Antivirus World
 News archive about antivirus software, virus threats, trojans 

May 2007

Weekly report on viruses and intruders from Panda Software -- Posted by Igor_Donchenko on Monday, May 28 2007
This week's PandaLabs report focuses on Conycspa.AJ, a dangerous Trojan that downloads nine malicious codes onto computers. It also focuses on Briz.X, a Trojan that has infected more than 14,000 users, and on the MSNPhoto.A and Ridnu.D worms.

The Conycspa.AJ Trojan is designed to show adverts to users. To do so, it changes several Windows registry entries and modifies the results of online user searches. This way, it redirects users to specific web pages, mostly related to medicine.

This Trojan also connects to a specific web address from which it downloads various files. One of them is mm4839.exe, which is designed to send spam about medicines from users' computers.

It also downloads a long list of infected files from the Internet which correspond to the following malware: the MalwareAlarm adware, the potentially dangerous programs DriveCleaner, WinAntivirus2006 and PsKill.J, the Stox.A and Cimuz.EI Trojans, and the DriveCleaner, MediaPlex and DriveCleaner cookies.

"Cyber-crooks seek profit with their malware attacks. In each infection they manage to insert malicious codes on users' computers, increasing the possibility of profiting from stealing confidential data, visiting web pages that sell specific products, sending spam, hijacking computers, etc.", explains Luis Corrons.

Conycspa.AJ makes further changes in the Windows registry, one of which ensures it is run on every restart. It also creates a BHO (Browser Helper Object), which allows it to record users' browsing activity.

It also modifies the firewall to open a random port, and the win.ini file so that it runs automatically when a session is started.

The Windows operating system has a protection called Windows File Protection (WFP), which checks that no system files are corrupt and replaces them with the original copies if they are. This dangerous Trojan modifies the file restoration folder, establishing its own. Consequently, when the operating system tries to restore the corrupt library, it is replaced by the one created by the Trojan. This way, the Trojan protects its modifications and prevents the operating system from deleting it.

Briz.X has also played an important role this week. PandaLabs found a server that received confidential information stolen by this Trojan. More than 14,000 users have been affected by this variant which infects 500 computers a day on average.

Briz.X has a parser module which allows cyber-crooks to handle all the stolen information, searching for terms or IP addresses or creating filters to obtain data quickly.

MSNPhoto.A is a worm that spreads through MSN Messenger. This malware reaches the computer with the icon of an image, but it is really an .exe file.

When run, MSNPhoto.A shuts all the MSN Messenger windows opened by the user and sends a message to its contacts tricking them into opening a file called fotos_posse.zip, which is really a copy of the worm.

This worm also prevents the Task Manager from opening, thereby preventing the user from closing MSN Messenger. It also tries to download several files from the Internet. Finally, it modifies the Windows registry to make sure it is run every time the system restarts.

"Instant messaging services like MSN Messenger, Yahoo!Messenger, AIM, etc. are increasingly used by home users and businesses. And the fact that they are so widespread has made them an excellent means of propagation for malware, which uses them to spread to as many computers as possible," explains Corrons.

Ridnu.D is the second worm in this report. This malware, like other variants of the Ridnu family, is characterized by displaying annoying messages. For example, it replaces "run" with "Mr_CoolFace Has Come!", renames the "My Documents" folder to "Mr_CoolFace" and writes messages like "Dear my princess" every time the user opens Notepad.

One of the malicious actions carried out by Ridnu.D is to create several entries in the Windows registry to change the appearance of the Windows Explorer taskbar and make sure it runs every time the computer is restarted.

Source: http://www.pandasoftware.com

Weekly report on viruses and intruders from Panda Software -- Posted by Igor_Donchenko on Tuesday, May 22 2007
This week's PandaLabs report focuses on two dangerous Trojans, KardPhisher.A and Spabot.AS, and the Mhubs.A network worm.

KardPhisher.A is a Trojan that steals confidential information by imitating a Windows message. The process is as follows: once it has infected a computer, the Trojan creates a file called "keylog.dll" which captures keystrokes.

To guarantee users enter 'valuable' data, the next time the PC starts up, it displays a fake Windows message informing users that another user has activated their copy of Windows. Users are asked for specific data to make sure their copy is legitimate.

"The trick is that users are forced to enter the data. Even if users click "No, I will do it later", the computer will shut down and the same message will be displayed if they restart the computer," explains Luis Corrons, Technical Director of PandaLabs.

If users continue, the Trojan will display a new window asking for personal data such as the credit card number, email address or the CVV code.

The Trojan checks that the email address contains the "@" symbol and that the credit card has the correct number of digits.

"However, the data doesn't have to be real. In other words, you can use a fake email address and credit card number. This way, you will avoid providing confidential data and you will be able to use your computer correctly again," assures Corrons.

"The risk lies in someone who is unaware providing real data, since the information provided by the user is immediately sent to the Trojan-creator via a website".

Spabot.AS is another dangerous Trojan. This malware drops several files on the computer. One of them is the original Trojan, which checks whether there is an Internet connection and if so, starts to send spam. This junk mail advertises medicine and tries to direct users to a specific website where, supposedly, they can buy it.

Another file dropped by Spabot.AS is a DLL that modifies the LSP (Layered Service Provider) layer to filter communications.

LSPs monitor the network communications of the installed applications. This, for example, enables the Trojan to obtain information exchanged between Internet Explorer and web servers, and allows it to intercept the emails sent from Outlook.

This week's third malware is the Mhubs.A worm. To fool users it spreads using the typical "My PC" Windows icon. If users run it, the worm opens a window with the same information that appears in the real "My PC" folder. However, at the same time, it copies itself to all the physical and mapped drives connected to the computer.

Mhubs.A creates a file that injects itself into Windows Explorer, which allows the worm to run every time the user opens the tool. On Windows 98 computers, the system requires user consent before running it, since it identifies the malware as an ActiveX control. On Windows XP, however, the infection is immediate and has no visible symptoms.

This worm also makes a series of modifications to the Windows registry. One of them enables it to conceal file extensions so they are not visible from Windows. It can also hide its copies on the different drives.
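The persistence and tampering points named in these two reports (the Run key, BHO registration, the win.ini run= entry and the redirected WFP restore folder used by Conycspa.AJ; the hidden file extensions set by Mhubs.A) can all be audited offline from a registry export. The Python below is an added example, not code from Panda Software or AntivirusWorld; the .reg-style export, the GUID and the file paths are constructed, and it assumes the standard Windows value names for these settings (SFCDllCacheDir for the WFP cache folder, HideFileExt for extension hiding).

```python
import re

# Constructed sample (not from the reports): a .reg-style export of the keys
# the Conycspa.AJ and Mhubs.A write-ups describe, plus a win.ini fragment.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mm4839"="C:\\WINDOWS\\Temp\\mm4839.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDllCacheDir"="C:\\WINDOWS\\Temp\\restore"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\Temp\\svc.exe\n"

# Autostart entries pointing outside these directories deserve a look.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def parse_reg(text):
    """Yield (key, value name, data) triples from a .reg-style export."""
    key = None
    for line in text.splitlines():
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif "=" in line and key:
            name, data = line.split("=", 1)
            yield key, name.strip('"'), data.strip('"')

def audit(reg_text, win_ini):
    """Return human-readable findings for the persistence points the reports name."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        path = data.replace("\\\\", "\\").lower()  # .reg exports escape backslashes
        if key.endswith("\\currentversion\\run"):
            if not path.startswith(TRUSTED_DIRS):
                findings.append(f"run-key autostart outside trusted dirs: {name} -> {data}")
        elif "\\browser helper objects\\" in key:
            findings.append(f"BHO registered: {key.rsplit(chr(92), 1)[-1]}")
        elif key.endswith("\\winlogon") and name.lower() == "sfcdllcachedir":
            if not path.endswith("\\system32\\dllcache"):
                findings.append(f"WFP cache folder redirected: {data}")
        elif key.endswith("\\explorer\\advanced") and name.lower() == "hidefileext":
            if data.lower() == "dword:00000001":
                findings.append("file extensions hidden (HideFileExt=1)")
    # win.ini run= / load= under [windows] are legacy autostart hooks.
    for m in re.finditer(r"^(run|load)=(.+)$", win_ini, re.M | re.I):
        findings.append(f"win.ini {m.group(1)}= autostart: {m.group(2).strip()}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_WIN_INI):
        print(finding)
```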


© AntivirusWorld.com