Slashdot Mirror


LovSan Clone Let Loose

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."

8 of 631 comments

  1. Already slow as hell, so just in case... by Anonymous Coward · Score: 3, Informative

    Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovesan worm (also known as "Blaster").

    Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs. "Taking into consideration that the number of infected systems is now reaching 300,000, the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst-case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web, just as happened in January 2003 due to the "Slammer" worm.

    Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.

    Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.

  2. Blaster.B and Blaster.C by SimplexO · Score: 4, Informative

    This post is about what Symantec calls W32.Blaster.C.Worm. Don't forget that there is also a W32.Blaster.B.Worm.

    B:
    Adds the value: "windows auto update"="penis32.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.

    C:
    Adds the value: "Microsoft Inet Xp.."="teekids.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.

    The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.

  3. MS Releases Network Scanning Tool by MacrosTheBlack · Score: 5, Informative

    Microsoft have released a tool to scan your local network (or the whole net if you really wanted to).
    Download
    Network admins have fun.

  4. Re:Ugh, lazy patchings by wfberg · Score: 4, Informative

    Today I noticed that every morning our couple of XP computers at work send out a few UPnP related packets to 239.255.255.250:1900. They're going beyond our LAN and out through our gateway to the internet. It's probably not worth the effort to investigate further and correct, but it bugs me a little.

    Your network is misconfigured. 239.255.0.0/16 is a local scope multicast address. (RFC 2365) The message sent is to let other UPnP devices know your computer is there.

    --
    SCO employee? Check out the bounty
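    An added example, not code from either poster: a Python check that classifies the destination of each outbound packet by IPv4 multicast scope (the RFC 2365 administratively scoped block 239.0.0.0/8, its local-scope sub-range 239.255.0.0/16, and the link-local block 224.0.0.0/24) and reports any such packet seen on the WAN-side interface, which is exactly the SSDP traffic described above. It goes slightly beyond the post by also catching link-local multicast such as mDNS. The log lines and interface names are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# RFC 2365: 239.0.0.0/8 is the administratively scoped block; 239.255.0.0/16 is
# the IPv4 Local Scope inside it. 224.0.0.0/24 is link-local and never routed.
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")
LOCAL_SCOPE = ipaddress.ip_network("239.255.0.0/16")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")

# Scopes that must not cross an administrative boundary such as a site gateway.
NON_ROUTABLE_SCOPES = {"link-local", "local-scope", "admin-scoped"}


def multicast_scope(dst: str) -> str:
    """Name the scope a destination address falls in."""
    ip = ipaddress.ip_address(dst)
    if not ip.is_multicast:
        return "unicast"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in LOCAL_SCOPE:
        return "local-scope"
    if ip in ADMIN_SCOPED:
        return "admin-scoped"
    return "global-multicast"


# Constructed gateway log in a minimal "iface src -> dst:port" form; not a real capture.
SAMPLE_LOG = """\
wan0 192.168.1.23 -> 239.255.255.250:1900
lan0 192.168.1.23 -> 239.255.255.250:1900
wan0 192.168.1.40 -> 224.0.0.251:5353
wan0 192.168.1.23 -> 198.51.100.7:443
"""


def egress_multicast_leaks(log: str, wan_iface: str = "wan0") -> List[Tuple[str, str, int, str]]:
    """Packets on the WAN interface whose destination is scoped multicast: (src, dst, port, scope)."""
    leaks = []
    for line in log.splitlines():
        if not line.strip():
            continue
        iface, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        scope = multicast_scope(dst)
        if iface == wan_iface and scope in NON_ROUTABLE_SCOPES:
            leaks.append((src, dst, int(port), scope))
    return leaks


if __name__ == "__main__":
    for src, dst, port, scope in egress_multicast_leaks(SAMPLE_LOG):
        print(f"{scope} multicast leaving on wan0: {src} -> {dst}:{port}")
```

    The same lines on lan0 are normal; the finding is the copy on wan0. The fix matching the reply above is an egress filter on the gateway that drops 239.0.0.0/8 (and multicast generally, if nothing legitimate uses it across the boundary), which is what RFC 2365 expects of a boundary router, and that filter is what you verify by re-running this check afterwards.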

  5. Re:It's a little fishy by heli0 · Score: 4, Informative

    The same warning about the new clone has been released by dozens of other groups including...

    http://www.f-secure.com/v-descs/msblast.shtml

    http://securityresponse.symantec.com/

    http://us.mcafee.com/virusInfo/default.asp

    --
    Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...

  6. Re: Cloning.. by Satan's+Librarian · Score: 5, Informative

    Uhm - they've been doing that for years. Early types were called polymorphism, an idea pioneered by the 'Dark Avenger'. Search for "MtE Dark Avenger" on the net. Old stuff.

    Basically, the concept is that an encryptor is built up in memory randomly, while the inverted code (e.g. add vs. sub, rol vs. ror) is built up in reverse. The virus is encrypted with the encryptor, and the decryptor is prepended.

    There were a ton of them in the early 90's. There are polymorphic Word viruses that use different techniques - running their script through a randomizer for variable names and such. Some viruses have also mutated their own opcodes as you suggest, although it's less common - but it's been done.

    Detecting such viruses is challenging, but usually there are static bytes with known (although possibly variable) distances between them. One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus, or just blast any existing crypto around the body and look to see what's there. If the virus just flips between equivalent opcodes, then just scan with a regular expression that includes each equivalent as an alternative. Another method is analysing the opcodes - if an exe's entry point is at the end of the file where you have a 1k decryptor right before 2k of garbage, and all the decryptor's opcodes fall within what one virus can produce, chances are....

    There are a lot more complex and hybrid techniques for it - those are just a few that can be described quickly.

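    An added example, not code from this poster: a small signature compiler in Python for the two detection ideas in the comment above, static bytes at variable distances and a regular expression that lists equivalent opcodes as alternatives. A signature is written as hex bytes with `??` wildcards, `[lo-hi]` gaps of unknown length, and `( A | B )` alternatives, and is compiled into a bytes regex. The two "variant" byte strings below are constructed decryptor-loop fragments built from standard x86 encodings (`05`/`2D` = add/sub eax,imm32; `C1 C0`/`C1 C8` = rol/ror eax,imm8; `31 06` = xor [esi],eax) and are not taken from any real sample; the signature, names and layout are all assumptions for the example.

```python
import re
from typing import Optional, Pattern

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def compile_signature(sig: str) -> Pattern[bytes]:
    """Compile a space-separated signature into a bytes regex.

    Tokens: 'B8' literal byte, '??' any byte, '[2-6]' two to six unknown bytes,
    '(' 'A' '|' 'B' ')' alternatives (each bracket and bar is its own token).
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok == "(":
            parts.append(b"(?:")
        elif tok == "|":
            parts.append(b"|")
        elif tok == ")":
            parts.append(b")")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        elif HEX_BYTE.fullmatch(tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad signature token {tok!r}")
    # DOTALL so '.' also matches 0x0A; the input is binary, not text.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signature: Pattern[bytes]) -> Optional[int]:
    """Offset of the first match, or None."""
    m = signature.search(data)
    return m.start() if m else None


# Assumed signature for the constructed loop: load key, 0-8 bytes of junk, rotate
# (rol or ror), add or subtract a constant, xor it into [esi], advance, loop.
DECRYPTOR_SIG = compile_signature(
    "B8 ?? ?? ?? ?? [0-8] C1 ( C0 | C8 ) 07 ( 05 | 2D ) ?? ?? ?? ?? 31 06 83 C6 04 E2 ??"
)

PREFIX = b"\x00" * 16   # constructed filler so the match offset is not zero

# Variant A: three NOPs of junk, rol, add.
VARIANT_A = PREFIX + (
    b"\xb8\x11\x22\x33\x44" + b"\x90" * 3
    + b"\xc1\xc0\x07" + b"\x05\xaa\xbb\xcc\xdd"
    + b"\x31\x06\x83\xc6\x04\xe2\xf2"
)
# Variant B: six NOPs of junk, ror, sub (the "inverted" choices the post describes).
VARIANT_B = PREFIX + (
    b"\xb8\x99\x88\x77\x66" + b"\x90" * 6
    + b"\xc1\xc8\x07" + b"\x2d\x01\x02\x03\x04"
    + b"\x31\x06\x83\xc6\x04\xe2\xef"
)
# Benign: an ordinary function prologue that also happens to contain a mov eax,imm32.
BENIGN = PREFIX + b"\x55\x8b\xec\x83\xec\x10\xb8\x01\x00\x00\x00\x5d\xc3"


if __name__ == "__main__":
    for name, blob in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        print(name, scan(blob, DECRYPTOR_SIG))
```

    The gap token is what absorbs the random filler between the fixed bytes, and the alternative groups are the "equivalent opcode" rule from the post; widening either one reduces false negatives at the cost of false positives, which is why such signatures are normally paired with a second check such as the entry-point heuristic the post mentions.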
  7. MSBlast attacks Friday MORNING by seattlenerd · Score: 3, Informative

    Just in case others got misled by the general press reports: The MSBlast (and its two known variants) worm attack against WindowsUpdate.com will really start at 4 a.m. Pacific Friday (Redmond time). As noted in this News.com piece the widely-reported "midnight" is really "when a PC clock shows midnight" -- whenever Friday becomes Saturday, starting across the International Date Line in Anadyr, Russia. Set your TiVos accordingly, assuming you have power.

  8. Re: Cloning.. by Doomdark · Score: 5, Informative

    The French intelligence services work very closely with French businesses.

    And, to be fair, US intelligence services occasionally work closely with US corporations (there were some cases related to the airplane industry where the EU was investigating how a US company had found out what some European company was bidding).

    Point being that perspective certainly matters, like you say, but also that few government agencies, if any, are completely above using illegal and/or immoral practices to help "their" companies, anywhere in the world.

    Open democracies, and especially a free press, lessen the likelihood of such stunts (by retroactively uncovering them, usually leading to scandals... which act as a deterrent in the long run). Unfortunately those 'antidotes' are being threatened, especially in the US, by the latest legislation (from the "Patriot" act to the DMCA).

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes