Virus Incidents Indonesia 2003
December 26, 2003 (English Version)

Virus Storm in the New Year
In January 2003, Yaha.M and Klez.H closed out 2002 and became the unwanted New Year presents of 2003. Klez (especially Klez.H) has proven to be one of the longest-lasting viruses in history: it stayed in the Top 10 virus charts for more than a year. Klez.A first appeared in October 2001, and into 2003 its variant Klez.H consistently held the number one position on the monthly virus charts (MessageLabs, Sophos, Vaksin.com). January also registered the “celebrity” worm Lirva, which makes infected PCs open Avril Lavigne’s website automatically. The 2003 award for most successful refurbished worm goes to Explorezip.N: a worm that had been very popular about 3.5 years earlier (around June 1999) was recompressed with a different packer, so the existing signatures no longer matched it, and redistributed over the internet on January 8. Surprisingly, it went undetected by most antivirus products (with updates older than January 9, 2003), even those whose heuristic engines claim to detect the replication of complicated polymorphic viruses. The bad news is that Explorezip.N destroys all MS Office data “completely”, making it almost impossible to recover (like the Klez.E payload).
As if the “misery” were not enough, on January 27 a new generation of CodeRed-like worm appeared: Slammer, which attacks Microsoft SQL Server 2000. In Indonesia, three large web hosting companies connected to IDC were brought down by the denial of service caused by Slammer’s scanning traffic. The traffic generated by Slammer was so heavy that even a Cisco 3600 router (a mid-range router) could not handle it, and the only way to recover was to unplug the router and reconnect it only after Slammer had been cleaned from the infected servers. Another Slammer story comes from an ISP in Bandung: its dial-up customers suddenly broadcast huge quantities of packets and jammed the ISP’s bandwidth. In our records, Slammer scans UDP port 1434 (the SQL Server Resolution Service) in order to spread itself.
Opaserv.K, “BSA the Punisher”
After January’s storm, February was marked by the appearance of Opaserv.K, a variant of Opaserv that spreads “only” over the network (not by email), through open Windows file shares on both the internet and intranets. Opaserv.K carries an additional nasty payload that can destroy the infected computer’s hard drive right after showing a “fake” message from the BSA. It makes the user believe that the BSA (Business Software Alliance) is punishing them for software piracy by destroying their hard drive. Of course the BSA denied any involvement (see Image 1).
 Image 1
June brought Sobig.C, which made your printer work very hard on June 8 by printing reams of random characters. It was followed by “Bugbear Reloaded”, as Sophos described Bugbear.B, which in the first week of its appearance climbed straight to the top of the virus chart as the number one virus, pushing Sobig.C down to number two. Both the speed and the volume of Bugbear.B were categorized as huge: MessageLabs stopped it in about 95,000 emails, four times the roughly 25,000 emails in which it stopped the second-ranked Sobig.C.
New Icon in your Internet Explorer
In July 2003, Fortnight.D spread silently through Indonesia’s internet community. Vaksincom received many “suspected virus” questions that were confirmed to be Fortnight.D. If your IE toolbar gains “new” buttons such as “Antivirus”, “Entertainment”, “Security” and “Search” (Image 2), your PC is already infected with Fortnight.D.
 Image 2
Fortnight.D exploits the Microsoft Virtual Machine ActiveX component vulnerability, a component that should have been patched since October 2000 (Microsoft Security Bulletin MS00-075). But, as usual, because systems were left unpatched, every time a victim received an email containing Fortnight the script executed automatically as the HTML message was displayed, without a single click.
Disaster after CodeRed
On July 30, the patch for the RPC DCOM vulnerability (MS03-026) was already available and Vaksincom had issued a notification about the importance of this patch. But the majority of users “again” did not take proper action. On August 13, Blaster, the first worm to exploit the RPC DCOM vulnerability, appeared and spread at lightning speed. This “only” 6 KB worm spread very fast and effectively because of its small size and because more than 95% of Windows systems were unpatched. The next Blaster variant, MSBlast.D / Nachi, crippled most ISPs in Indonesia for months by consuming valuable bandwidth to spread itself. A few ISPs even took the brave decision to block any unpatched system, even if it belonged to their own customers.
Hard Day’s Night for Mail Servers
A week after the Blaster attack, internet users had no chance to catch their breath. On August 18 a new worm arrived. Where Blaster did its work by attacking the network infrastructure, with Windows 2000 and XP as the main targets (Windows NT and 2003 were not affected “too much” by Blaster), the new worm, Sobig.F, crippled mail servers and caused floods of spam. It reminded us of the deadly duo of 2001, CodeRed and Nimda. Also of note is Mimail, which carries its own SMTP engine to spread and always arrives with a single attachment, “MESSAGE.ZIP”, intended to fool corporate mail servers that block all executable attachments but allow compressed ones.
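The Mimail trick described above only works against a filter that judges attachments by their outer file name. The following Python script is an added example, not code from the original article or from Vaksincom: it opens a zip attachment in memory and blocks it when any member has an executable extension or starts with the MZ header of a Windows executable, whatever its name, descending one level into zip-in-zip and refusing encrypted or oversized archives it cannot inspect. The sample archives (including the FAKE_MZ stub and the member names) are constructed for the example and are not real Mimail bytes.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly; a filter that blocks these as bare
# attachments but waves through .zip is the gap the article describes.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".hta"}
MAX_MEMBERS = 200                   # refuse absurd archives instead of walking them
MAX_UNCOMPRESSED = 20 * 1024 * 1024  # declared total size we are willing to look at
MAX_DEPTH = 2                       # zip-in-zip is followed this many levels down


def inspect_zip_attachment(data, depth=0, prefix=""):
    """Return the list of reasons to block this archive; an empty list means clean."""
    label = prefix or "attachment"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: not a valid zip archive"]
    reasons = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return [f"{label}: too many members ({len(infos)})"]
        total = sum(i.file_size for i in infos)
        if total > MAX_UNCOMPRESSED:
            return [f"{label}: declared uncompressed size {total} exceeds limit"]
        for info in infos:
            if info.is_dir():
                continue
            name = f"{prefix}/{info.filename}" if prefix else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"{name}: executable extension {ext}")
            if info.flag_bits & 0x1:
                # encrypted member: we cannot look inside, so treat it as suspicious
                reasons.append(f"{name}: encrypted member cannot be inspected")
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head[:2] == b"MZ":
                # the extension is irrelevant: the content is a Windows executable
                reasons.append(f"{name}: content is a Windows executable (MZ header)")
            elif head == b"PK\x03\x04":
                if depth + 1 > MAX_DEPTH:
                    reasons.append(f"{name}: nested archive deeper than {MAX_DEPTH}")
                else:
                    with zf.open(info) as fh:
                        reasons.extend(inspect_zip_attachment(fh.read(), depth + 1, name))
    return reasons


def should_block(data):
    return bool(inspect_zip_attachment(data))


def _build_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_MZ is a stand-in executable header, not real worm code.
FAKE_MZ = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
MIMAIL_STYLE = _build_zip({"message.html": b"<html></html>", "message.exe": FAKE_MZ})
DISGUISED = _build_zip({"readme.txt": FAKE_MZ})       # wrong extension, right magic
NESTED = _build_zip({"inner.zip": _build_zip({"setup.scr": FAKE_MZ})})
CLEAN = _build_zip({"report.txt": b"quarterly numbers", "notes/readme.md": b"# hi"})

if __name__ == "__main__":
    for title, blob in [("MIMAIL_STYLE", MIMAIL_STYLE), ("DISGUISED", DISGUISED),
                        ("NESTED", NESTED), ("CLEAN", CLEAN)]:
        print(title, "BLOCK" if should_block(blob) else "allow",
              inspect_zip_attachment(blob))
```

The content check matters more than the extension list: the DISGUISED sample is caught only because the MZ header is read, and the encrypted-member branch is there because a password-protected zip defeats content inspection entirely, so a mail gateway has to decide up front whether to block it or quarantine it for a human.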
The Worm Months of 2003
August and September were the worm months of 2003. Computer users panicked and ISPs were crippled. In the one week from August 12 to August 19, 2003 the internet nearly ground to a halt: access became very slow because the bandwidth was consumed by the worms W32/Blaster, W32/Nachi.A and W32/Sobig.F@mm. Blaster and Nachi attack users by exploiting a vulnerability in Windows XP, 2000, NT and 2003. The worm starts by scanning TCP port 135 to find out whether a host can be exploited. If the victim’s PC has not been patched it becomes infected and in turn becomes a host that scans for further victims, again and again. So if you are working online and your PC suddenly restarts or asks to restart, it has most probably been infected by Blaster (the exploit attempt crashes the RPC service, which forces Windows to restart). In extreme cases the user cannot use the PC at all because it keeps asking to restart.
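Both Slammer (UDP port 1434, in the January section above) and Blaster/Nachi (TCP port 135, above) announce themselves on the wire in the same way: one source hitting many distinct destinations on a single port within seconds. The following Python script is an added example, not code from the original article or from Vaksincom. It runs a fan-out detector over a few constructed firewall-style log lines and labels the hits with the worm ports the article names; the log format, addresses, window and threshold are all assumptions made for the example, and the detector itself is generic enough to flag fan-out on any port.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the article: Slammer (UDP/1434) and Blaster/Nachi (TCP/135).
WORM_PORTS = {("udp", 1434): "Slammer (MS SQL Resolution Service)",
              ("tcp", 135): "Blaster/Nachi (RPC DCOM)"}

# Assumed log format, one connection attempt per line (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"],
            "proto": m["proto"].lower(), "dport": int(m["dport"])}


def detect_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {src: {(proto, dport): distinct_targets}} for every source that hit
    at least min_targets distinct destinations on one port inside a sliding window."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_key = defaultdict(list)            # (src, proto, dport) -> [(ts, dst), ...]
    for e in events:
        by_key[(e["src"], e["proto"], e["dport"])].append((e["ts"], e["dst"]))
    alerts = defaultdict(dict)
    for (src, proto, dport), hits in by_key.items():
        start, best = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # shrink window from the left
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            alerts[src][(proto, dport)] = best
    return dict(alerts)


def label_alerts(alerts):
    """Attach the worm name from WORM_PORTS, or 'unknown fan-out' for other ports."""
    return {src: {f"{p}/{d}": (WORM_PORTS.get((p, d), "unknown fan-out"), n)
                  for (p, d), n in ports.items()}
            for src, ports in alerts.items()}


# Constructed sample: 10.1.2.3 behaves like Blaster, 10.1.2.9 like Slammer,
# 10.1.2.20 is a normal client, 10.1.2.30 touches 5 hosts but only one per 3 minutes.
SAMPLE_LOG = """\
2003-08-13 09:00:00 src=10.1.2.3 dst=10.9.0.1 proto=TCP dport=135
2003-08-13 09:00:01 src=10.1.2.3 dst=10.9.0.2 proto=TCP dport=135
2003-08-13 09:00:01 src=10.1.2.3 dst=10.9.0.3 proto=TCP dport=135
2003-08-13 09:00:02 src=10.1.2.3 dst=10.9.0.4 proto=TCP dport=135
2003-08-13 09:00:03 src=10.1.2.3 dst=10.9.0.5 proto=TCP dport=135
2003-08-13 09:00:03 src=10.1.2.3 dst=10.9.0.6 proto=TCP dport=135
2003-08-13 09:00:04 src=10.1.2.9 dst=172.16.0.1 proto=UDP dport=1434
2003-08-13 09:00:04 src=10.1.2.9 dst=172.16.0.2 proto=UDP dport=1434
2003-08-13 09:00:04 src=10.1.2.9 dst=172.16.0.3 proto=UDP dport=1434
2003-08-13 09:00:05 src=10.1.2.9 dst=172.16.0.4 proto=UDP dport=1434
2003-08-13 09:00:05 src=10.1.2.9 dst=172.16.0.5 proto=UDP dport=1434
2003-08-13 09:00:06 src=10.1.2.20 dst=10.9.0.1 proto=TCP dport=80
2003-08-13 09:00:07 src=10.1.2.20 dst=10.9.0.1 proto=TCP dport=135
2003-08-13 09:00:08 src=10.1.2.20 dst=10.9.0.1 proto=TCP dport=135
2003-08-13 09:00:00 src=10.1.2.30 dst=10.9.0.1 proto=TCP dport=135
2003-08-13 09:03:00 src=10.1.2.30 dst=10.9.0.2 proto=TCP dport=135
2003-08-13 09:06:00 src=10.1.2.30 dst=10.9.0.3 proto=TCP dport=135
2003-08-13 09:09:00 src=10.1.2.30 dst=10.9.0.4 proto=TCP dport=135
2003-08-13 09:12:00 src=10.1.2.30 dst=10.9.0.5 proto=TCP dport=135
"""

if __name__ == "__main__":
    for src, info in label_alerts(detect_scanners(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

Counting distinct destinations rather than raw packets is what separates a worm from a busy but legitimate client: 10.1.2.20 talks to port 135 twice but to a single host, and 10.1.2.30 reaches five hosts too slowly to fit the window, so neither is reported. On a real ISP link the threshold would be tuned against the normal fan-out of the customer base.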
Sticky Virus Award
The Sticky Virus Award 2003 goes to Swen. Once a system is infected it is difficult to clean, because every time you run regedit.exe to remove the virus’s registry entries you run the virus again: Swen registers itself as the handler for all executable (.exe) files, so any program you launch starts Swen first.
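The behaviour described above, a worm that makes itself the handler for every .exe file, leaves a tell-tale trace in the registry: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which on a clean Windows 2000/XP system is "%1" %*. The following Python script is an added example, not code from the article or from Vaksincom. It parses a regedit export (.reg file) and flags any executable file-class handler whose command differs from the stock value. The two sample exports are constructed for the example, and the worm path C:\WINDOWS\wormstub.exe is hypothetical, not Swen’s actual file name or registry data.

```python
import re

# Stock handler commands for the executable file classes on Windows 2000/XP.
# The default value (@) of each ...\shell\open\command key should match these.
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}

# `@=data` is the key's default value, `"Name"=data` a named value.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape_reg_string(s):
    """.reg string literals escape backslash and double quote with a backslash."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key.lower(): {value_name: data}} for REG_SZ values in a .reg export.
    The default value is stored under the empty name; hex:/dword: data is skipped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry key names are case-insensitive
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape_reg_string(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            result[current][name] = _unescape_reg_string(data[1:-1])
    return result


def find_hijacked_handlers(text):
    """Return [(key, actual_command_or_None, expected_command)] for every exported
    handler key whose default value is missing or differs from the stock command."""
    reg = parse_reg_export(text)
    findings = []
    for key, expected in EXPECTED_COMMANDS.items():
        values = reg.get(key.lower())
        if values is None:
            continue                           # key not present in this export
        actual = values.get("")
        if actual is None or actual.strip().lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


# Constructed exports. The worm path below is hypothetical, not Swen's real file name.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''

HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\wormstub.exe \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''

if __name__ == "__main__":
    for key, actual, expected in find_hijacked_handlers(HIJACKED_EXPORT):
        print(f"{key}\n  found:    {actual!r}\n  expected: {expected!r}")
```

The export has to be taken from the suspect machine without launching an .exe through the hijacked handler, which is exactly what makes this class of worm “sticky”: the usual workarounds are to merge a corrective .reg file (which goes through the separate regfile handler, checked here as well) or to run a copy of regedit.exe renamed to regedit.com, which the comfile class handles instead.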
Broken Heart Virus after Linong
The local virus (made in Indonesia) that infected most cybercafés in Indonesia is W32.Pesin.A. This broken-heart-themed virus “proudly” claims to have been written by a programmer from Sumatra, and it successfully infected most cybercafés in Indonesia thanks to its clever payload, which infects floppy disks, a medium that is “surprisingly” still very popular in Indonesia’s cybercafé community (especially among students). Pesin spread widely from September to November, and a declining number of cases were still being confirmed in December 2003. If you are a cybercafé user, or one of the members of your network is, check whether your PC and floppy disks contain any of the following files:
My Love.exe
Kenangan.exe
Hallo.exe
Puisi Cinta.exe
My Heart.exe
Jangan Dibuka.exe
Mistery.exe
These carry an icon like an MS Word document (Image 3). Once you get a message like this (Image 4):
 (Image 4)
it means that your PC is infected with Pesin. One of its payloads blocks access to the Registry Editor by disabling your keyboard and mouse every time you open regedit.exe (or regedit.com).
Veteran
The Veteran League still active today consists of Funlove, Redlof and JS/KAK@m. They consistently place in the top five of the Top 10 viruses stopped by Vaksincom. These viruses (especially Redlof) replicate themselves heavily across an infected system; we regularly receive reports of a single PC with thousands of infected files detected as folder.htt. They are also very persistent and hard to remove: even after you have cleaned and formatted your PC, once you reconnect it to the network the virus simply comes back within a minute. What you have to do is apply the patches for the vulnerabilities these viruses exploit. If this routine consumes too much of your time and resources, consider enabling automatic updates (Windows XP and 2000 only) or outsourcing it to an expert. Merry Christmas and Happy New Year. Translated by BMB (Bernie) from the original Indonesian article by AAT.