Prevent Online Threats

Archive for the 'Virus Threats' Category

Worm.Win32.Eyeveg

Monday, August 25th, 2008

Details
Worm.Win32.Eyeveg.b
This worm is written in Visual C++ and packed using UPX. The file is 41480 bytes in size.
Installation
The worm copies itself to the system directory under a random name which consists of six characters. It then registers this file in the system registry:

Worm.Win32.Doomjuice

Monday, August 25th, 2008

Details
Worm.Win32.Doomjuice.b
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate.
Installation
On launching, the worm copies itself to the Windows system directory under the name regedit.exe and registers this file in the system registry auto-run key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroCheck = %system%\regedit.exe
The worm creates the unique identifier _sncZZmtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b. The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
To determine which IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm checks the system date, and if the current date is between the 8th and the 12th of the month, the DoS attack function will not be launched. The worm will not launch any DoS attack in January. However, in all other months and on all other dates the worm will launch a DoS attack on the www.microsoft.com site. To carry out the DoS attack, the worm sends multiple GET commands with the following parameters:
GET / HTTP/1.1
Accept: */*

Accept-Language: en-us or Accept-Language: en

Accept-Encoding: gzip, deflate or blank

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) or
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) or
User-Agent: Mozilla/4.0

Host: www.microsoft.com:80

Worm.Win32.Doomjuice

Monday, August 25th, 2008

Details
Worm.Win32.Doomjuice.a
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate. It is approximately 35KB in size, compressed using UPX. The size of the decompressed file is approximately 43 KB.
Installation
On launching, the worm copies itself to the Windows system directory under the name intrenat.exe and registers this file in the system registry auto-run key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Gremlin” = “%system%\intrenat.exe”
The worm extracts a file named sync-src-1.00.tbz from itself, and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings.
This file is a tar archive which contains the full source text of I-Worm.Mydoom.a
The worm creates the unique identifier sync-Z-mtx_133 to show its presence in memory.
Propagation
To propagate, the worm utilizes computers infected by Mydoom.a and Mydoom.b. The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands. If the infected computer answers the command, Doomjuice establishes a connection and sends a copy of itself. The backdoor component of Mydoom accepts the file and executes it.
In order to choose IP addresses to attack, the worm uses the following formula: (A.B.C.D)
The first value in the address (A) is selected from the following list:
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

The second (B) and third (C) values are randomly generated by the worm. The final value (D) will be a number between 0 and 254, with values being selected in sequence.
DoS attack
The worm determines the system date, and if the date is between the 1st and the 11th of the month, the worm carries out a modified DoS attack on the site www.microsoft.com. One GET command will be sent to port 80, and then repeated at random intervals. If the date is the 12th of the month or later, the commands will be sent without a break.
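The address-selection rule and the DoS request headers above apply to both Doomjuice.a and Doomjuice.b. What follows is an added example, not code from the original descriptions: Python triage helpers that flag a host walking a single /24 on TCP port 3127 in the worm's sequential last-octet pattern, and that fingerprint the exact header set of the DoS request. The firewall log format and all sample data are constructed.

```python
"""Triage helpers for the Doomjuice scanning and DoS patterns described above.

Added example, not code from the original descriptions. Log format and samples are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# First-octet values Doomjuice.a/.b draw from (copied from the list above).
DOOMJUICE_FIRST_OCTETS = frozenset(
    [3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26,
     28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52,
     53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81]
    + list(range(128, 192)) + [193, 194, 195, 196, 198, 199]
    + list(range(200, 221)) + list(range(225, 240))
)
MYDOOM_BACKDOOR_PORT = 3127  # opened by Mydoom's shimgapi.dll; Doomjuice spreads through it

# Assumed firewall log line format: "... src=A.B.C.D dst=A.B.C.D proto=tcp dport=N ..."
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)")


def in_doomjuice_address_space(ip):
    """True if the first octet is one the worm's address generator can pick."""
    return (int(ipaddress.IPv4Address(ip)) >> 24) in DOOMJUICE_FIRST_OCTETS


def parse_firewall_log(lines):
    """Yield (src, dst, dport) from log lines in the assumed format; skip anything else."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def doomjuice_sweep_sources(lines, min_run=4):
    """Sources whose port-3127 connections walk one /24 with the last octet stepping by one.

    That is the "D selected in sequence" behaviour above; B and C being random means
    a run stays inside a single A.B.C prefix.
    """
    per_src = defaultdict(list)
    for src, dst, dport in parse_firewall_log(lines):
        if dport == MYDOOM_BACKDOOR_PORT and in_doomjuice_address_space(dst):
            per_src[src].append(int(ipaddress.IPv4Address(dst)))
    flagged = set()
    for src, targets in per_src.items():
        run = 1
        for prev, cur in zip(targets, targets[1:]):
            # Same /24 and D incremented by exactly one: the sequential pattern.
            run = run + 1 if (cur == prev + 1 and cur >> 8 == prev >> 8) else 1
            if run >= min_run:
                flagged.add(src)
                break
    return flagged


DOS_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0",
}
DOS_HEADER_NAMES = {"accept", "accept-language", "accept-encoding", "user-agent", "host"}


def parse_http_request(raw):
    """Split a raw request into (request line, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def matches_doomjuice_dos_request(raw):
    """True if a request carries exactly the header set the DoS routine above emits."""
    request_line, h = parse_http_request(raw)
    return (
        request_line == "GET / HTTP/1.1"
        and set(h) <= DOS_HEADER_NAMES  # nothing a real browser adds, e.g. Connection
        and h.get("host") == "www.microsoft.com:80"
        and h.get("accept") == "*/*"
        and h.get("accept-language") in ("en-us", "en")
        and h.get("accept-encoding", "") in ("", "gzip, deflate")
        and h.get("user-agent") in DOS_USER_AGENTS
    )


# Constructed samples: one host sweeping 64.120.33.0-4 on 3127, one doing ordinary web traffic.
SAMPLE_LOG = [
    "2004-02-09T10:00:%02d fw: src=10.0.0.5 dst=64.120.33.%d proto=tcp dport=3127" % (i, i)
    for i in range(5)
] + ["2004-02-09T10:01:00 fw: src=10.0.0.9 dst=64.120.33.7 proto=tcp dport=80"]

SAMPLE_DOS_REQUEST = (
    "GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0\r\nHost: www.microsoft.com:80\r\n\r\n"
)

if __name__ == "__main__":
    print("sweeping hosts:", doomjuice_sweep_sources(SAMPLE_LOG))
    print("DoS request fingerprint matched:", matches_doomjuice_dos_request(SAMPLE_DOS_REQUEST))
```

The header fingerprint on its own is weak (the listed User-Agents were common at the time), so pair it with the request rate per source before acting on it.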

Worm.Win32.Dato

Monday, August 25th, 2008

Details
Worm.Win32.Datom

This is a network worm. It replicates via shared network resources. The worm consists of 3 different files:
MSVXD.EXE
MSVXD16.DLL
MSVXD32.DLL

The first component, MSVXD.EXE activates the worm by loading the MSVXD16.DLL library. In turn, MSVXD16.DLL loads the MSVXD32.DLL component, which performs the worming operations.
Replication
The worm searches for available network resources and tries to connect to their host computers. If the connection has been successful, the worm then searches for a shared directory that appears to be the Windows directory: it tries the “WinNT” name, and also tries to read the “WinDir” entry in the MSDOS.SYS file (if it exists and is available). The worm then copies all its components to the remote Windows directory and sets MSVXD.EXE up to start with Windows automatically: if there is a file called “Win.ini” in the remote Windows directory, it writes the “MSVXD.EXE” string in the “Run” section of this file; otherwise it creates a link file pointing to MSVXD.exe, called “VxD Manager.lnk”, in the common (“All users”) Startup directory on the remote computer.
Other
The worm searches for the presence of the ZoneAlarm firewall and tries to terminate its active instances. It also tries to send “notification” e-mail messages to one of two different addresses that may belong to the author of the worm. These messages contain information about the infected system.

Worm.Win32.Dabber

Monday, August 25th, 2008

Details
Worm.Win32.Dabber.a

This worm spreads via the Internet using a vulnerability in the FTP component of Worm.Win32.Sasser.
The worm itself is a Windows PE EXE file, 29696 bytes in size, packed using UPX.
Installation
When installing, the worm copies itself to the Windows system directory under the name package.exe, and also to the following Startup directories:
c:\Documents and Settings\All Users\Start Menu\Programs\Startup
%windir%\All Users\Main menu\Programs\StartUp
The worm registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“sassfix”=”%System%\package.exe”
The worm searches the system registry for the following keys installed by Sasser:
avserve2.exe
avvserrve32
avserve
skynetave.exe
and deletes them. It also searches for and deletes keys installed by other worms:
Video
Microsoft Update
Drvddll.exe
Drvddll_exe
drvsys
drvsys.exe
ssgrate
ssgrate.exe
lsasss
lsasss.exe
Taskmon
Gremlin
Window
Video Process
TempCom
SkynetRevenge
MapiDrv
BagleAV
System Updater Service
soundcontrl
WinMsrv32
drvddll.exe
navapsrc.exe
Generic Host Service
Windows Drive Compatibility
windows
The worm scans networks for random IP addresses, searching for victim machines which have the ftp component of Sasser installed on port 5554.
When the worm finds a suitable victim machine, it sends a vulnerability exploit to it to infect the system. It then launches the command shell on port 8967. It also installs a backdoor on port 9898 to receive external commands.

Worm.Win32.Cycle

Sunday, August 24th, 2008

Details
Worm.Win32.Cycle.a

Cycle is an Internet worm that exploits the LSASS vulnerability in MS Windows described in Microsoft Security Bulletin MS04-011.
Microsoft released a patch for this vulnerability on April 13, 2004 - available at the above link.
Cycle affects computers running Windows 2000, Windows XP and Windows Server 2003.
The worm is written in C++ and is about 10 KB in size (packed by UPX).
Propagation
Upon launching, Cycle copies itself into the Windows system folder under the name ‘svchost.exe’ and registers itself in the following autorun keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Generic Host Service” = “%windir%\system\svchost.exe”
The worm also creates the file cyclone.txt in the Windows folder. This file contains the following letter to the global community from the author of the worm:
—-
Hi,
My name is Cyclone and I live in Iran,
and I want to speak with you about problems that we have in iran:
A.In Iran we don’t have any kind of freedom, because we have islamic republic in iran:
1.we can’t speak freely about regime, we can’t speak even a little bit against them!!!
2.I have to be a moslem otherwise they don’t care about me!
3.we CAN’T even wear the clothes and styles that we wants!
4.women MUST wear a cloth that no one can even see their hair!!!
5.they do not allow our national celebrations to be held, they beat us!!
6.Many more
B.The human rights is not implemented in Iran and there is no justice,
1.Lynch is very common in Iran. If you are against the regime then you may silently killed, or if there is a tribunal, you can’t say anything, everyone works against you there.
2.1985-1990, the Islamic Republic of IRAN has been killed more than 10,000 Iranian youngs. that has been comfirmed by the documentations! This people killed without any tribunal or any proof.
3.there is a punishment that is used so much during this years, in this punishment, the person who must be killed stand in a hole then others attack him with stones, this will continue until he/she dead. there is some pictures and videos that shows this terrible torture!
4.Many more…
C.Misery and poverty grows in Iran, because the islamic republic leaders steal the money, they stolen the money that provided by selling oil, and then the people must die because they don’t have enough money to even buy a bread!!!
D.Misery and poverty cause vice to grow, you see many young people in Iran using drugs and I think this is also a trick by the government to not allow us to arise against them!
E.Islamic republic gave Iran a bad name. before islamic republic we can travel anywhere in the world without any problem but now we have so much problems if we want to travel a foreign country, anyone think that we are terrorist. THE PEOPLE OF IRAN ARE NOT TERRORIST, THE ISLAMIC REPUBLIC OF IRAN IS TERRORIST.
The people of Iran trying to arise, but failed to do. About one year ago, Iranian people try to say to the world that we don’t need Islamic republic but the government and police beat the people who try to tell the truth and they killed some people.
You see that they don’t even care about their own people, think what happen if they gain access to an ATOMIC BOMB!!! it’s very dangerous for the world.
With all of this conditions and injustices, european governments still support islamic republic, they say that they just care about their own country!
and I want to show them our WRATH!
All of the european people are my friends and I never want to harm them, just government and the Politicians!
If you protest against iraq war and say why there must be a war against iraq, and if you do this for humanity, please do anything that you can do for helping iranian people.
at least make your country not to support islamic republic anymore, I’m deadly sure that if european countries do not support islamic republic. it will be destroyed after 3-6 months!
so please help!
I don’t want to damage, I just want my country to grow, to improve!!! I have no other way to tell this words to world, sorry!!

The worm is built to fight against the Internet worms Sasser and Lovesan. It creates unique identifiers in RAM that match the identifiers created by Sasser, thus preventing Sasser infections:
Jobaka3
Jobaka3l
JumpallsNlsTillt
SkynetSasserVersionWithPingFast
Cycle attempts to detect and stop the processes with names from the following list:
avserve.exe
avserve2.exe
msblast.exe
skynetave.exe
Cycle deploys an FTP server on TCP port 69, launches 4 IP address scans searching for potential victim machines and sends requests to TCP port 445. If a remote machine allows a connection, Cycle sends the LSASS exploit, which installs a cmd.exe command shell on the victim machine.
The worm then forwards commands to load and launch itself to the infected machine. The file containing the worm, after being forwarded, is named cyclone.exe.
Other
After infection, victim machines display a notice about an LSASS service failure and may attempt to reboot.
In addition, Cycle attempts to initiate DoS attacks on irn.com and www.bbcnews.com every day in May except Sundays.

Worm.Win32.Busa

Sunday, August 24th, 2008

Details
Worm.Win32.Busan
The Busan worm spreads through networks by copying itself to all accessible network resources. The worm is a Windows application (PE EXE file) that is compressed with UPX and has a size of 14 KB. Its code is written in the C++ programming language.
When run, the worm sends a message via ICQ to the author's UIN, and then copies itself to the Windows directory under the name files32.sys. The Busan worm also copies to the Windows directory a file named mh32.dll, which is a keyboard ‘interceptor’ (keylogger). Then the worm tries to copy itself under the name auto.exe to the following directories:
C:\WINDOWS\All Users\Start Menu\Program Files\StartUp
C:\WINDOWS\All Users\?’ ?-R? ?-Ï\?ÁR?Á Ì\??×R ?ÁÇ? (this second path is garbled in the source)
Because of a mistake in its code it fails to successfully copy itself to the above directories. Busan then probes IP-addresses and copies itself to all accessible network resources.
Next the worm registers itself in the system registry key:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=”files32.sys \”%1\” %*”

This entry causes the worm to be run anew each time any EXE file is opened.
While running, the worm collects all accessible names and passwords for the mail boxes registered in the system and stores them in the C:\WINDOWS\lmhost.log file. After this is done, Busan tries to send this file to the malefactor (the worm’s master). The same file contains a complete record of keystrokes recorded by the keyboard interceptor, mh32.dll.
The Busan worm tries to download a file named worm31.bmp from an Internet web site, but cannot, as the page has since been removed.

Worm.Win32.Bize

Sunday, August 24th, 2008

Details
Worm.Win32.Bizex
This worm uses the Internet instant messaging system ICQ to spread via the Internet.
The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download and execute the malicious component of the worm on the victim computer.
Propagation
On connecting to the site
http://www.jokeworld.xxx/xxx.html
(x here is used to replace certain characters) the CHM-exploit-a is used. As a result, a specially constructed CHM file is automatically executed on the victim computer. This file contains another file named ‘iefucker.html’, which contains a TrojanDropper, a type of Trojan written in a scripting language. This Trojan extracts a file named WinUpdate.exe from itself to a range of system directories.
In Windows 2000 and Windows XP:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe
and in Windows 98:
c:\windows\Start Menu\Programs\Startup\WinUpdate.exe
WinUpdate.exe is a Trojan program of the TrojanDownloader group, which downloads the main component of the worm from a remote site, and writes it to the temporary directory under the name aptgetupd.exe.
Main component
Aptgetupd.exe is a PE EXE file, approximately 84 KB (86528 bytes) in size, packed using PECompact.
Once executed, the worm copies itself under the name sysmon.exe to the SYSMON sub-directory in the Windows system directory, and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“sysmon” = %system%\sysmon\sysmon.exe
The worm has a theft function which enables it to steal information relating to a range of financial services:
Acceso a Banca por Internet
Accueil Bred.fr > Espace Bred.fr
American Express UK - Personal Finance
Banamex.com
baNK
Banque
Banque en ligne
Barclaycard Merchant Services
Collegamento a Scrigno
Commercial Electronic Office Sign On
Credit Lyonnais interacti
CyberMUT
E*TRADE Log On
e-gold Account Access
Home Page Banca Intesa
LloydsTSB online - Welcome
Merchant Administration
Page d’accueil
Secure User Area
SUNCORP METWAY
Tous les produits et services
VeriSign Partner Manager
VeriSign Personal Trust Service
Wells Fargo - Small Business Home Page
It also steals data transmitted by HTTPS, relating to accounts of a variety of mail services such as Yahoo, etc.
All stolen information is saved in the files ~pass.log, ~key.log and ~post.log and is sent by FTP to a remote server: www.ustrading.info
The worm extracts a number of .dll files from itself and installs them in the Windows system directory:
java32.dll
javaext.dll
icq_socket.dll (library used to send messages via ICQ)
ICQ2003Decrypt.dll (ICQ library)
The worm gains access to the ICQ contact list, disconnects the ICQ client which has been launched, connects to the server under the name of the user of the infected machine, and sends all contacts found a link to its own site.
Other
In addition to the CHM exploit, when the link is opened, an attempt will be made to download and execute a Java archive, which contains a range of TrojanDownloaders (detected as Trojan.Java.ClassLoader and TrojanDownloader.Java.OpenConnection) which also attempt to download the components of the worm to the victim computer.

Worm.Win32.Autoroote

Sunday, August 24th, 2008

Details
Worm.Win32.Autorooter
Autorooter is a multi-component Win32 worm designed to spread through local and global networks; however, the spreading routines are not complete in the current version.
The worm got its name from the text strings found in its main component:
rpc autorooter by ERIC
RPC autorooter
To spread the worm exploits the MS Windows DCOM RPC vulnerability. This vulnerability is described in Microsoft Security Bulletin MS03-026.

The File Archive (package)
The Autorooter worm is a Win32 SFX ZIP file (self-extracting archive) about 114 KB in size; it contains three files:
rpc.exe - 41 KB, main component (starter), detected as Worm.Win32.Autorooter
tftpd.exe - 144 KB, legitimate TFTP server
rpctest.exe - 95 KB, exploit, detected as Exploit.Win32.DCom
When the SFX package is executed, it extracts these three files to the root directory of the C: drive and runs the rpc.exe main component.
Main Component rpc.exe
The main component runs the tftpd.exe file and tries to download the lolx.exe file from a remote site. The known lolx.exe file is a backdoor trojan and is detected as Backdoor.SdBot.gen.
The worm then searches for remote machines and tries to establish a connection on port 445. The IP addresses (a.b.c.d) for scanning are generated randomly according to the following algorithm:
The ‘a’ value is selected from following list (all values are used):
24, 12, 211, 217, 218, 220, 4, 68, 165, 65, 213, 64, 208, 128
The ‘b’ value is a random number from 0 to 255. The ‘c’ and ‘d’ values take any value between 1 and 255.
For example, if the ‘a’ is 68, and the ‘b’ is 120 the worm will search for machines at all addresses in the range 68.120.0.1 - 68.120.255.255.
The worm searches for remote machines in these ranges, connects to any machines it finds and sends the exploit code to them. To send the exploit, the worm runs the rpctest.exe component. This component sends a buffer-overrun request that starts a command shell on port 57005 on vulnerable (victim) machines.
rpctest.exe component
This is the exploit tool. It contains the following text string:
USE THE FORZ LUKE!
tftpd.exe component
This is a legitimate HaneWin TFTP server. It is installed on port 69 by the Autorooter main component and is used to download the backdoor component.

Summary
Even though this file package does not contain any auto-replication functions, we still consider it to be more of a worm-type program rather than merely a backdoor or a hacktool.
We believe that this version is only a test version of a new worm that already contains enough functions to provide for self-replication. It is possible that the author aimed to set up a widely dispersed network of hacked computers for later use in hacker or virus attacks.

Our Recommendations
Apply the patch from Microsoft.
Block TCP ports 135, 139 and 445 in your local firewall.

Worm.Win32.Apar

Sunday, August 24th, 2008

Details
Worm.Win32.Apart
Apart is a network worm with backdoor abilities. The worm itself is a Windows PE EXE file written in Delphi. Depending on the version the worm is either 43KB or 56KB in length and is compressed by TeLock or UPX (the decompressed size is about 90KB).
“Apart.b” was posted to IRC channels in the middle of August 2002 as a
“NEW NUDE BRITNEY SPEARS SCREEN SAVER!”
Installing
While installing, the worm copies itself to the Windows system directory under the name “kernel32.dll*” and sets the “hidden” attribute for this file (here and below the * (star) character is A0h in hex). This file is then registered in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel = %SystemDir%\KERNEL32.DLL*

The worm also creates the
HKCR\.dll*
key, associated with the “exefile” file type. Thus .DLL* files will be executed as though they were .EXE files.
The worm then removes its original file (from where it was started), opens an Internet connection and “listens” to its master.
Spreading
At its “master’s” request (see “Backdoor” below) the worm spreads through local networks. It opens network drives that are shared with full access and copies itself to the \WINDOWS\Start Menu\Programs\StartUp\ directory under the name:
Windows.exe
Backdoor
The backdoor routine allows a remote “master” (the person controlling the virus program) to perform the following actions:
send detailed computer information: driver descriptions, local date and time, default language, computer name, CPU speed and number of processors, RAM size, Windows version, etc.
steal cached passwords, the MSN account and password, and .NET Messenger information.
Apart also performs the following routines:

spread over local network
receive a file or download a file from a Web site
execute a file
perform DoS attack on remote computer
ping a remote computer
scan ports and IP addresses
redirect PC ports
send spam messages through AOL Instant Messenger and to a mIRC channel
Other
The worm contains the following “copyright” text string:
Apartheid v.2.0
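Several of the worms above persist through the same handful of autostart hooks: Run-key values (Doomjuice, Dabber, Cycle, Apart), the HKCR\exefile open command (Busan), a second extension mapped to exefile (Apart, with its A0h character) and the run= line of Win.ini (Datom). The following is an added example, not code from the original descriptions: a Python audit over a constructed .reg export and Win.ini text that reports each of these hooks; all sample values are constructed.

```python
"""Audit of the autostart hooks described above, over constructed registry and Win.ini text.

Added example, not code from the original descriptions. Sample inputs are constructed.
"""
import configparser

RUN_KEY_SUFFIX = r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
EXEFILE_DEFAULT_COMMAND = '"%1" %*'  # stock value of HKCR\exefile\shell\open\command
# Run-value names the descriptions above attribute to Doomjuice, Dabber, Cycle and Apart.
KNOWN_RUN_NAMES = {"nerocheck", "gremlin", "sassfix", "generic host service", "kernel"}


def _unquote(s):
    """Strip a .reg string's surrounding quotes and undo its \\" and \\\\ escapes (minimal)."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return s


def parse_reg_export(text):
    """Parse a minimal .reg export into {key path: {value name: string}}; '@' is the default."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            reg[current][_unquote(name)] = _unquote(value)
    return reg


def _image_path(cmdline):
    """The program a Run value starts: the quoted path if present, else the first token."""
    if cmdline.startswith('"') and '"' in cmdline[1:]:
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def audit_registry(reg):
    """Return (check, detail) findings for the registry hooks used by the worms above."""
    findings = []
    cmd = reg.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("@", EXEFILE_DEFAULT_COMMAND)
    if cmd.strip() != EXEFILE_DEFAULT_COMMAND:
        findings.append(("exefile-command-hijacked", cmd))  # Busan: runs before every EXE
    for key, values in reg.items():
        parent, _, leaf = key.rpartition("\\")
        if parent == "HKEY_CLASSES_ROOT" and leaf.startswith(".") and values.get("@") == "exefile":
            if leaf.lower() != ".exe":  # Apart: .DLL<A0> registered to run as an EXE
                findings.append(("extension-mapped-to-exefile", repr(leaf)))
        elif key.upper().endswith(RUN_KEY_SUFFIX):
            for name, image in values.items():
                reasons = []
                if name.lower() in KNOWN_RUN_NAMES:
                    reasons.append("value name used by a known worm")
                if not (name.isascii() and image.isascii()):
                    reasons.append("non-ASCII characters")  # Apart's A0h trick
                if not _image_path(image).lower().endswith(".exe"):
                    reasons.append("image is not an .exe")
                if reasons:
                    findings.append(("run-value", f"{name}={image!r}: " + ", ".join(reasons)))
    return findings


def winini_autostart(text):
    """Programs started by Win.ini's legacy [windows] load= and run= lines (Datom's hook)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True,
                                   delimiters=("=",))
    cp.read_string(text)
    entries = []
    for option in ("load", "run"):
        value = cp.get("windows", option, fallback="") or ""
        entries.extend(value.replace(",", " ").split())
    return entries


# Constructed .reg export: Busan's exefile hijack, Apart's .dll<A0> mapping and Kernel value,
# Doomjuice.a's Gremlin value, plus one benign entry. <A0> stands in for the A0h character.
_SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.dll<A0>]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.sys \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gremlin"="C:\\WINDOWS\\system32\\intrenat.exe"
"Kernel"="C:\\WINDOWS\\system32\\KERNEL32.DLL<A0>"
"ExampleUpdater"="\"C:\\Program Files\\ExampleApp\\updater.exe\" /background"
"""
SAMPLE_REG = _SAMPLE_REG.replace("<A0>", "\u00a0")
SAMPLE_WIN_INI = "[windows]\nload=\nrun=MSVXD.EXE\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for check, detail in audit_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{check}: {detail}")
    print("Win.ini autostart:", winini_autostart(SAMPLE_WIN_INI))
```

On a live system the same checks apply to the output of reg.exe export or to a parsed hive; the .reg unescaper here handles only the plain string values the descriptions above use.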

Worm.Terno

Sunday, August 24th, 2008

Details
Worm.Ternop

This is a worm spreading under DOS. The worm file itself is an encrypted 2.5 KB DOS COM program. When it runs, it copies itself into the Windows\COMMAND directory under a random 8-character name, for example:
QNLKKLNQ.COM
JIIJLOSK.COM
YPETEDUM.COM

The worm affects the Windows directory wherever it is placed: it tries all variants from C:\WINDOWS to Z:\WINDOWS.
The worm then modifies the SYS.COM file (which copies system files to a target drive) so that the worm copies itself to the disks that are SYS-ed. To do that, the worm renames SYS.COM to SYS.OLD and creates a companion SYS.BAT file that contains a set of batch instructions. When activated, these instructions rename the original SYS.COM file back to .COM and run it, and then copy the worm code to the target drive.
The worm then looks for RAR archives in the directory tree on the current drive and adds a copy of itself to their contents. The next victim of the worm is the Maximum BBS, if it is installed on the computer. The worm scans the drive directories for FILES.BBS files and creates copies of itself in such directories. The worm then “registers” its copy in the FILES.BBS file by adding a reference to its file and a short description in Russian, like “From 2xx to 300MMX”, “New Internet cracker”, “Speeds up modem by 30%”, etc.
The worm does not manifest itself in any way; it contains the texts:
Ternopil Worm
Misdirected Youth

Worm.SymbOS.Cabir

Saturday, August 23rd, 2008

Details
Worm.SymbOS.Cabir.a

Cabir is the first network worm capable of spreading via Bluetooth; it infects mobile phones which run Symbian OS.
A wide range of phones from a number of manufacturers use this technology. It is clear that Nokia 3650, 7650 and N-Gage phones can all be infected by Cabir. However, any handset running Symbian OS is potentially vulnerable to infection.
The list below shows handsets running this operating system. The list is taken from the Symbian site.
Handsets
Already on the market:
FOMA F2051
FOMA F2102V
FOMA F900i
Motorola A920
Motorola A925
Nokia 3650/3600
Nokia 3660/3620
Nokia 6600
Nokia 7610
Nokia 7650
Nokia 9210 Communicators
Nokia 9290 Communicator
Nokia N-Gage
Nokia N-Gage QD
Sendo X
Siemens SX1
Sony Ericsson P800
Sony Ericsson P900

To be released in the near future:
BenQ P30
FOMA F900iT
Motorola A1000
Nokia 6260
Nokia 6620
Nokia 6630
Nokia 7700
Nokia 9500
Panasonic X700
Samsung SGH-D710

Smartphones and communicators

Ericsson R380 World Smartphone
Ericsson R380e Smartphone
Ericsson R380sc Smartphone
Psion 618C and 618S
Psion Revo and Revo Plus
Psion Series 5mx
Psion Series 7 and netBook

There are currently two versions of this worm. They are identical, except that one version, when displaying a Window Alert text, will include the text line VZ/29a.
The worm itself is an SIS format file, called caribe.sis, 15092 bytes in size (the second version is 15104 bytes in size).
This file contains three objects:
caribe.app: 11932 bytes/ 11944 bytes in size
flo.mdl: 2544 bytes in size
caribe.rsc: 44 bytes in size
Installation
When launched, the worm displays a message on the screen: either ‘Caribe’ or ‘Caribe - VZ/29a’.

It then installs itself to the following directories:
C:\system\apps\caribe\caribe.app
C:\system\apps\caribe\flo.mdl
C:\system\apps\caribe\caribe.rsc

C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP
C:\SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC
C:\SYSTEM\RECOGS\FLO.MDL
The directory SYMBIANSECUREDATA which the worm creates is hidden and cannot be seen by the user of the infected telephone.
Even if the worm file is deleted from the APPS directory, the worm will continue to be active in the system.
Propagation
Each time the infected telephone is switched on, the worm scans the list of active Bluetooth connections. The worm will select the first active connection shown and will attempt to send its main file, caribe.sis, to this device. The device which receives this file will display the following information:

If receipt of the infected file is confirmed, the user will be asked if they wish to launch the file (the message displayed depends on the model of telephone):

Other
The worm appears not to have any payload apart from propagating. However, the presence of the worm in memory, and the worm’s scanning for active Bluetooth devices, may cause infected telephones to function in an unstable manner.
Removal
Kaspersky Labs has developed a utility to remove Cabir.a from infected handsets.
The utility will detect and delete the worm from Nokia 3650 and 6600, and Siemens SX1 handsets. It is also designed to work on Nokia N-Gage and Sony Ericsson P900 handsets, but it has not been tested on these handsets.
The utility can be found on the WAP site wap.kaspersky.com. It can be downloaded either directly from the WAP site or via the Internet by following the link wap.kaspersky.com/downloads/decabir-1.0.sis
How to use the utility:
upload the installation file, decabir.sis, to the handset, and launch it.
choose the Decabir icon in the main menu
if the handset is not infected, the message ‘Device is clean’ will be displayed.
if the handset is infected, the message ‘Cabir has been removed. Please reboot’ will be displayed. You should now switch your handset off and on again.

Worm.SQL.Spida

Saturday, August 23rd, 2008

Details
Worm.SQL.Spida.b
SQL.Spida.b is a new version of the worm SQL.Spida.a. Unlike the previous variant, SQL.Spida.b became quite widespread especially in Far Eastern Asian countries.
Compared with “a”, “b” was improved not to use the sqlpoke clone; instead it uses a JavaScript version of the exploit to run commands on vulnerable machines.
Also, the “b” variant does not add the extra sqlagentcmdexec account during the attack; instead it enables the default guest login and gives it administrative privileges.
The following comments can be seen in the worm code:

“// sqlprocess v2.5”
“// Greetings to whole Symantec anti-virus department.”

Worm.SQL.Spida

Saturday, August 23rd, 2008

Details
Worm.SQL.Spida.a

SQL.Spida.a is a computer worm that replicates between systems running Microsoft SQL Server software. The worm works by exploiting a weak password that is the default installation choice for the “sa” (system administrator) SQL account. It begins by scanning the Internet for machines running the MS SQL service on TCP port 1433 and then tries to initiate a connection with the server, logging into the “sa” account. If this succeeds, the worm adds a new Windows NT user named
sqlagentcmdexec
on the remote machine, sets a random password for the account and adds it to the Administrators and Domain Admins groups.
Next, the worm maps the administrative share from the remote machine and attempts to copy itself into the system32 subdirectory of the Windows installation folder. SQLSpida takes care to close the vulnerability that allowed it to infect the system by setting a non-empty password for the “sa” account; then it simply launches itself on the remote machine.
The following comments can be seen inside the worm code:

“SQL Access v2.0” “Created 2001-2002 by Digital Spider”
Technical Details
To attack remote servers, SQLSpida uses an exploit tool originally known as sqlpoke, which claims to be written by someone going by the handle Xaphan.
The main entry point for the worm is a JavaScript file that generates random IP address classes and attempts to find vulnerable machines with the modified sqlpoke tool. When a potentially vulnerable system is found, a batch file is run which connects to the remote machine and copies the worm code.
It is also interesting to note that the worm attempts to collect both login passwords and the list of databases from the SQL server, then mail them to one of three possible addresses presumably belonging to the author.

