.55
W32/Bagle.pwdzip    0.54
Other conclusions that can be drawn from this year's ranking include:
- The continuing threat of financial fraud: Sdbot holds, for the second year running, first place in our Top Ten. This is a typical bot/worm designed to exploit system vulnerabilities for financial gain, highlighting the growth of this type of attack. Similarly, threats like Exploit/Metafile or Torpig.A, which are also high up the list, demonstrate this increasingly prevalent trend.
- Variations of worms: Hackers are now tending to launch different variants of the same type of malware in a very short period of time in order to increase the probability of computers being infected. This is the case with Qhost, Gaobot or Bagle. Sdbot, the first in the ranking, has also undergone significant variations over recent months.
- Infections: In 2005, the first nine threats on the list were all responsible for more than 1 percent of infections, while in 2006, only the first three reached that percentage. This should not be understood as an indication that there is less malware; on the contrary, it suggests that there is actually more malware in circulation.
All users who want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free online solution available at www.pandasoftware.com/activescan. It lets users thoroughly scan their computers if they suspect they have been infected.
More information about these and other threats is available in Panda Software's Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/
Panda ClientShield with TruPrevent(TM) Technologies obtains ICSA Labs anti-spyware certification
MADRID, December 26, 2006
Panda ClientShield with TruPrevent(TM) Technologies, Panda's security solution designed to protect workstations from Internet threats, has obtained certification by ICSA Labs, an independent division of Cybertrust, in the Anti-Spyware for Windows XP Professional category.
The test conducted by ICSA Labs provides a dual-perspective analysis. On one hand, it focuses on the capacity to block spyware from entering the computer and, on the other, it examines the detection of this type of software once it has been installed. Subjected to different tests during the analysis, Panda ClientShield with TruPrevent(TM) Technologies passed 100% of the test attacks, thereby obtaining the above-mentioned certification.
ICSA Labs certifications formally acknowledge the effectiveness of the software analyzed against Internet risks and threats, in addition to its user protection capacity. Therefore, the Panda Software product certified by these laboratories is guaranteed to protect against spyware both before and after it has installed on a computer.
Spyware detection, the category in which Panda ClientShield with TruPrevent(TM) Technologies has obtained certification, is becoming increasingly important because this type of malicious software is one of the greatest risks posed by the Internet. Spyware programs gather data about the affected user's web surfing habits and preferences.
Panda ClientShield with TruPrevent(TM) Technologies is aimed at workstations in corporate environments. With its low resource consumption and high performance, this security software protects against viruses, worms, Trojans and all kinds of malware, in addition to filtering spam and blocking the use of spyware, dialers and other tools normally used by hackers. Administration is simple and fast thanks to the solution's integration in the AdminSecure console, which considerably reduces update time and, therefore, the risk of corporate computers becoming infected.
Panda ClientShield includes TruPrevent(TM) Technologies. These technologies, developed by Panda Software, block all types of attacks from unknown viruses and intruders, even when the antivirus hasn't yet been updated.
This certification of Panda ClientShield comes in addition to those received by other products, both corporate and consumer, with respect to detection of viruses and Trojans. In fact, prior to this, Panda ClientShield with TruPrevent(TM) Technologies had already obtained certification in the Client/Server Antivirus for Windows XP Professional and Windows 2003 category. For more information on the characteristics, certifications and awards given to this product, please visit the following website:
http://www.pandasoftware.com/products/clientshield.
New Spyware Warning
PandaLabs has reported the appearance of a new spyware program:
- Appeared: 12/21/2006
- Name of the new program: Adware/MalwareAlarm (Alias: Win32/Adware.SpySheriff)
- Type: Spyware; Subtype: Adware
- Means of propagation: Download from malicious web pages.
- Distribution: Low.
- Effects: Informs users of the existence of false (non-existent) threats on their computers. This is a strategy to get users to buy a security application that supposedly eliminates these non-existent threats.
- Other features: The spyware goes resident in the computer and, from time to time, shows an on-screen message informing the user that the system is infected and needs disinfecting.
- Detected by Panda Software solutions: Yes, by the signature file dated 12/21/06
Panda Software will publish updated information about this threat in the Virus Encyclopedia at http://www.pandasoftware.com/com/virus_info/encyclopedia/
Always use effective security solutions to combat spyware. Panda Software products incorporate one of the best anti-spyware technologies on the market, as acknowledged by such prestigious publications as PC World USA or PC Magazine. Also, Panda Software solutions that incorporate the TruPrevent(TM) proactive protection technologies can detect unknown spyware through behavioral analysis, with no need for updates. More information about Panda Software's anti-spyware technologies is available at http://www.pandasoftware.com
Panda Software presents awards to top viruses of 2006
Once again, Panda Software has published its annual list of malicious codes. Happily there were no Code Reds in the bunch. None of them were severe enough to have caused any serious epidemics. But without further ado, here are this year's 'winners':
* The most moralistic — This award goes to the spyware Zcodec which, among other actions, monitors whether users access certain web pages with pornographic content. This may simply be a way of determining whether the user is a frequent visitor to these types of pages in order to send personalized advertising. On the other hand, perhaps the author of this spyware just has voyeuristic tendencies.
* The worst job applicant — The Eliles.A worm sends out CVs all over the place. It even sends them out to users' cell phones. It would seem that it has little confidence in its own job prospects.
* The most sensationalist — Sensational headlines have always made an impact; now they are even being used by viruses. Of all those that appeared in 2006, Nuwar.A wins hands down with its declaration of the start of the Third World War.
* The most tenacious — They say that all good things come to an end. It's a shame that the creators of the Spamta worms haven't heard the saying. Otherwise, they might have stopped sending wave after wave of almost identical variants of this malicious code.
* The most competitive — Once the Popuper spyware has installed itself on a computer, it runs a pirated version of a well-known antivirus application. Far from trying to do the user a favor, it is actually trying to eliminate any possible rival from the computer. It seems that the fight for supremacy has also reached the world of Internet threats.
* The most diligent — In general, phishing messages are aimed at gathering confidential information such as credit card numbers or account access details in order to steal money. However, this isn't the case with BarcPhish.HTML, which goes much further, collecting information including expiry dates, CVVs (Card Verification Values), last names, membership numbers, five-digit codes, account numbers, etc. No doubt the creator was thinking "better too much than too little."
* The biggest snooper — In this case, it was not a difficult choice. WebMic.A is a malicious code that can record sounds and images using a microphone and webcam connected to the computer. Of course this is not the sort of uninvited guest you would like to have on your PC.
* The most mischievous — Nedro.B is a worm that seems to get bored after it has infected a computer. Perhaps that's why it decides to change icons, prevent access to tools, hide file extensions, delete options from the Start menu… and basically cause chaos. Maybe this seems entertaining to someone, but it certainly isn't for the users.
* The most chaste — Malicious codes that spread across P2P networks use enticing filenames in order to get users to download them voluntarily onto their computers. For this reason, many of these names have pornographic connotations. However, among the more than 37,000 different names used by FormShared.A, none of them make any reference to sex. That's some kind of record.
* The most archaic — Seemingly there are still some retro virus creators around. Whoever created the DarkFloppy.A worm appears not to have heard of e-mail, instant messaging or P2P systems, as the propagation method they've chosen to spread this malicious code is — floppy disks.
* The most promiscuous — This title goes without a doubt to Gatt.A. This malicious code can infect any platform that it is run on: Windows, Linux, etc.
* The most deceitful — SafetyBar supposedly offers security information and anti-spyware downloads. However, the problem is that once downloaded, these programs then warn the user that the computer is infected by non-existent threats.
Panda Software advises users to ensure they have reliable anti-virus software installed and kept up-to-date daily.
Panda Internet Security 2007 receives 5 stars and the Recommended Product seal from PC World
The new solution from Panda Software, Panda Internet Security 2007, has been given a five-star rating by the Spanish edition of PC World magazine. The publication also awarded the product its "Recommended Product" seal of approval. The magazine highlighted how "Panda engineers have made a huge effort in terms of process automation and ease of use."
The article describes the Panda Internet Security 2007 interface as easy to use and intuitive. "We discovered that the virus detection tools are both rapid and intuitive. It is easy to understand both the mechanism and structure of its interface for detecting and eliminating malicious programs." The magazine also highlighted the importance of updates against the propagation of new malicious code. "Panda offers daily updates which can be downloaded from the Web or directly from the application."
"We also saw that the level of precision of its antispyware has been enhanced, as has the solution's personal firewall," explains the magazine. "From this tool, port management can be configured simply and clearly to provide secure Internet use and prevent intrusions."
The article underlines the importance of the anti-phishing features, i.e., the protection of personal data. "What most concerns Panda when it comes to making computers secure is protecting, to the highest level, users' personal data. To achieve this they have developed a complete tool focused exclusively on this function and which is included in the suite. Panda Identity Protect is a technology designed to counter personal data theft, which is one of the main fears of users when making Internet transactions."
Panda Internet Security 2007 is a complete security suite for protecting computers against all Internet threats. It not only incorporates technologies to combat all types of viruses and spyware, but also includes anti-spam, anti-phishing, parental control, firewall and specific technology to prevent online identity theft: Identity Protect. This technology is especially designed to prevent personal and confidential data theft, giving users maximum security in Internet transactions.
The new security suite from Panda Software combines and integrates both proactive and reactive technologies, and includes the award-winning TruPrevent(TM) Technologies, which act automatically against new, previously unknown threats, blocking them without the need for user intervention. Panda Internet Security 2007 has also been designed especially to avoid impact on the normal operation of the computer. It is not only optimized to reduce system resource consumption, but also to adapt to the characteristics of the PC on which it is installed and to the specific security requirements of the user.
Panda Internet Security 2007 has already received certification from the most widely respected organizations in the sector, such as ICSA Labs or West Coast Labs.
More information about Panda Internet Security 2007 is available at http://www.pandasoftware.com/products/antivirus2007.htm.
About Panda Software
Make sure your computer is free from viruses, spyware and other Internet threats using the free online solution Panda ActiveScan at http://www.activescan.com/.
Panda Software (www.pandasoftware.com) is a leading developer and provider of integrated security solutions to combat viruses, hackers, Trojans, spyware, phishing, spam and other Internet-borne threats. With the revolutionary TruPrevent(TM) Technologies, Panda Software's innovative solutions offer a greater return on investment, keeping clients protected even against new threats that have yet to be identified. PandaLabs, the fastest laboratory in the industry to provide complete updates to users, offers a worldwide response to malware 24 hours a day, 7 days a week, all year round.
Panda Software's centrally-managed security solutions protect servers, gateways and all network entry points, ensuring a straightforward and highly effective line of defense against Internet threats for large organizations, SMBs and consumers. Panda solutions are backed by a team of expert support technicians in all countries where the company is present. Tech support services are available 24 hours a day, seven days a week.
For more information and evaluation versions of all Panda Software solutions, visit our website at: http://www.pandasoftware.com/
For more information:
Yolanda Ruiz
communication@pandasoftware.com
Tel. +34 91 806 37 00
Panda Software Announces the Compatibility of Its Products With Windows Vista
GLENDALE, Calif., Dec. 14 /PRNewswire/ — Panda Software has announced the compatibility of its product line with the new Microsoft Windows Vista operating system. It has launched the “Windows Vista Information Center” where users will find information about the compatibility of Panda Software products with the new operating system.
New users will be able to download beta versions and final versions of Panda Software products that support Windows Vista. Existing users of Panda Software’s 2007 consumer line will automatically get the new versions compatible with Windows Vista for free as soon as the final release versions are available.
Currently, users can download Windows Vista-compatible beta versions of Panda Antivirus 2007, the fast and light antivirus for home users, and Panda ClientShield, Panda Software’s solution for protecting corporate workstations.
Panda Antivirus 2007 is the lightest antivirus in Panda Software’s consumer product line. This new easy-to-use solution offers complete protection against known and unknown Internet threats, with a minimal use of system resources. The new Panda Antivirus 2007 is aimed at home-users whose use of the Internet does not require a complete security suite. It has been designed to install and forget, protecting the system automatically from the moment it is installed.
Panda ClientShield with TruPrevent(TM) Technologies is a global protection solution for workstations in corporate environments. A high-performance, low-consumption solution, it protects against viruses, worms, Trojans and all types of malware. It can also filter spam and block the use of spyware, dialers and other hacking tools. Administration is quick and simple due to the integration with the AdminSecure console, considerably reducing update time and therefore the risk of infection for corporate workstations. It also includes TruPrevent(TM) Technologies to protect workstations from unknown viruses and threats.
About Panda Software, USA
Panda Software (www.pandasoftware.com) is a world-class developer and provider of integrated security solutions designed to neutralize viruses, hackers, Trojans, spyware, phishing, spam and other pervasive Internet threats. With Panda Software’s revolutionary TruPrevent(TM) Technologies, the company’s innovative products are on the leading-edge of intelligent security solutions, ensuring clients are protected even against new threats that have yet to be identified. PandaLabs, the most rapid response laboratory in the industry, delivers comprehensive updates to users, providing a worldwide response to malware 24 hours a day, 7 days a week, all year round.
For further information, please visit www.pandasoftware.com.
Increasing corporate damage caused by theft of confidential data and attacks from inside the network
According to Deloitte's 2006 Global Security Survey, 49 percent of companies suffered some type of security problem in 2005. Of these, 31 percent were affected by malicious code. The most significant finding, however, is that 28 percent witnessed attempted attacks from inside the network, and 18 percent had data stolen, also from inside the network.
The solution to this problem is to install perimeter security devices, such as the Panda GateDefender range of appliances, which protect against unauthorized access from outside the network and also prevent sensitive information from being sent out of the company, whether intentionally or accidentally.
Panda Software perimeter security solutions include content filter modules with a series of functions and benefits including controlling information that leaves the network:
- Protection of the most commonly used protocols in order to filter outbound information in e-mail and news (SMTP, IMAP4, POP3, NNTP) and file transfers (FTP/HTTP).
- Filtering by predefined keywords (for example: results, balance, etc.) in the subject, name or text of an email, in nested messages and/or in attachments.
- Filtering by number of recipients. The maximum number of recipients can be defined for inbound, outbound, or inbound and outbound mail.
- The option to block outbound messages and/or compressed files that are encrypted or password protected.
A series of content filtering rules:
- By file type or extension, e.g., spreadsheets or encrypted compressed files.
- By size, e.g., preventing files over a certain size from leaving.
- Compressed files: attachments over a certain size or with a large number of files.
- Dangerous MIME types, defined in a list of importable and exportable files.
- Files whose MIME type does not match their extension.
- ActiveX controls and applets.
- Whitelists and blacklists for controlling senders and domains.
Actions on items filtered with the content filter:
Actions referring to messages and their attachments:
- Delete the message and/or attachment.
- Redirect or move the message. The message is forwarded to a mailbox defined by the user.
- Just report, allowing the message to reach the recipient.
Actions referring to HTTP and FTP file transfers:
- Block the file transfer or delete the filtered file.
- Just report, allowing the file to be transferred.
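The content-filter rule families and actions listed above, as an added example that is not Panda GateDefender code: a small Python policy evaluator that applies the keyword, recipient-count, extension, size, dangerous-MIME, MIME/extension-mismatch and encrypted-archive checks to a constructed outbound message and maps any hits to the delete / redirect / report actions. The policy values, quarantine mailbox, extension table, magic-byte list and sample messages are all assumptions constructed for this example.

```python
"""Outbound-mail content filter modelled on the rule families in the text.
Added example; not Panda GateDefender code. All names, thresholds and
sample messages are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Attachment:
    filename: str
    declared_mime: str      # Content-Type the sender declared for the part
    content: bytes = b""


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


# Constructed policy: one setting per rule family named in the text.
POLICY = {
    "keywords": ["results", "balance"],          # subject, body, attachment names
    "max_recipients": 20,
    "blocked_extensions": {".xls", ".xlsx"},     # e.g. spreadsheets
    "max_attachment_bytes": 5 * 1024 * 1024,
    "dangerous_mime": {"application/x-msdownload", "application/x-sh"},
    "block_encrypted_archives": True,
    "action": "redirect",                        # delete | redirect | report
    "quarantine_mailbox": "quarantine@example.invalid",   # assumed mailbox
}

# Small extension table and magic-byte sniffer for the MIME/extension check (constructed).
EXT_MIME = {".txt": "text/plain", ".pdf": "application/pdf", ".zip": "application/zip",
            ".xls": "application/vnd.ms-excel", ".exe": "application/x-msdownload"}
MAGIC = [(b"%PDF", "application/pdf"), (b"PK\x03\x04", "application/zip"),
         (b"MZ", "application/x-msdownload")]


def sniff_mime(data: bytes):
    """Guess a type from leading bytes; None when no signature matches."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return None


def extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_encrypted_zip(data: bytes) -> bool:
    """ZIP local file header: signature PK\\x03\\x04, then the 2-byte general
    purpose bit flag at offset 6; bit 0 set means the entry is encrypted."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    return bool(int.from_bytes(data[6:8], "little") & 0x0001)


def mime_mismatch(att: Attachment) -> bool:
    """True when the declared type disagrees with the extension, or the bytes
    disagree with the declared type (a .pdf that is really a PE file, etc.)."""
    expected = EXT_MIME.get(extension(att.filename))
    sniffed = sniff_mime(att.content)
    return ((expected is not None and expected != att.declared_mime)
            or (sniffed is not None and sniffed != att.declared_mime))


def evaluate(msg: Message, policy=POLICY) -> list:
    """Return the list of rule hits; an empty list means the message passes."""
    hits = []
    if len(msg.recipients) > policy["max_recipients"]:
        hits.append(f"recipients:{len(msg.recipients)}")
    text = [msg.subject, msg.body] + [a.filename for a in msg.attachments]
    hits += [f"keyword:{k}" for k in policy["keywords"]
             if any(k.lower() in t.lower() for t in text)]
    for a in msg.attachments:
        if extension(a.filename) in policy["blocked_extensions"]:
            hits.append(f"extension:{a.filename}")
        if len(a.content) > policy["max_attachment_bytes"]:
            hits.append(f"size:{a.filename}")
        if a.declared_mime in policy["dangerous_mime"]:
            hits.append(f"dangerous-mime:{a.filename}")
        if mime_mismatch(a):
            hits.append(f"mime-mismatch:{a.filename}")
        if policy["block_encrypted_archives"] and is_encrypted_zip(a.content):
            hits.append(f"encrypted-archive:{a.filename}")
    return hits


def apply_action(msg: Message, hits: list, policy=POLICY):
    """Map hits to the three actions the text lists. Returns (disposition, delivered_to)."""
    if not hits:
        return "deliver", list(msg.recipients)
    if policy["action"] == "delete":
        return "delete", []
    if policy["action"] == "redirect":
        return "redirect", [policy["quarantine_mailbox"]]
    return "report", list(msg.recipients)    # report only: mail still reaches recipients


# Constructed sample: a spreadsheet declared as text/plain plus a password-protected ZIP.
ENC_ZIP = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22       # flag bit 0 set, header only
SAMPLE = Message("alice@corp.example", ["bob@partner.example"], "Q4 balance sheet",
                 "see attached",
                 [Attachment("balance.xls", "text/plain", b"\xd0\xcf\x11\xe0" + b"\x00" * 16),
                  Attachment("archive.zip", "application/zip", ENC_ZIP)])

if __name__ == "__main__":
    found = evaluate(SAMPLE)
    print(found, apply_action(SAMPLE, found))
```

The encrypted-archive check reads only the first local file header; a gateway filter would walk every entry of the archive and any archive nested inside it, since an encrypted member further in would otherwise pass. The mismatch check deliberately compares three things (extension, declared Content-Type, leading bytes) because the sender controls the first two.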
Panda Software offers the following perimeter security solutions with the content filter to adapt to the needs of all companies.
Panda GateDefender Performa is a highly scalable appliance that combines high-performance hardware and software to provide maximum protection at the Internet gateway, blocking malware, spam and inappropriate content before they can even enter the enterprise. Its "connect and forget" simplicity and complete, constantly updated protection make Panda GateDefender Performa a powerful solution with a low total cost of ownership. With a range of three models and native load balancing, this solution adapts to the needs of any company, from SMBs to large enterprises or ISPs.
Panda GateDefender Integra is a hardware device installed between the corporate network and the Internet providing centralized preventive perimeter protection against all types of both known and unknown Internet-borne threats through a wide range of functions: Firewall, VPN, Intrusion Prevention System (IPS), anti-malware protection, content filtering, anti-spam protection and web filtering in a single device, which the administrator can enable, disable and configure through an easily managed, remote-access web console. Once installed, it requires minimum maintenance and simply involves extracting automatic reports on system activity.
More information about Panda GateDefender is available here.
For more information:
Yolanda Ruiz Hervas
communication@pandasoftware.com
+34 91 806 37 00