Antivirus World
 News archive about antivirus software, virus threats, trojans 

May 2007

Weekly report on viruses and intruders from Panda Software -- Posted by Igor_Donchenko on Tuesday, May 22 2007
This week's PandaLabs' report focuses on two dangerous Trojans, KardPhisher.A and Spabot.AS, and the Mhubs.A network worm.

KardPhisher.A is a Trojan that steals confidential information by imitating a Windows message. The process is as follows: once it has infected a computer, the Trojan creates a file called "keylog.dll" which captures keystrokes.

To guarantee users enter 'valuable' data, the next time the PC starts up, it displays a fake Windows message informing users that another user has activated their copy of Windows. Users are asked for specific data to make sure their copy is legitimate.

"The trick is that users are forced to enter the data. Even if users click 'No, I will do it later', the computer will shut down and the same message will be displayed if they restart the computer," explains Luis Corrons, Technical Director of PandaLabs.

If users continue, the Trojan will display a new window asking for personal data such as the credit card number, email address or the CVV code.

The Trojan checks that the email address contains the "@" symbol and that the credit card has the correct number of digits.

"However, the data doesn't have to be real. In other words, you can use a fake email address and credit card number. This way, you will avoid providing confidential data and you will be able to use your computer correctly again," assures Corrons.

"The risk lies in someone who is unaware providing real data, since the information provided by the user is immediately sent to the Trojan-creator via a website".

Spabot.AS is another dangerous Trojan. This malware drops several files on the computer. One of them is the original Trojan, which checks whether there is an Internet connection and if so, starts to send spam. This junk mail advertises medicine and tries to direct users to a specific website where, supposedly, they can buy it.

Another file dropped by Spabot.AS is a DLL that modifies the LSP (Layered Service Provider) layers to filter communications.

LSPs monitor the network communications of installed applications. This, for example, enables the Trojan to obtain information exchanged between Internet Explorer and the servers, and allows it to intercept emails sent from Outlook.
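A defender can review which providers are layered into the Winsock catalog by parsing the output of `netsh winsock show catalog`. The sketch below is an added example, not part of the PandaLabs report; it assumes the English field labels of that command, and the sample text, `example_lsp.dll` and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on `netsh winsock show catalog` output (not real data).
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\WINDOWS\system32\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              2

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
Provider Path:                      %SystemRoot%\System32\mswsock.dll
"""

def parse_catalog(text):
    """Return one dict per Winsock catalog entry; name space entries are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        title = line.strip()
        if title.endswith("Provider Entry"):
            current = {} if title == "Winsock Catalog Provider Entry" else None
            if current is not None:
                entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def layered_entries(entries, approved=frozenset()):
    """Chain length 1 is a base provider; any other value means an LSP is involved."""
    hits = []
    for e in entries:
        dll = re.split(r"[\\/]", e.get("Provider Path", ""))[-1].lower()
        if int(e.get("Protocol Chain Length", "1")) != 1 and dll not in approved:
            hits.append((e.get("Catalog Entry ID"), dll))
    return hits

if __name__ == "__main__":
    for entry_id, dll in layered_entries(parse_catalog(SAMPLE)):
        print(f"review catalog entry {entry_id}: layered provider {dll}")
```

Pass the DLL names of LSPs you have deliberately installed as `approved` (lowercase) so that only unexpected layers are reported.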

This week's third piece of malware is the Mhubs.A worm. To fool users, it spreads using the typical "My PC" Windows icon. If users run it, the worm opens a window with the same information that appears in the real "My PC" folder. However, at the same time, it copies itself to all the physical and mapped drives connected to the computer.

Mhubs.A creates a file that injects itself into Windows Explorer, which allows the worm to run every time the user opens the tool. On Windows 98 computers, the system requires user consent before running it, since it identifies the malware as an ActiveX control. However, on Windows XP the infection is immediate and has no visible symptoms.

This worm also makes a series of modifications to the Windows registry. One of them enables it to conceal file extensions so they are not visible from Windows. It can also hide its copies on the different drives.


© AntivirusWorld.com