Panda Software's Weekly Report on Viruses and Intruders - 6/08/07
Saturday, 09 June 2007
This week's PandaLabs report looks at the
BankFake.F Trojan, the first two variants of the MSNHideOptions worm and
also the Grogotix.A worm.

BankFake.F is a dangerous banker Trojan that affects nine financial
entities. This malware, which can be distributed via email or infected
Internet downloads, reaches computers with an icon of two small winged
tortoises.

When it is run, this Trojan accesses a web page and displays a photo.
Meanwhile, it connects to two other addresses to download several
compressed files, all packed with UPX.

This Trojan is designed to steal bank passwords. It works in the
following way: when the user types the address in the browser of one of
the banks targeted by BankFake.F, it closes the browser and runs an
application corresponding to that particular bank. The application
displays an image of the bank's web page.

Once the confidential data has been entered, it is stored in .bsp or
.cop files. The Trojan periodically connects to an FTP site to
send the compiled information to its creator.

In addition to bank passwords, BankFake.F is also designed to steal
Hotmail account passwords. To do this, it displays an error message and
asks you to enter your data again, although once again, it is not the
real page but an application belonging to the Trojan.

Grogotix.A is a worm that creates six copies of itself on the system
when it infects a computer. Every time the user accesses a folder, it
creates a copy of itself under the name of the folder in the same
directory and the one immediately above it. It also creates a copy of
itself every time a file is run with the same name as the original one.

Grogotix.A modifies the hosts file, adding text with a message
supposedly signed by the creator of the worm stating that he hates his
campus. This modification also prevents the user from accessing several
web pages, all of them related to computer security companies. This
modification is detected by Panda Software as Qhost.gen.
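
The hosts file tampering described above can be checked for with a short audit script. The following is an added example, not Panda Software's detection logic: it flags lines that are not valid hosts entries (such as inserted free text) and entries that map security-vendor domains to another address. The watchlist, the `.example` domains and the sample file are constructed assumptions.

```python
import ipaddress

# Assumption: watchlist of security-vendor domains chosen by the defender.
# pandasoftware.com is from the page; the .example names are placeholders.
WATCHLIST = ("pandasoftware.com", "av-vendor.example", "updates.example")

# Constructed sample of a tampered hosts file (not taken from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
this line is free text, not a hosts entry
127.0.0.1       www.pandasoftware.com
0.0.0.0         av-vendor.example updates.example   # trailing comment
192.0.2.10      intranet.example
"""

def is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def audit_hosts(text):
    """Return a list of (line_no, kind, detail) findings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((n, "not-an-entry", raw.strip()))
            continue
        if len(fields) < 2:                   # address with no hostname
            findings.append((n, "not-an-entry", raw.strip()))
            continue
        sink = addr.is_loopback or addr.is_unspecified
        for host in fields[1:]:
            if is_watched(host):
                kind = "blocked" if sink else "redirected"
                findings.append((n, kind, host.lower()))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to pass in is normally `%SystemRoot%\System32\drivers\etc\hosts`.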

This worm also creates and modifies registry entries. One of these
ensures that it is run on every system startup, while another makes
several options in the Start menu disappear.

Grogotix.A is also designed to prevent several programs from running. It
also hides some security solutions' folders.

It tries to access an IRC network, connecting to several servers. If
successful, it will use the connection to transmit information about the
infected computer to its creator. It also sends random private messages
to network users, with a range of texts and a link to download the
malware. These texts include:

- $nick, free picture indonesia sex double klik url:
- aloo $nick mo liat artis majalah playboy indo?, double klik url:
- Bunga.C Dah Berani Bugil, Untuk liat Fotonya double klik url:
- 8 aloo $nick mo liat artis-artis indonesia nude, double klik url:

But the malicious action taken by Grogotix.A doesn't end there. It also
drops a web page on the system with a random five-character name and
tries to use a script to download a malicious file.

This week, PandaLabs has also discovered the A and B variants of the
MSNHideOptions worm. Although the previous code tries to slip by
unnoticed, these seem to want to be seen. As soon as they are run on a
computer, they show users a couple of messages in Spanish, one of
which is an insult.

Other malicious actions carried out by these worms include creating a
file called "Mis Contactos", in which all addresses of contacts in the
user's mail program are stored. They also hide certain applications on
the Windows Start bar, including Run, Search, Help, etc.

These variants of MSNHideOptions spread via email or MSN Messenger. To
do this, they send a message to the contacts on the infected computer
asking them to access a link, which supposedly contains photos of a
person.

More information about these and other threats is available in Panda
Software's Encyclopedia at
http://www.pandasoftware.com/virus_info/encyclopedia/

All users that want to know whether their computers have been attacked
by this or other malicious code can use TotalScan or NanoScan beta, the
free, online solutions available at: http://www.infectedornot.com
