A Hungarian teenager has been sentenced today to two years' probation for writing the Magold virus. The virus writer said he just wanted to prove himself after failing four subjects in high school, reports the Hungarian daily Népszabadság.
This virus was fairly widespread in central Europe in the summer of 2003. The virus has various spreading mechanisms, one of which is sending itself in email attachments, claiming to be a screen saver showing pictures of the Hungarian porn star Maya Gold.
For more information, see the article in The Register.
I think we've seen more virus writers caught during 2004 than during the last five years combined.
A new arrest was announced today: the Finnish Central Criminal Police is pressing charges against a Finnish man in his twenties. The man, who lives in the city of Tampere, is accused of writing and distributing the VBS/Lasku virus at the end of January 2004.
VBS/Lasku is an unremarkable virus which keeps crashing when it tries to spread. The virus displays a quote taken from Tolkien's "Lord of The Rings" and deletes data.
VBS/Lasku tries to replicate by sending email messages written in Finnish - which is quite rare.
We are investigating a case called "RFI - Russian IIS Hacks?" by Sans.org.
Some of the files at the hacked sites have been modified - a trojan downloader known as Scob has been appended to the end of the files, causing Internet Explorer to execute it.
There are a number of other files, one of which is a new variant of Padodor.W.
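Because the modification described above consists of content appended after the end of otherwise legitimate pages, one simple integrity check a site operator can run is to look for anything that follows the closing HTML tag. The script below is an added example written for this post, not code from the original entry or from the investigation it describes; the sample pages are constructed, the "anything after `</html>`" heuristic is an assumption of this example rather than a published Scob signature, and a real deployment would compare against known-good file hashes as well.

```python
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample pages (not real infected files): one clean page and one
# with a script block appended after the closing </html> tag, mirroring the
# "appended to the end of the files" modification described in the post.
CLEAN_PAGE = "<html><body><p>Welcome</p></body></html>\n"
TAMPERED_PAGE = CLEAN_PAGE + "<script>/* appended content */</script>\n"


def trailing_payload(html: str) -> Optional[str]:
    """Return non-whitespace content found after the last </html> tag, else None.

    Heuristic (assumption of this example): a static page should end at </html>;
    anything after it is worth a human look.
    """
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return None  # no closing tag, so there is nothing to compare against
    tail = html[idx + len("</html>"):].strip()
    return tail or None


def scan_directory(root: Path, patterns=("*.htm", "*.html")) -> List[Tuple[Path, str]]:
    """Walk a web root and collect (path, appended content) for suspicious pages."""
    findings: List[Tuple[Path, str]] = []
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            tail = trailing_payload(text)
            if tail is not None:
                findings.append((path, tail))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Write the constructed pages to a temp web root, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(CLEAN_PAGE, encoding="utf-8")
        (root / "news.htm").write_text(TAMPERED_PAGE, encoding="utf-8")
        return [(p.name, tail) for p, tail in scan_directory(root)]


if __name__ == "__main__":
    for name, tail in demo():
        print(f"{name}: content after </html>: {tail!r}")
```

Run it against the real document root after a suspected compromise; any hit should be diffed against a clean backup before being cleaned up, since some legitimate tooling also writes trailing comments.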
We have received another new Korgo (aka Padobot) variant: Korgo.U. It is very similar to previous variants discovered during the last few days. Detection is already available.
According to The Register, the Beastie Boys CD called "To the Five Boroughs" installs software without the user's permission. If this is true, the software could be a trojan. We haven't seen a sample of the installer yet, so we cannot confirm.
According to another source, the NewScientist.com news service, the suspicions have been denied by the music company.
Five new Korgo/Padobot variants have appeared lately. At least two of them caused infections of numerous computers in several companies. These variants are Korgo.P and Korgo.Q. They have been detected since the 17th and 21st of June respectively. Three more Korgo/Padobot variants have also appeared since the 21st of June. These variants are detected as Worm.Win32.Padobot.i, Worm.Win32.Padobot.j and Worm.Win32.Padobot.k.
A new variant of Korgo has been found. While we have not received any direct reports of it from the field, an update 2004-06-17_03 with detection has been released earlier today.
Today we received another variant of Cabir through sample exchange from another vendor. It seems that the Cabir author has sent different versions of the worm to different AV vendors.
We have named this new variant Cabir.B, even though it may have been sent out before the sample that we call Cabir.A. Cabir.B seems to be functionally identical to Cabir.A except that it shows different text on activation.
We have tested the Cabir worms on all Symbian Series 60 devices that we have access to. It seems to be able to infect any Series 60 device we have tested it on, regardless of the manufacturer.
Neither of the variants has been found in the wild so far.
Cabir.A infection on a mobile phone will display the following screens.
Please note that the Caribe worm can reach only mobile phones that support Bluetooth, have Bluetooth switched on, and are in discoverable mode.
When the user clicks on caribe.sis in the phone's messaging inbox, the phone displays a warning dialog.
If the user clicks Yes, the phone asks the normal installation question.
If the user clicks Yes again, the Cabir worm activates and shows a dialog that contains the name the virus author wants to give to the worm, the author's initials and the group initials 29A.
Ten years ago to the day, we set up a new service on our web site. We decided it would be cool to have an online database of virus descriptions so that anybody could browse them over the internet. Back then, this was a brand new idea, and such a service did not exist anywhere. So we launched our Online Virus Description Database on the 13th of June, 1994.
It quickly became one of the most visited services on our site - and now, ten years later, it still is. Even the original address still works: http://www.datafellows.com/v-descs/ (although we've changed the company name from Data Fellows to F-Secure since)...
Back then, the web looked a bit different. Here's a screenshot of the service as it looked 10 years ago (screenshot from Lynx, the text-based browser):
Although this was the first ever online virus description database, offline versions had existed long before. Our original database was based on the descriptions written by Fridrik Skulason of F-PROT fame, starting somewhere around 1989 or 1990. Other products had virus descriptions too. The Dr. Solomon's Anti-Virus Toolkit product box even came with a separate book of descriptions, and some antivirus programs, such as Central Point Antivirus (CPAV), had a built-in hypertext database (some of you might remember that CPAV was the basis of Microsoft Antivirus v1.0, which was discontinued a few years later).
There was even a DOS-based shareware hypertext application called VSUM, made by Patricia Hoffman. Haven't seen that for a while, though.
Anyway, this is what the front page of our site looked like 10 years ago:
You can find more info on ancient web history from our Webtennial pages.
We got a new Sober variant this evening - Sober.H. This Sober is not a worm but a spamming trojan. Instead of spreading its code, Sober.H mass-mails political statements, apparently trying to affect the EU parliament elections which are currently underway in most European countries.
The Sober.H trojan is responsible for the spam that has flooded Germany and other European countries since yesterday.
A new variant of Zafi worm is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.B speaks more languages such as English, Italian, Spanish, Russian, Swedish etc.
Spying on on-line bank users is becoming popular. Recently the Padodor backdoor collected information about certain banks. The Montp trojan is even more powerful, using a large list of banks and utilizing stealth techniques.
Ok, the situation with Korgo is a bit confusing, so let me try to explain what's going on.
- Most variants of Korgo are spreading worldwide. The numbers are not big when compared to outbreaks like Sasser, but it's definitely out there.
- Korgo does include a backdoor.
- But Korgo does not include a keylogger, nor any code to steal banking info etc.
- It seems that the Hangup Team (the virus group behind the worm) is actively installing a backdoor with password-stealing capabilities, known as Padodor, on the infected computers. This is done via the backdoor left by Korgo.
- Padodor collects anything typed into any web form, and specifically logs bank logins for users of some international banks.
This gets pretty confusing, as "Padobot" (not Padodor) is one of the aliases of the Korgo worm.
So, not all machines infected by Korgo have the Padodor backdoor, and the Padodor backdoor can be found on machines which are not infected by Korgo. But they are both written by the same virus group.