This edition of Panda Softwares weekly report looks at three Trojans, Trj/PGPCoder.B, Trj/Mitglieder.DQ and Trj/Bancos.GW, and two worms, W32/Oscarbot.AY and W32/Codbot.AP.
Bancos.GW is a Trojan that steals passwords and is programmed to spy on the browsing activity of the users it affects. If they enter certain keywords related to online banking portals, which are registered in this malwares code or visit the websites of certain international banks, it displays a pop-up message. This pop-up message asks users for information about their bank accounts, assuring the user that it is part of the banks secure SSL protocol. It sends all of the information it collects to a remote server, which the author of this malware can access.
The B version of PGPCoder is an update of a malware that hijacked files, encrypted them and held them to ransom, with improved functions, such as the capacity to encrypt a larger number of files and a different encryption algorithm. After encrypting the files, it deletes itself and sends the affected user an email asking the user for an unspecified amount of money in order to resolve the problem. This malware cannot spread by itself and therefore, must be distributed manually.
The last Trojan, Mitglieder.DQ, targets certain IT security tools, such as antivirus programs and firewalls, stopping the associated services and ending the processes. It also deletes the entries with their configuration details from the Registry. This Trojan also tries to download a file called OSA3.GIF, which could be another type of malware, although these downloads were not available when this article was written. This Trojan belongs to the Bagle/Mitglieder family. Over the last few months a large number of variants of this family have appeared, causing a significant number of incidents.
The two worms in this weeks report are bots. This type of malware has backdoor characteristics and goes resident on the users computer and waits to receive commands. Bots can be used to carry out coordinated attacks or send out spam and are hired out by their creators. The first of these is Oscarbot.AY, a worm that receives commands through an IRC server, which range from downloading and running code to updating its code or deleting itself. This worm spreads through the instant messaging application AOL Instant Messenger (AIM) by sending a message to all the contacts of the affected user with a link to a copy of the worm.
Codbot.AP acts in a similar way, but it also checks the computer for the most common known vulnerabilities and can log the users keystrokes in order to steal passwords or other confidential information like bank account details, credit card numbers, etc. This worm spreads by exploiting two of the most common known Windows vulnerabilities, LSASS and RPC-DCOM, making it essential to update the system to resolve these incidents.
To prevent these malware or any other malicious code from affecting your computer, Panda Software recommends keeping antivirus software up-to-date. Panda Software clients can already access the updates to detect and disinfect these malicious code.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/