This week's report will focus on six Korgo variants, the Downloader.JH Trojan and a hacking tool called IPScanner.A.
Like their predecessors, the six Korgo variants covered in this report (T, S, R, Q, P, O and N) exploit the Windows LSASS vulnerability to spread automatically to computers via the Internet. Although these malicious codes affect all Windows platforms, they can only spread automatically to Windows XP/2000 computers.
Korgo variants S, R, Q, P and O connect to several websites in an attempt to download files from them. They also send information on the country in which the affected computer is to those websites. Korgo.T opens port 3067 and listens on it, waiting for a file in order to run it on the affected computer. It also tries to connect to several IRC servers in order to allow remote control commands to be run.
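As an added example (not part of the original report), a small triage helper that parses the text output of `netstat -an` and flags any TCP socket listening on port 3067, the port the report says Korgo.T opens. The netstat lines embedded below are constructed for illustration.

```python
# Added example: triage helper for the Korgo.T network indicator described above.
# Parses `netstat -an` output (Windows layout) and reports TCP sockets listening
# on port 3067. The sample output below is constructed, not a real capture.
import re

KORGO_T_PORT = 3067  # listening port named in the report

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:3067           *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            yield proto, ip, int(port), foreign, state


def find_korgo_listener(text, port=KORGO_T_PORT):
    """Return local addresses that have a TCP listener on the given port."""
    return [f"{ip}:{lport}"
            for proto, ip, lport, _, state in parse_netstat(text)
            if proto == "TCP" and lport == port and state == "LISTENING"]


if __name__ == "__main__":
    hits = find_korgo_listener(SAMPLE_NETSTAT)
    print("TCP listener on port 3067:", hits or "none")
```

A listener on 3067 alone is not proof of infection; treat it as a prompt to inspect the owning process and the LSASS patch status of the host.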
Unlike other malicious code that exploits the LSASS vulnerability to affect computers, these Korgo variants do not display an error message with a countdown clock or restart the affected computer, which helps them go unnoticed by users.
The Trojan in today's report is Downloader.JH, which obtains information from the affected computer and downloads a dialer onto it (detected by Panda Software as Dialer.DA). It also creates the following files on the target computer: D1K.EXE, OLE32WS.DLL and CAX.CAB.
Downloader.JH is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer. The Trojan does not spread automatically using its own means. It needs the attacker's intervention to reach affected computers through various means of transmission (floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.).
We are going to finish this week's report with IPScanner.A, a tool designed to monitor computers within Microsoft networks. IPScanner.A does not show any messages or warnings that reveal its presence on the affected computer.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia.
Dialer: this is a program that is often used to maliciously redirect Internet connections. When used in this way, it disconnects the legitimate telephone connection used to hook up to the Internet and re-connects via a premium rate number. Often, the first indication a user has of this activity is an extremely expensive phone bill.
Hacking tool: a program that a hacker can use to carry out actions that cause problems for the user of the affected computer (allowing the hacker to control the affected computer, steal confidential information, scan communication ports, etc.).
More definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users.