[virusinfo] Panda Software's weekly report on viruses and intruders - 6-10-05

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 10 Jun 2005 16:29:20 -0700


From: Panda Virus Alerts:

- Panda Software's weekly report on viruses and intruders -
   Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

MADRID, June 10, 2005 - This edition of Panda Software's weekly report
looks at seven examples of malware: a hacking tool, Amplusnet; two Trojans,
Mytob.EN and Downloader.CZR; two worms, Mytob.EP, and Bobax.AO; a spyware
program, Smitfraud; and a virus, Smitfraud.A.

Amplusnet is a tool that, although it is a legitimate and useful
application, could be used by a malicious user to compromise the privacy of
a remote user. It is used to monitor and log the activity of users on
certain web sites, logging browsing habits and other types of confidential
information and generating reports. This application can be
password-protected so that it cannot be viewed in the Task Manager and is run
whenever the system starts up. To do this, it creates a key in the System
Registry.

Mytob.EN and Mytob.EP are two variants of the numerous Mytob family, which
is already one of the biggest organized attacks in the history of the
Internet. However, they have very different characteristics: whereas
Mytob.EP acts in the same way as other variants of Mytob, spreading as an
attachment to an email message and receiving commands via IRC, Mytob.EN is
the first variant in this family with the characteristics of a Trojan. It
uses techniques associated with online banking fraud or phishing to spread.
The Trojan sends out emails that, instead of inserting the malware as an
attached file, include a URL where users that have received the email
message can confirm their account details for a certain entity. This URL
actually contains a copy of the Trojan that is downloaded to the computer
when users access this web page. Like other variants, this specimen also
has backdoor characteristics and ends the processes belonging to antivirus
applications.

Bobax.AO and Downloader.CZR launched a joint attack at the end of last
week, in which the Trojan Downloader.CZR, distributed manually through
several different means, was downloaded to the computer infected by the
Bobax.AO worm. This malicious code can be managed remotely, making it
extremely versatile. The actions that it can carry out include downloading
and running files, mass-mailing spam and even updating itself. This worm
spreads using the following means of transmission: the Trojan described
earlier, a file attached to an email message, or by exploiting
vulnerabilities in the LSASS process in attacks against random IP
addresses. What's more, it protects itself by blocking access to certain
web pages, the majority of which are related to IT security companies.

Finally, Smitfraud and Smitfraud.A have also coordinated an attack and have
managed to spread widely, especially Smitfraud.A. The first is a spyware
program that installs itself on the computer without the user realizing,
and when it is run, it changes the Windows desktop to an image similar to
the classic Blue Screen Of Death, which advises the user to run an
antispyware solution that resolves the problem. This spyware program
previously installs the solution PSGuard, which will detect the malware,
but the user must register in order to disinfect it. Smitfraud.A is used by
the spyware program to infect the wininet.dll file, replacing it with
oleadm32.dll when the system is restarted, among other actions. Smitfraud
is another example of malware downloaded by CoolWebSearch, and can
infect the computer when viewing web pages with underground or adult
content.

To prevent this malware or any other malicious code from affecting your
computer, Panda Software recommends keeping antivirus software up-to-date.
Panda Software clients can already access the updates to detect and
disinfect this malicious code.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
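Two of the behaviours in the report above are cheap to check for on an exported system image: the autostart key Amplusnet creates under the Run branch of the registry, and the blocking of security-vendor web sites that Bobax.AO uses to protect itself. The script below is an added example for this list, not code from Panda Software or from Mike. It assumes the site blocking is done through the Windows hosts file (the report does not say how Bobax.AO blocks the pages), the vendor domain list and path heuristics are illustrative assumptions, and both sample inputs (a hosts file and a `reg export` of the Run key) are constructed here so that it runs offline.

```python
"""Offline triage of two artefacts described in the report: Run-key
autostart entries (Amplusnet) and blocked security-vendor sites (Bobax.AO).

Added example, not Panda Software's or this list's code. Assumptions:
  * site blocking is done via the Windows hosts file (the report does not
    say how Bobax.AO blocks the pages);
  * the vendor domain list and path heuristics below are illustrative;
  * every sample input is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a hosts file with vendor names pinned to a sinkhole.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com   # pinned by malware
127.0.0.1       pandasoftware.com
0.0.0.0         update.example-av.test
10.0.0.5        intranet.example.test
"""

# Constructed sample: "reg export" of the HKLM Run branch. The .reg format
# escapes a backslash as \\ and an embedded quote as \".
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Vendor\\tray.exe\" /quiet"
"svchosts"="C:\\WINDOWS\\system32\\svchosts.exe"
"Updater"="C:\\Documents and Settings\\user\\Application Data\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\cleanup.exe"
"""

# Assumption: domains a practitioner would expect a self-protecting worm to block.
SECURITY_DOMAINS = {"pandasoftware.com", "example-av.test"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def blocked_security_sites(hosts_text: str) -> List[str]:
    """Vendor hostnames (or subdomains) that resolve to a sinkhole address."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if ip not in SINKHOLE_IPS or name == "localhost":
            continue
        if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
            hits.append(name)
    return hits


_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\]$", re.IGNORECASE)
_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text: str) -> Dict[str, str]:
    """Map value name -> command line for every Run/RunOnce value in a .reg export."""
    entries: Dict[str, str] = {}
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = bool(_RUN_KEY.search(line))
            continue
        m = _VALUE.match(line) if in_run else None
        if m:
            # Undo the .reg escaping of \\ and \" in the data.
            entries[m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return entries


def image_name(cmd: str) -> str:
    """Basename of the executable in a command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = cmd.split()[0] if cmd else ""
    return cmd.rsplit("\\", 1)[-1].lower()


# Assumption: heuristics, not signatures. Binaries started from user-writable
# directories, or named to imitate a core Windows binary, deserve a second look.
_USER_DIRS = ("\\temp\\", "\\application data\\", "\\documents and settings\\")


def suspicious_autostarts(entries: Dict[str, str]) -> List[str]:
    """Names of Run values whose command line trips one of the heuristics."""
    flagged = []
    for name, cmd in entries.items():
        exe = image_name(cmd)
        in_user_dir = any(d in cmd.lower() for d in _USER_DIRS)
        lookalike = exe.startswith("svchost") and exe != "svchost.exe"
        if in_user_dir or lookalike:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("blocked vendor sites:", blocked_security_sites(SAMPLE_HOSTS))
    runs = parse_run_entries(SAMPLE_REG)
    print("autostart entries:", runs)
    print("suspicious:", suspicious_autostarts(runs))
```

On a live machine the same two functions can be pointed at `%SystemRoot%\system32\drivers\etc\hosts` and at the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`; the heuristics are a starting point for review, not a verdict, so treat a hit as something to inspect rather than something to delete.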

