This week's report on viruses and intruders looks at three worms -Mydoom.P, Mydoom.O and Amus.A-, and two Trojans called Downloader.OG and Brador.A.
Mydoom.P spreads via email in a message that simulates an error messages. Every five seconds the worm checks to see if in the memory there are any active processes with the text strings av, AV, can, cc, ecur, erve, iru, java, KV, mc, Mc, nti, nv, ort, scn, SkyNet, sss, sym, Sym, uba and xp.exe. If so, Mydoom.P will terminate the process. Sometimes, the first time the worm is executed it opens Notepad.
Mydoom.P tries to use the two methods below in order to collect email addresses
- Searching in all files with any of the following extensions: ADB, ASP, CFG, DBX, DHTM, EML, HTM, HTML, JS, JSE, JSP, MMF, MSG, ODS, PHP, PL, SHT, SHTM, SHTML, TBB, TXT, WAB and XML.
- Making HTTP requests to the email.people.yahoo.com website, to use the people search feature in Yahoo mail.
Mydoom.O spreads via an email with variable characteristics. It installs a file that opens and listens on backdoor in TCP port 1034. This can give access to the compromised computer, though which confidential data can be stolen or users' can be prevented from using the computer properly.
The third worm we're looking at today is Amus.A, which uses its own SMTP engine to spread via email. It creates several copies of itself and a registry entry in the computer to ensure it is run every time Windows starts up. Sometimes, Amus.A can create a small white square in the top left-hand corner of the desktop.
The first Trojan in today's report is Brador.A, which affects PDAs (Personal Digital Assistant) running the Windows CE operating system. Its actions include opening a port that allows outside connections, and copying itself -as Svchost.exe- to the Start directory. When Brador.A affects a system it sends its creator a message saying that the device is available.
We finish of today's edition with Downloader.OG, a Trojan which periodically installs the adware Adware/Wupd, downoading it from a series of predetermined websites. Downloader.OG also creates on the victim's computer -in the Windows system directory- the BRIDGEX.DLL, file which is really a copy of itself.
For further information about these and other computer threats, visitPanda Software's Virus Encyclopedia.
- Backdoor: a backdoor can be used to allow an attacker to take control of a computer without the user's knowledge.
- Download: This is the process of obtaining files from the Internet (from Web pages or FTP sites set up specifically for that purpose).
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.