Weekly report on viruses and intruders

This week's report on viruses and intruders will focus on the worms Crowt.A, Mydoom.AG, Cisum.A, Bagle.BK and Bagle.BL.

Crowt.A is a worm that spreads via email in messages that contain texts made up of the headlines on CNN's website. This malicious code is designed to create a backdoor in affected computers in order to receive commands from remote attackers. What's more, Crowt.A installs a keylogger that can be used to steal personal or confidential data, such as passwords entered by the user to access online banking services.

Crowt.A also deletes the cookies stored on the computer and opens the Internet browser at a certain website.

Mydoom.AG is a new variant of a worm that, almost a year ago, caused a worldwide epidemic. This malicious code modifies the HOSTS file so that the affected user cannot access the websites of certain antivirus manufacturers. It also ends the processes belonging to different antivirus programs and spreads via email and peer-to-peer (P2P) file sharing programs.

Cisum.A is a worm whose most distinguishing action is that it insults the user by displaying a screen with the text 'YOU ARE AN IDIOT' while playing an MP3 audio file that repeats the same sentence. This malicious code can only spread automatically across computer networks. If a network user runs the file carrying Cisum.A, it copies itself under the name ProjectX.exe to the root directory of the shared network drives on the computer.

Cisum.A also ends the processes belonging to antivirus programs and other IT security applications, leaving the computer vulnerable to possible attacks from other viruses and hackers. What's more, it creates several entries in the Windows Registry in order to ensure that it is run whenever the affected computer is started up.

Finally, the BK and BL variants of the notorious Bagle worm reach computers in email messages in which the address of the sender of the message has been spoofed, and with a subject selected at random from a list of options. Some examples of these subjects are: 'Delivery by mail' or 'Delivery service mail'. The message body contains texts like: 'Before use read the help' or 'Thanks for use of our software'. The names of the files attached to these messages, which actually contain the code of these worms, are variable but always have a COM, CPL, EXE or SCR extension. In order to spread via P2P applications like KaZaA or Morpheus, these worms create copies of themselves under names like ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, to name a few.

If a file carrying any of these worms is run, they automatically send themselves out to all the email addresses they find in files with certain extensions stored on the affected computer, using their own SMTP engine. What's more, these variants of Bagle end the processes running in memory belonging to various antivirus programs and other security applications.
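A mail gateway can act on the attachment extensions listed above before a message reaches a user. The following is an added example, not code from Panda Software: the function names `risky_attachments` and `build_sample` are hypothetical, and the sample messages are constructed for the demonstration.

```python
import email
import email.policy
import os
from email.message import EmailMessage

# Attachment extensions the report lists for Bagle.BK and Bagle.BL.
BLOCKED_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}


def risky_attachments(raw_bytes):
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    flagged = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition and falls back to the
        # "name" parameter of Content-Type, so both spellings are covered.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.exe." still runs
        # as an executable; normalise before looking at the extension.
        normalised = name.rstrip(". ").lower()
        # Only the last extension decides how the file is opened, which
        # also catches double extensions such as "price.txt.exe".
        if os.path.splitext(normalised)[1] in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample(filename):
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"  # constructed address
    m["To"] = "user@example.com"      # constructed address
    m["Subject"] = "Delivery by mail"
    m.set_content("Before use read the help")
    m.add_attachment(b"constructed placeholder bytes",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in ("guide.SCR", "price.txt.exe.", "notes.txt"):
        print(fname, "->", risky_attachments(build_sample(fname)))
```

Because the sender address is spoofed and the subject is chosen at random, the extension check is a more stable filter than matching on either of those fields.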

About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on the type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/
