This week's report on viruses and intruders will focus on three backdoor Trojans -Webber.S, Webber.P and Agent.E-, two Trojans -Webber.S, Webber.P and Agent.E-, -, and three new Korgo variants.
Webber.S and Webber.P are two backdoor Trojans that allow malicious users to access remote computers, steal confidential information and send it to several websites. These two variants differ in their means of distribution.
Webber.P spreads by modifying the configuration of web servers that use IIS 5.0 (Internet Information Services). As a result, these servers will include malicious JavaScript code -detected by Panda Software as Exploit/DialogArg- in the pages they host. This code exploits an Internet Explorer vulnerability to allow Webber.P to be downloaded and run on the computer, without the user's consent.
Webber.S is also distributed when users visit certain web pages which include a malicious JavaScript code. Due to a vulnerability in Internet Explorer, this code allows Webber.S to be downloaded and run in the computer, without the user realizing.
Webber.P opens two TCP ports in order to make the affected computer act as a proxy server.
The third backdoor Trojan in today's report is Agent.E, which installs itself on affected computer when users visit certain web sites. This malicious code creates a dinamic link library in the targeted computer, which takes control of certain features of the browser Internet Explorer. Agent.E allows the following actions to be carried out: obtain information from the system, access files belonging to several applications, use objects for communication, etc.
The Trojan Bankhook.A installs itself on the affected computer by exploiting the MhtRedir Internet Explorer vulnerability. Bankhook.A modifies the affected computer's Windows Registry in order to ensure it is run every time the Internet Explorer is launched.
Bankhook.A searches the HTTPS traffic generated in the affected computer for text strings related to different online banks. If successful, Bankhook.A steals confidential information (user names, passwords, account numbers, credit card numbers, etc.) and sends it to a remote computer though a script.
The second Trojan in today's report is Scob.A, which only affects Windows XP/2000/NT computers that act as web servers, provided that they have IIS (Internet Information Services) v5.0 installed. Scob.A modifies the application settings so that malicious code (Exploit/DialogArg) is included in all the files provided from those servers.
We are going to finish this week's report with variants U, V and W of Korgo. All these malicious code exploit the Windows LSASS vulnerability to spread automatically to computers via the Internet. Even though these malicious code affect all Windows platforms, they can only spread automatically to Windows XP/2000 computers. All these Korgo variants connect to several websites and try to download files from them. They also send information on the country in which the affected computer is located to those websites.
Korgo.U, Korgo.V and Korgo.W go memory resident and, unlike other malicious codes that exploit the LSASS vulnerability to affect computers, they do not display an error message with a countdown clock or restart the affected computer.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia .
Additional information
Backdoor Trojan: this is a program that enters the computer and creates a backdoor through which it is possible to control the affected system without the user realizing.
Internet Information Server( IIS): this is a Microsoft server designed for publishing and maintaining web pages and portals.
Dynamic Link Library (DLL): a special type of file with the extension DLL.
More definitions at:http://www.pandasoftware.com/virus_info/glossary/default.aspx
About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
Add a Comment
No messages on this article yet