Peer-to-peer worming and JavaScript Trojans

By Matt Whipp

Posted on 30 May 2003 at 16:55

New viruses on the loose

Sophos has identified two new viruses that will be looking for trouble this weekend.

Both have been encountered on the public Internet. The first, W32/Holar-H, also goes under a number of aliases, including the familiar Hawawi.e.

It arrives with a variety of subject lines and messages and spreads itself by sending itself to email addresses found on the infected computer and by copying itself as a number of adult-titled files to shared folders used by peer to peer networks.

The worm sets a Registry entry to count how many times it is run (typically every time the infected computer is restarted). When the count reaches 30 it will begin trying to delete files from the hard drive. It displays a series of dialog boxes. If the user clicks OK on the last of these, then the system is shut down.

The second rampant vermis goes by the name JS/Fortnight-D. It infects HTML-reading email clients by using a combination of JavaScript and Java applets to attempt to open a Web site when the infected email is viewed. The Web site then uses a java applet to run the Trojan Troj/ByteVeri-A locally on the computer. The Trojan gives back-door access to the computer that potentially could allow an attacker to run code.

It also drops a file that sets itself as the signature in Outlook Express 5.0 and makes a number of Registry edits and additions to the Favourites folder.

As ever, more information can be found at the Sophos Web site.