Virus News
24/09/2006: Weekly report on viruses and intruders
Wapplex.C is a worm that, although it does not have any damaging effects,
stands out for the variety of means it uses to spread. To spread across networks,
this worm can copy itself to the different shared resources. Similarly, it
can infect mapped drives.
It can also spread via email in different types of files, such as:
- Executable files compressed in ZIP format.
- JPG image files, compressed or uncompressed, which can exploit the
WMF vulnerability.
To prevent any type of attack from this worm or any other worm that exploits
the aforementioned vulnerability, it is highly advisable to install the
corresponding patch released by Microsoft.
The second worm in today's report is Sohanat.A, whose aim is to modify different
elements. These include the Internet Explorer home page and address bar title,
the web page displayed when the user opens Yahoo Messenger, etc.
This worm spreads through the instant messaging program Yahoo Messenger
by sending messages that include a link. If the user clicks on the link,
a web page opens, which contains an exploit that installs the worm on the
computer.
The adware program Ajax reaches computers when users visit a certain malicious
website designed to download it to the computer without the user
realizing. Once installed, as well as displaying advertising every so often,
it significantly slows down the computer, with all the problems that
this entails.
Finally, the VML vulnerability has been classified as critical and affects
a large number of versions of Windows XP and Windows Server 2003. This vulnerability
lies in the way in which Microsoft Internet Explorer handles VML (Vector
Markup Language) graphics. As a result, a hacker could host a specially-crafted
web page that, when visited by users, forces the browser to silently download
and run files. In fact, proof-of-concept code of this issue has been published.
Microsoft has not yet released a patch to fix this vulnerability. In the
meantime, users are advised to disable JavaScript execution in the
Microsoft Internet Explorer settings.
17/09/2006: Weekly report on viruses and intruders
This week's report looks at the BarcPhish phishing attack,
the Spamta.X worm and the MS06-052, MS06-053 and MS06-054 vulnerabilities
affecting some of Microsoft's products.
BarcPhish is a large-scale phishing attack targeting clients of Barclays
Bank's online services and involving at least 70 variants of a spoof
email. The false emails received by users are designed to appear as
if they have been sent from Barclays' customer services, with the subject
field chosen at random from a list of options. Some of these options are:
"Barclays bank official update", "Barclays bank - Security update", "Please
Read" or "Verify your data with Barclays bank". The message text, imitating
Barclays' corporate image, informs users that the bank is upgrading its software
and that they should follow a link in order to confirm their bank details.
Users who click on the link will access websites imitating those of
the bank, which request their account number, credit card number or PIN.
Spamta.X is an email worm that sends messages with subjects including Error,
Good Day or Mail Delivery System, and text content such as: Mail transaction
failed. Partial message is available.
The worm is hidden in an attachment to these messages. This attachment has
variable names and two extensions that are also chosen at random from a list
of options. It also displays the typical icon of .txt files.
If a user runs the file, Windows notepad opens displaying a list of
garbled characters and several files are created on the system along with
certain new registry entries.
The action that Spamta.X takes on computers includes modifying the hosts
file, primarily to prevent users from accessing security-related
websites. In order to spread, the worm searches files with certain extensions
on the infected computer for addresses to which to send itself.
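As an added illustration (not part of the original report), the following Python check parses a hosts file and flags every entry that names a security-vendor domain, the kind of modification Spamta.X makes to block security websites; the domain watch list and the sample hosts content are constructed here, not taken from the worm.

```python
import ipaddress

# Constructed watch list: domains a hosts-file hijack typically blocks.
SECURITY_DOMAINS = {"pandasoftware.com", "windowsupdate.microsoft.com",
                    "symantec.com", "mcafee.com"}
# Loopback addresses: pointing a vendor site here blackholes it.
LOOPBACK = {"127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip(".")

def is_watched(host, watchlist):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def find_hijacked(text, watchlist=SECURITY_DOMAINS):
    """Return (ip, host, kind) for each entry naming a watched domain.
    Loopback entries blackhole the site; any other address redirects it."""
    hits = []
    for ip, host in parse_hosts(text):
        if is_watched(host, watchlist):
            hits.append((ip, host, "blackhole" if ip in LOOPBACK else "redirect"))
    return hits

# Constructed sample: two legitimate lines followed by tampered entries.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1    localhost
::1          localhost
127.0.0.1    www.pandasoftware.com   # added by malware
127.0.0.1    symantec.com
10.0.0.5     windowsupdate.microsoft.com
192.168.1.20 fileserver.corp.example
"""

if __name__ == "__main__":
    for ip, host, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"{kind:9} {host} -> {ip}")
```

A legitimate hosts file should contain no vendor-domain entries at all, so any hit is worth investigating regardless of the address it points to.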
Finally, we are looking at three vulnerabilities in Microsoft products:
MS06-052, MS06-053 and MS06-054. The first of these, MS06-052, is classified
as important and could allow attackers to take remote control of computers.
The most concerning, however, is MS06-054, which affects Microsoft Office,
in particular the Publisher application. This security problem has been
classified as critical, as it could allow malicious Publisher files to
be constructed which, if opened, could run malicious code on the system.
10/09/2006: Weekly report on viruses and intruders
Goldun.LC is a password-stealer Trojan that steals login details for e-gold
accounts from infected users. It does this by installing itself as an Internet
Explorer BHO (Browser Helper Object).
Then, every time the browser is opened, it is activated and records user
keystrokes, thereby obtaining the login details for the e-gold account (if
users have one). It then sends the stolen data to another computer through
a TCP port.
As with most Trojans, it cannot spread by itself; it
normally reaches users as an email attachment with a .bmp file icon.
Lootseek.JJ is a worm that connects to an IRC server to receive orders from
a remote hacker. The worm's payload includes downloading and running
the Rizalof Trojan, designed to use computers as platforms for sending
spam.
Lootseek.JJ can spread across computer networks, making copies of itself
in the shared network drives it manages to access.
Finally, Banbra.DCY has established a new way of stealing confidential data
from users: video captures. Banbra.DCY is specifically designed to launch
attacks against users of certain Brazilian banks that use 'virtual keyboards'
(where users enter their passwords through mouse clicks on the on-screen
image of a keyboard) to allow users to log in.
When users connect to certain online banking websites, the Trojan captures
the area of the screen around the mouse cursor and saves it in .avi format
video files. The files are then sent secretly to malicious users who can
use the data for all types of online fraud.
03/09/2006: Weekly report on viruses and intruders
Clagge.B is a downloader-type Trojan that goes memory resident. It makes
the modifications necessary to the Windows Registry to bypass the firewall
so that it can execute malicious code. After doing this, it connects
to a certain Internet address from which it downloads a file called suhoy341.exe,
which belongs to the Trj/Banker.CZI Trojan, designed to steal users' bank
details.
Like most Trojans, Clagge.B cannot spread through its own means and requires
intervention from a malicious user to distribute it manually.
This Trojan can be included in files downloaded from the Internet or from
P2P (peer-to-peer) networks, attached to email messages, etc.
The second Trojan in this week's report, Rizalof.HT, creates an anonymous
proxy server on affected computers so that they can be used to send
out spam. To do this, when it is run, it connects to a server from which
it downloads other components and installs them on the computer.
One of these components is used to send spam. What's more, it tries
to terminate Windows security and update processes.
Finally, the Zcodec spyware program is included in a program that supposedly
installs the codecs needed to play a certain multimedia format. Once on the
system, a rootkit (a program designed to hide processes, files or registry
entries) is installed so that users cannot see which files are being run.
In this way, Zcodec installs two executable files. The first of these modifies
the DNS settings on the compromised computer so that when a user clicks on
results returned from search engines such as Google, a different page is
displayed. This tactic is exploited by the creators of the program in order
to profit from pay-per-click systems, or even to redirect users to pages
designed to steal confidential data.
The second executable file can have two different actions, which are executed
at random. In some cases, it installs the Ruins.MB Trojan, designed to download
other malicious programs to the computer. And on other occasions, the file
continually launches a casino application, asking for the user's permission
to install it. However, even if the user rejects installation of the program,
an icon is created on the Windows desktop, which when clicked, will install
the program.
27/08/2006: Weekly report on viruses and intruders
This week's report looks at the Goldun.KR, Downloader.KCC
and Downloader.KBR Trojans, and the Eliles.A worm.
Goldun.KR is a Trojan that monitors Internet traffic generated when the
user accesses web pages related with several online banks. In this way, it
steals the user names and passwords for these services and sends them to
its creator.
This Trojan reaches computers inside a double extension file called ASSET.TXT.EXE.
It tries to trick users into thinking that it is really a text file, as if
the option to hide extensions of known file types is enabled, users will
only see ASSET.TXT. If run, it opens Windows notepad.
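As an added example (not from the original report), the following Python check flags attachment names built on the double-extension trick that Goldun.KR uses (ASSET.TXT.EXE) and that Spamta.X uses with randomly chosen extension pairs; the extension lists are constructed, and the displayed name assumes Windows is hiding the final, known extension.

```python
import os

# Constructed lists: extensions Windows will execute, and benign-looking
# extensions malware borrows as a decoy for the inner name.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "bmp", "pdf", "zip", "htm", "html"}


def displayed_name(filename):
    """Name as Explorer or a mail client shows it when 'hide extensions for
    known file types' is on: the final extension is dropped (assumption:
    every extension in EXECUTABLE_EXTS counts as a known type)."""
    stem, ext = os.path.splitext(filename)
    return stem if ext[1:].lower() in EXECUTABLE_EXTS else filename


def classify_attachment(filename):
    """Return (suspicious, reason) for an attachment file name.

    Suspicious whenever the real (final) extension is executable; flagged
    more specifically when a decoy extension precedes it."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return False, "not executable"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return True, ("executable disguised as ." + parts[-2]
                      + ", shown as " + displayed_name(filename))
    return True, "executable attachment"


# Constructed sample attachment names, including the one the report describes.
SAMPLE_NAMES = ["ASSET.TXT.EXE", "invoice.zip", "readme.txt.scr",
                "photo.jpg", "setup.exe", "README"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name:16} {classify_attachment(name)}")
```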
The Downloader.KBR and Downloader.KCC Trojans are sent in files attached
to spam messages which simulate receipts of purchases made by the user or
chargebacks to credit cards.
If the user runs the file attached to either of these messages,
the Trojan will be installed on the computer. Downloader.KCC and Downloader.KBR
carry out similar actions and download the Spyforms.A Trojan to the system,
which is designed to steal data from infected computers, such as the IP address
or the Internet access password.
Finally, Eliles.A is a worm that tries to send messages to Movistar and
Vodafone cell phones. These messages include a link to download a malicious
file to the phone. Eliles.A has been programmed in Visual Basic Script and
reaches computers in email messages with the Spanish subject Curriculum Vitae
para posible vacante and the following text body (also in Spanish): Adjunto
Currilum Vitae, por estar interesado en algún puesto vacante en su
empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo
por esa zona. Sin más, reciba un cordial Saludo.
If the target user runs the attached file, the worm copies itself to the
computer under the name C.Vitae.zip, and sends itself out to all the email
addresses it finds on the system. It also disables some antivirus programs
that could be installed on the computer and inserts entries in the Windows
Registry to ensure it is run on every system start-up.
The worm also tries to send messages to cell phones on the Vodafone
and Movistar networks with a link to download a malicious file called Antivirus.sis,
which could affect cell phones running the Symbian operating system.
20/08/2006: Weekly report on viruses and intruders
This week's report looks at the Oscarbot.KD worm and
the Nabload.JC and Banker.EEA Trojans.
Oscarbot.KD is the first malicious code to infect systems by exploiting
the Microsoft MS06-040 vulnerability. Oscarbot.KD
searches for computers with this vulnerability. If it finds one, it
causes a buffer overflow on the system and executes the code needed to
download a copy of itself onto the computer in a file called wgareg.exe.
Oscarbot.KD can also spread using the AOL instant messenger
service and across shared drives.
When the worm is installed on a computer, it opens port 18067 and connects
to certain IRC servers. This could allow a remote attacker to communicate
with Oscarbot.KD to download and run all types of software on the compromised
computer or launch attacks on other computers, among many other actions.
Oscarbot.KD also edits a series of Windows registry keys to disable the
firewall included in certain versions of the operating system.
Nabload.JC, like many Trojans, cannot spread automatically using its own
means and therefore needs an attacker to distribute it. Propagation methods
are various and include floppy disks, CDs or email messages with attachments.
Nabload.JC is designed to download the malicious code that we will describe
below: Banker.EEA.
Banker.EEA is a Trojan that modifies the authentication page displayed in
users' browsers of the website of Postbank, a German bank. The Trojan modifies
it so that in addition to requesting the username and PIN, it also asks for
the TAN (Transaction Authorization Number). When it gets this information
it sends it to a server where it can be accessed by malicious users and used
for criminal purposes.
Bear in mind that although Banker.EEA is aimed specifically at clients of
Postbank, it also monitors and collects information entered in forms from
other sources, such as other banks or web mail services.
13/08/2006: Weekly report on viruses and intruders
The patches released by Microsoft to resolve 12 vulnerabilities, and a worm
called DarkFloppy.A, are the subject of this week's report
on viruses and intruders.
Of the 12 corrected vulnerabilities (from MS06-040 to MS06-051), the following
eight are considered 'critical':
- MS06-040: update that resolves several vulnerabilities in the Server service in Windows 2000, XP and Server 2003.
- MS06-041: update that resolves several vulnerabilities in the DNS service that could allow remote code execution in Windows 2000, XP and Server 2003.
- MS06-042: cumulative update that resolves several vulnerabilities in Internet Explorer.
- MS06-043: for Outlook Express in Windows XP and Windows Server 2003.
- MS06-044: resolves a vulnerability in the Microsoft Management Console in Windows 2000 that could allow remote code execution.
- MS06-046: update that prevents a buffer overflow in HTML Help. Applies to Windows 2000, XP and Server 2003.
- MS06-047: update that resolves a vulnerability in Visual Basic for Applications that could allow remote code execution. Systems affected are: Office 2000, Project 2000, Access 2000, Office XP, Project 2002, Visio 2002, Works Suite 2004, Works Suite 2005, Works Suite 2006 and Visual Basic for Applications SDK 6.0, 6.2, 6.3 and 6.4.
- MS06-048: recommended for Microsoft Office 2000, 2003 and XP to prevent two PowerPoint vulnerabilities.
Of all of these, MS06-040 is of most concern to experts as, not only have
exploits been published on the Internet, but it could also allow remote control
of compromised computers. It is therefore likely that more malicious code
will appear that can exploit this flaw. Users are advised to install the
Microsoft patch, available at: http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
DarkFloppy.A is a worm with no destructive effects, and only spreads by
making copies of itself on floppy disks. This malicious code is easy to detect
when it is installed on a system, as it displays an animation in the Windows
taskbar. Curiously, the animation can be changed through a small menu accessed
by right-clicking on the image.
06/08/2006: Weekly report on viruses and intruders
This week's report on viruses and intruders clearly
reflects the new dynamic influencing malware creators. The three examples
of malicious code detailed in the report are aimed at spying, hijacking
computers and stealing bank details.
Firstly, RuSpy.A is a Trojan that obtains user names and passwords for a
range of programs including ICQ, Internet Explorer, Mozilla, Outlook and
The Bat!. This information is then sent to the creator in an email message.
To avoid detection, it tries to terminate several processes belonging to
security tools (antivirus programs and files). This however is not effective
against Panda Software's TruPrevent(tm) Technologies and the auto-protection
systems of Panda solutions.
As well as sending out the information mentioned before, it tries to download
the file XINCH.EXE from a web page and creates shortcuts to several websites
(all with Russian "ru" domains), and alters the Internet home page
on the infected system.
Another widespread fraud technique is to hijack computers. This is
what the Tervserv.A backdoor Trojan does. It connects to a website
in order to receive remote commands, such as instructions to download
and run files that give the attacker complete control over the compromised
computer.
Tervserv.A can also be instructed to send information about files on the
computer as well as update or uninstall itself.
Finally, this week's report looks at Banker.DZO. This is a Trojan
that monitors Internet traffic generated when a user accesses the
web pages of Banco de Brasil, Bradesco, CEF, GERENCIADOR, Itau and
Brad.Juridico.
When an infected user opens one of these pages, Banker.DZO displays a false
login page in order to obtain the user name and password for accessing accounts.
This information is then sent to the creator in an email message. The information
compiled is quite extensive, ranging from the particular bank or branch of
the user to the password or even the secret password reminder question.