This week's report will look at a program called Constructor/JPGDownloader, a hacking tool called SentinelSteal, two Trojans -Malam.A and Malam.B- and three worms -Fightrub.A, Bagle.BA and Rayl.A-.
Constructor/JPGDownloader is a tool for creating JPG image files which can exploit a buffer overflow called "Buffer overrun in JPEG processing". This security problem leads to a file (which could be a virus, worm, Trojan, etc.) being downloaded from the Internet and run when an image is opened with a vulnerable application.
Constructor/JPGDownloader lets malicious users enter the URL from which the file to be run on victim's computers is downloaded. Once the user has done this, it creates the JPG file with the information needed to download and run the file (which as mentioned, could be a virus, worm, etc.).
SentinelSteal is a hacking tool that can be run silently so that a user whose computer has been infected won't be aware of its presence or the actions it performs. These include:
- Logging keystrokes, including text entered in email messages, chats, instant messaging, etc.
- Registering web pages visited and blocking access to certain web pages.
- Taking screenshots at pre-determined intervals.
SentinelSteal sends -by e-mail or by FTP- the information it has gathered and then deletes it. This hacking tool is password protected.
Malam.A and Malam.B are Trojans sent out en masse in email messages, which include a link to a web page hosting a script. When a user accesses the address, the script installs an executable file that downloads the main component of the Trojans on the PC.
Malam.A opens a communication port on the computers it affects, through which it is possible to take action that could compromise the confidentiality of data or prevent the computer from being used properly. This Trojan also changes the Internet Explorer home page.
The B variant of Malam opens port 9687 and makes the computer act as a proxy server, becoming an intermediary between the attackers computer and the final target of the attack which is used to carry out a range of actions (send spam, access PCs to obtain information, etc.).
The first worm we'll look at in today's report is Fightrub.A, which spreads in an email with variable characteristics and through P2P file sharing applications. It is easy to tell when it has infected a computer, as once it runs, it displays the following text on screen: "Serial: 41191480 File crack".
The second worm is Bagle.BA, which arrives in an email with the subject "photo-gallery! =)", and includes an attachment "FOTO.ZIP".
Bagle.BA installs a keylogger on the affected computer -which Panda Software detects as Application/Keyhook.A-, which registers all keystrokes entered by the user. It also collects other information including system data, user names and passwords for applications and Internet accounts. The information obtained is sent via email to the virus author. Finally, this worm also opens port 2050 and waits for commands through remote connections.
Today's report ends with Rayl.A, a worm that spreads via MSN Messenger. A message is received with a link to an image, hosted on a web page. When the user clicks on the link to open the image -which is actually an HTM file-, Rayl.A infects the computer. This malicious code also tries to exploit the MhtRedir.gen vulnerability to download and run other malware on the computer.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.