Weekly report on viruses and intruders

This weeks report looks at four threats: a backdoor Trojan called Agent.APB, the Sdbot.FEP and Sdbot.FEX worms and the WorldAntiSpy hacking tool.

Agent.APB is a backdoor Trojan which creates the drwatson32.exe, winhttp.bin and wmvcore32.dll files on the computers it infects. The last of these is injected later in Internet Explorer to avoid process-oriented firewalls. This Trojan also creates several Windows registry entries in order to redirect execution of .exe and .pif files so that whenever files with these extensions are run on an infected computer, drwatson32 will be run first and will in turn use the run parameter to execute the original Agent.APB file. To ensure that only one copy of the Trojan is run at a time it creates the MicrosoftDrWatson32 mutex.

Sdbot.FEP and Sdbot.FEX are worms that spread across the Internet by exploiting the following vulnerabilities: LSASS, RPC DCOM, Workstation Service, Plug and Play and SQL Server Resolution Service. They also install their own FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) servers on infected computers to download themselves onto other computers.

Both worms connect to an IRC server to receive remote commands, such as instructions to download and run files, launch denial of service attacks, add or remove shared resources, search for vulnerable computers, etc.

We round off todays report with WorldAntiSpy, a hacking tool installed on users computers without their consent, as it is downloaded automatically from certain pornographic or pirate software websites that take advantage of exploits to attack computers. It could also be downloaded voluntarily by users from a certain web address.

WorldAntiSpy takes a series of actions on infected computers including:

- Installing several threats (such as spyware and adware), and then warning users to scare them into buying the complete version of WorldAntiSpy.

- Creating a shortcut on the desktop and displaying an on-screen message.

- Creating several Windows registry entries, one of which enables WorldAntiSpy to appear as an option in the "Add /remove programs" section in the Control Panel.

For further information about these and other computer threats, visit Panda Software's Encyclopedia.

About PandaLabs

Since 1990, PandaLabs mission has been to analyze new threats as soon as possible to ensure that our clients are safe. Several teams specialized in each specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.) work 24x7 to offer global coverage. To do this they are supported by TruPrevent Technologies, a truly global early warning system made up of sensors that are strategically distributed and neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is the fastest in the industry to offer complete updates (more information at www.pandasoftware.com/pandalabs.asp).