Weekly Virus Report – Look at 3 Trojans and 2 Slapper Versions
This week’s virus report looks at three Trojans and two variants of Linux/Slapper.
The first Trojan we will refer to today is Bck/RBackdoor, which, by default, opens communication port 4820 and assigns the password “redkod” to communications. When Bck/RBackdoor reaches a computer, it goes memory resident and waits for a Telnet connection (or a connection made with a similar program) to be established. Furthermore, Bck/RBackdoor inserts an entry in the affected computer’s Windows Registry in order to ensure it is run every time Windows is started up, and saves a file containing the Trojan’s code to the system.
The second Trojan is Trj/Nidra, which modifies the system configuration in order to activate every time a file with an EXE or TXT extension is run. When Trj/Nidra activates, it creates a process in memory, which might cause affected computers to slow down. Finally, it saves two copies of itself (NOTEPAD.EXE and WINNDOW386.EXE) to the Windows system directory.
Trj/Nidra modifies several Windows Registry entries and creates others in order to ensure it is run every time the system is started up. Once Trj/Nidra has carried out its actions, it displays a message on screen.
The last Trojan we will deal with today is Inwi (Trj/Inwi), which, like the previous one, makes changes to the system to ensure that it is run every time a file with an .EXE or .TXT extension is opened. This Trojan also creates several files on the computer, including copies of itself, in order to steal data from the affected computer and send it to a certain e-mail address. Finally, the Trojan changes the Internet Explorer settings, including the default URL.
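Both Trj/Nidra and Trj/Inwi rely on two Registry changes described above: autostart entries and hijacked “open” commands for .EXE and .TXT files. The following audit script is an added example, not code from the original report or from any vendor tool. It parses a Windows Registry export in .reg text form, compares the exefile/txtfile open commands against clean-system defaults (the defaults are an assumption; verify them against your own Windows build), and lists every Run-key entry for review. The sample export and the PLACEHOLDER_TROJAN.EXE path are constructed; the report does not give the Trojans’ actual Registry values.

```python
"""Audit a Windows Registry export (.reg text) for the two persistence tricks the
report describes: Run-key autostart entries and hijacked "open" commands for
.exe / .txt files.  Added example, not code from the original report; the
sample export below is constructed and the malicious values are placeholders."""
import re

# Clean-system defaults (assumption: check against your own Windows build).
EXPECTED_OPEN_COMMANDS = {
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
    r"hkey_classes_root\txtfile\shell\open\command": r"%systemroot%\system32\notepad.exe %1",
}
# Autostart keys listed in full; any entry you do not recognise deserves a look.
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Matches  @="..."  or  "name"="..."  with .reg-style escapes inside the quotes.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: \" -> "  and  \\ -> \
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key_path_lowercase: {value_name: string_value}}; non-string values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def audit_reg_export(text):
    """Return a list of (finding_kind, key_path, value_name, value) tuples."""
    keys = parse_reg(text)
    findings = []
    for key, expected in EXPECTED_OPEN_COMMANDS.items():
        actual = keys.get(key, {}).get("(Default)")
        if actual is not None and actual.lower() != expected:
            findings.append(("hijacked_open_command", key, "(Default)", actual))
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            findings.append(("autostart_entry", key, name, cmd))
    return findings


# Constructed .reg export: the .exe association has been redirected through a
# placeholder dropper and a Run entry re-launches it at every start-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER_TROJAN.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PlaceholderTrojan"="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER_TROJAN.EXE"
'''

if __name__ == "__main__":
    for kind, key, name, value in audit_reg_export(SAMPLE_REG):
        print(f"{kind}: [{key}] {name} = {value}")
```

Export the relevant hives with `reg export` (or `regedit /e`) and feed the file to `audit_reg_export`. Only the exefile and txtfile commands are compared against a known-good value; Run entries are listed rather than judged, because a legitimate autostart list differs from machine to machine and the report names no exact value to match against.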
We will finish today’s report with two variants (B and C) of Linux/Slapper, which appeared at the beginning of this week. Like their predecessor, these two new worms use a known buffer overflow vulnerability in the OpenSSL component of Apache Web servers installed on certain Linux distributions (some versions of Mandrake, SuSE, Slackware, Red Hat, Debian and Gentoo). However, they differ from Linux/Slapper in the UDP port number they use to carry out attacks on affected computers (Linux/Slapper.B uses UDP port 1978 and Linux/Slapper.C UDP port 4156), and in the Linux distributions subject to infection.
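The report gives three port numbers a defender can look for: TCP 4820, which Bck/RBackdoor opens by default, and UDP 1978 and 4156, which Linux/Slapper.B and .C use. The script below is an added example, not tooling from the original report or from any vendor. It checks a netstat-style listener table for the backdoor port and iptables-style kernel log lines for the Slapper ports. The sample output and log lines are constructed, the log format is a simplified assumption, and the addresses are documentation ranges.

```python
"""Flag the network indicators named in the report in two kinds of constructed
input: a netstat-style listener table (the port Bck/RBackdoor opens by default)
and iptables-style kernel log lines (the UDP ports Linux/Slapper.B and .C use).
Added example, not tooling from the original report; the log formats are
simplified assumptions and the sample lines are constructed."""
import re

# (protocol, port) -> indicator taken from the report
INDICATORS = {
    ("tcp", 4820): "Bck/RBackdoor default communication port",
    ("udp", 1978): "UDP port used by Linux/Slapper.B",
    ("udp", 4156): "UDP port used by Linux/Slapper.C",
}


def scan_listeners(netstat_text):
    """Return [(proto, port, state, reason)] for local sockets on indicator ports."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() not in ("tcp", "udp"):
            continue                       # header line or unknown protocol
        proto = parts[0].lower()
        port = parts[1].rsplit(":", 1)[-1]  # local address is host:port
        if not port.isdigit():
            continue
        state = parts[3] if len(parts) > 3 else "-"   # UDP rows carry no state
        reason = INDICATORS.get((proto, int(port)))
        if reason:
            hits.append((proto, int(port), state, reason))
    return hits


_KV = re.compile(r"(\w+)=(\S*)")   # iptables LOG fields are KEY=VALUE pairs


def scan_firewall_log(lines):
    """Return [(src, dst, proto, dport, reason)] for packets to or from indicator ports."""
    hits = []
    for line in lines:
        fields = dict(_KV.findall(line))
        proto = fields.get("PROTO", "").lower()
        try:
            sport, dport = int(fields.get("SPT", -1)), int(fields.get("DPT", -1))
        except ValueError:
            continue                       # malformed or non-TCP/UDP entry
        reason = INDICATORS.get((proto, dport)) or INDICATORS.get((proto, sport))
        if reason:
            hits.append((fields.get("SRC"), fields.get("DST"), proto, dport, reason))
    return hits


# Constructed "netstat -an" output from a Windows host (placeholder addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4820           0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1045        192.0.2.1:80           ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed iptables LOG lines from a Linux web server (documentation addresses).
SAMPLE_FW_LOG = [
    "Oct  1 10:02:11 www kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=1978 DPT=1978 LEN=40",
    "Oct  1 10:02:12 www kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.1 LEN=60 PROTO=UDP SPT=33001 DPT=53 LEN=40",
    "Oct  1 10:02:15 www kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40212 DPT=443 WINDOW=5840 SYN",
    "Oct  1 10:02:19 www kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=UDP SPT=4156 DPT=4156 LEN=40",
]

if __name__ == "__main__":
    for hit in scan_listeners(SAMPLE_NETSTAT):
        print("listener:", hit)
    for hit in scan_firewall_log(SAMPLE_FW_LOG):
        print("firewall:", hit)
```

A port match is a triage cue rather than proof: any program can be configured to use these numbers, and Bck/RBackdoor’s port is only a default. For the Slapper variants the durable fix is the one the report implies, updating the vulnerable OpenSSL component on the Apache servers of the listed distributions, with the UDP ports serving to spot hosts that were already compromised.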