Panda Software Reports the Appearance of Lohack.C
PandaLabs has detected the appearance of a new worm called Lohack.C (W32/Lohack.C), which is causing incidents in Spain. In order to trick users, Lohack.C spoofs the address of the message carrying the worm so that it seems to have been sent from Panda Software or the Spanish Ministry of Science and Technology. The message text can refer to the Spanish Information and E-business Services Law (LSSI in Spanish) or an antidote for a new virus.
When Lohack.C is run, it sends itself out to all the contacts in the Windows address book on the affected computer. Similarly, it also tries to obtain the contact list from MSN Messenger and uses Google to search for domains that could contain addresses to send itself to. Apart from e-mail, this worm also spreads across network drives.
The e-mail messages that Lohack.C sends out are usually in html and, depending on the subject of the message, they take advantage of certain web pages that contain images. Below is an example of a message carrying this malicious code.
Lohack.C automatically activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting a vulnerability -known as Exploit/Iframe- that affects versions 5.01 and 5.5 of Internet Explorer and allows e-mail attachments to run automatically.
When it is run, Lohack.C carries out the following actions:
– It moves the mouse, obstructing the tasks performed.
– It copies messages in Spanish that refer to the Spanish Information and E-business Services Law (LSSI in Spanish) to the affected computer.
– It creates several entries in the Windows Registry to ensure it is run whenever the computer starts up.
– It looks for web servers in the network in order to modify the home page.
Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions immediately.. Users can also detect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company’s website.