
Attacking through the Web

Johannesburg, 05 Oct 2007

Web-based malware attacks continue to cause concern for computer users around the world, says Brett Myroff, CEO of Sophos distributor, Netxactics.

The top two threats, Mal/Iframe and ObfJS, accounted for over three-quarters of infected Web pages last month alone, he says.

"This week's roundup of low to medium prevalence threats includes the W32/Rbot-GUA worm, a backdoor worm that is spreading via network shares and chat programs."

It affects the Windows operating system, and has a number of side effects. These include turning off anti-virus applications, allowing others to access the computer, downloading code from the Internet, reducing system security, installing itself in the registry, and exploiting system or software vulnerabilities.

W32/Rbot-GUA exploits the following vulnerabilities:

* RPC-DCOM (MS04-012)
* ASN.1 (MS04-007)
* Symantec (SYM06-010)

When first run, W32/Rbot-GUA copies itself to <System>\dllcache\mravsc32.exe and registers a new system driver service named "Distributed Allocated Memory Unit", with a display name of "Distributed Allocated Memory Unit" and a start-up type of automatic, so that it is started automatically during system start-up.

Targeting Windows

The W32/Agobot-AIZ worm has also made an appearance and, similarly, affects Windows users. It installs itself in the registry and exploits system or software vulnerabilities.

W32/Agobot-AIZ attempts to spread via network shares and by exploiting common vulnerabilities, including PNP (MS05-039) and ASN.1 (MS04-007).

When first run, it copies itself to the Windows system folder, creating a number of registry entries to run W32/Agobot-AIZ on start-up.

W32/Looked-DV is a Windows executable virus and network worm spreading via network shares and infected files. Its side effects include turning off anti-virus applications, downloading code from the Internet, installing itself in the registry and leaving non-infected files on the computer.

The virus infects EXE files found on the infected computer and attempts to copy itself to remote network shares.

When first run, the virus copies itself to <Windows folder>\uninstall\rundl132.exe and creates a file <Windows folder>\RichDll.dll, which is also detected as W32/Looked-DV. This file attempts to download further malicious code.
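The persistence artefacts named above for W32/Rbot-GUA (the dllcache copy and the "Distributed Allocated Memory Unit" service) and W32/Looked-DV (the uninstall\rundl132.exe and RichDll.dll files) can be swept for on a Windows host with the script below. It is an added example, not code from the article or from Sophos, and it assumes that Sophos' "<System>" placeholder means the System32 folder and "<Windows folder>" means %SystemRoot%.

```powershell
# Added example: check a Windows host for the W32/Rbot-GUA and W32/Looked-DV
# persistence artefacts described in the roundup. Read-only; it changes nothing.
# Assumption: "<System>" = System32 folder, "<Windows folder>" = %SystemRoot%.
$system  = [Environment]::GetFolderPath('System')
$windows = $env:SystemRoot

$indicators = @(
    @{ Family = 'W32/Rbot-GUA';  Kind = 'File';    Value = Join-Path $system  'dllcache\mravsc32.exe' },
    @{ Family = 'W32/Rbot-GUA';  Kind = 'Service'; Value = 'Distributed Allocated Memory Unit' },
    @{ Family = 'W32/Looked-DV'; Kind = 'File';    Value = Join-Path $windows 'uninstall\rundl132.exe' },
    @{ Family = 'W32/Looked-DV'; Kind = 'File';    Value = Join-Path $windows 'RichDll.dll' }
)

function Test-Indicator {
    param([hashtable]$Ioc)
    switch ($Ioc.Kind) {
        'File' {
            # -LiteralPath stops any wildcard characters in the path being expanded.
            return Test-Path -LiteralPath $Ioc.Value -PathType Leaf
        }
        'Service' {
            # The worm registers the service under this name and the same display name,
            # so look for either: the service key in the registry, or a matching display name.
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Ioc.Value)"
            if (Test-Path -LiteralPath $key) { return $true }
            $svc = Get-Service | Where-Object { $_.DisplayName -eq $Ioc.Value }
            return [bool]$svc
        }
    }
    return $false
}

$findings = foreach ($ioc in $indicators) {
    [pscustomobject]@{
        Family  = $ioc.Family
        Kind    = $ioc.Kind
        Value   = $ioc.Value
        Present = Test-Indicator $ioc
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Present) {
    Write-Warning 'Indicator(s) present: isolate the host and run a full anti-virus scan.'
}
```

Run it from an elevated prompt so the service registry keys are readable; a match on any row is a reason to take the host off the network and scan it, not proof on its own, since a legitimate file could share a name.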

The W32/VanBot-M worm and Troj/Dorf-U Trojan have also been noted this week.

It's essential that companies and individuals alike protect their gateways and inboxes with a secure defence, and think before they open unsolicited e-mails.
