Weekly Virus Report – Linux Typot Trojan, Sobi, Sluter, Fortnight, Trile and Auric Worms
In this week’s virus report we will describe a Trojan called Typot (Linux/Typot), and the following worms: Sobig.E (W32/Sobig.E); Sluter (W32/Sluter); Fortnight.E (JS/Fortnight.E); Trile.C (W32/Trile.C) and Auric.E (W32/Auric.E).
Linux/Typot is a Trojan that only affects computers running under Linux platforms. Moreover, as it is dynamically linked against GLIBC 2.3, this Trojan only works in recent Linux distributions. It is programmed to open random ports in the affected computer and map them to the Internet. Then, every 24 hours it sends the information it has collected on the open ports to a predefined IP address.
The first worm in this report is Sobig.E, which spreads via e-mail compressed in a zip file. It infects computers with Win9x, ME, NT, 2000 and XP installed. Using its own SMTP engine, it sends itself out to the e-mail addresses it finds in files with any of the following extensions: TXT, EML, HTM*, DBX, WAB. It looks for these files in all the directories of the infected system.
The second worm, Sluter, spreads across shared resources on servers running under the operating systems Windows XP, 2000 and NT. Once Sluter has infected a computer, it checks whether other computers are connected to the network. If there are, it tries to access them in order to create a copy of itself and run it. Sluter goes memory resident and scans TCP/IP ports 3330, 3331 and 3332.
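The port-scanning behaviour described for Sluter gives a defender something concrete to look for in network logs. The following is an added example, not code from the report: it flags any source that probes all three of ports 3330, 3331 and 3332 on several neighbouring hosts, which is the propagation pattern above rather than a single stray connection. The log format (`src=... dst=... dport=... proto=...`) and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Sluter scans these TCP ports on neighbouring hosts while looking for shares.
SLUTER_PORTS = {3330, 3331, 3332}

# Constructed firewall log lines (not from the original report) in a simple
# "src=... dst=... dport=... proto=..." form assumed for this example.
LOG_LINES = """\
src=10.0.0.5 dst=10.0.0.12 dport=3330 proto=tcp
src=10.0.0.5 dst=10.0.0.12 dport=3331 proto=tcp
src=10.0.0.5 dst=10.0.0.12 dport=3332 proto=tcp
src=10.0.0.5 dst=10.0.0.13 dport=3330 proto=tcp
src=10.0.0.5 dst=10.0.0.13 dport=3331 proto=tcp
src=10.0.0.5 dst=10.0.0.13 dport=3332 proto=tcp
src=10.0.0.7 dst=10.0.0.12 dport=3331 proto=tcp
src=10.0.0.9 dst=10.0.0.12 dport=445 proto=tcp
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def sluter_scanners(lines, min_hosts=2):
    """Return {src: sorted destination hosts} for every source that probed
    all three Sluter ports on at least min_hosts distinct hosts."""
    probes = defaultdict(lambda: defaultdict(set))  # src -> dst -> ports seen
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, dport, proto = m.groups()
        if proto == "tcp" and int(dport) in SLUTER_PORTS:
            probes[src][dst].add(int(dport))
    hits = {}
    for src, per_dst in probes.items():
        full = sorted(d for d, ports in per_dst.items() if ports == SLUTER_PORTS)
        if len(full) >= min_hosts:
            hits[src] = full
    return hits


if __name__ == "__main__":
    for src, hosts in sluter_scanners(LOG_LINES).items():
        print(f"possible Sluter scan from {src} against {', '.join(hosts)}")
```

A single hit on one of the ports (as from 10.0.0.7 above) is not reported; only the full three-port sweep repeated across hosts is.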
Fortnight.E is a worm that spreads via e-mail as a link to a web page hidden in the AutoSignature of the message. When the user views this message, the Internet browser is opened at the hidden link. This web page contains JavaScript with the worm’s code, which is automatically downloaded, thereby infecting the computer. Fortnight.E also changes the settings of the Internet Explorer browser and adds shortcuts to three web pages with pornographic content.
The next malicious code is Trile.C, a worm that mainly spreads in a file attached to an e-mail message with variable characteristics, and via the P2P (peer to peer) file sharing programs KaZaA and Shareaza. When it has infected a computer, Trile.C sends itself out to all the contacts in the Address Book in Outlook. In addition, Trile.C infects a large number of files on the affected computer by copying itself to the beginning of them. Finally, it looks for processes belonging to antivirus and security programs and ends them if they are active.
We will close this report with Auric.E, which spreads via e-mail, the IRC clients mIRC and Pirch, and P2P (peer to peer) file sharing programs. When it spreads via e-mail, Auric.E reaches computers in an e-mail message that contains an attached file called ‘SZISZI_VIDEO.EXE’. When this file is run, the worm sends itself out to all the addresses in the Outlook Address Book and in all the files it finds with an HT* extension.