Weekly report on viruses and intruders – Mydoom.P, Mydoom.O and Amus.A Worms and Downloader.OG and Brador.A Trojans
Mydoom.P spreads via email in a message that simulates an error message. Every five seconds the worm checks whether any active process in memory has a name containing one of the text strings av, AV, can, cc, ecur, erve, iru, java, KV, mc, Mc, nti, nv, ort, scn, SkyNet, sss, sym, Sym, uba and xp.exe. If so, Mydoom.P terminates that process. Sometimes, the first time the worm is executed, it opens Notepad.
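To show which processes a check like the one described above would hit, here is an added illustration (not Panda's code and not the worm's own code). It applies the report's substring list as a plain case-sensitive substring test to a constructed list of process names; the process names are assumptions chosen to resemble a typical Windows XP desktop, not captured from any real system.

```python
"""Which running processes would Mydoom.P's case-sensitive substring check match?

Added illustration for this report (not Panda's code or the worm's own code).
The substring list is the one quoted in the report; the process names below
are constructed sample input, not captured from a real system.
"""

# Substrings the report says Mydoom.P looks for in process names (case-sensitive).
MYDOOM_P_SUBSTRINGS = [
    "av", "AV", "can", "cc", "ecur", "erve", "iru", "java", "KV", "mc", "Mc",
    "nti", "nv", "ort", "scn", "SkyNet", "sss", "sym", "Sym", "uba", "xp.exe",
]


def matching_substrings(process_name):
    """Return the substrings from the worm's list that occur in process_name.

    The check is a plain case-sensitive substring test, which is why it also
    hits processes unrelated to security software (anything containing 'av'
    or 'cc', for instance) and why 'Sym' matches 'Symantec.exe' while 'sym' does not.
    """
    return [s for s in MYDOOM_P_SUBSTRINGS if s in process_name]


def processes_at_risk(process_names):
    """Map each process name the worm would terminate to the substrings that matched."""
    result = {}
    for name in process_names:
        hits = matching_substrings(name)
        if hits:
            result[name] = hits
    return result


# Constructed sample process list (assumption: names typical of a Windows XP box).
SAMPLE_PROCESSES = [
    "explorer.exe", "navapw32.exe", "mcshield.exe", "Symantec.exe", "winword.exe",
    "services.exe", "javaw.exe", "notepad.exe", "avgcc.exe", "svchost.exe",
]

if __name__ == "__main__":
    for name, hits in processes_at_risk(SAMPLE_PROCESSES).items():
        print(f"{name}: would be terminated (matches {', '.join(hits)})")
```

The practical use of such a list on the defender's side is the converse check: if security processes that should be running on a machine have disappeared, and the names that vanished all contain one of these strings, that pattern is itself an indicator worth correlating with the other symptoms in the report.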
Mydoom.P tries to use the two methods below in order to collect email addresses:
– Searching in all files with any of the following extensions: ADB, ASP, CFG, DBX, DHTM, EML, HTM, HTML, JS, JSE, JSP, MMF, MSG, ODS, PHP, PL, SHT, SHTM, SHTML, TBB, TXT, WAB and XML.
– Making HTTP requests to the email.people.yahoo.com website, to use the people search feature in Yahoo mail.
Mydoom.O spreads via an email with variable characteristics. It installs a file that opens a backdoor and listens on TCP port 1034. This can give access to the compromised computer, through which confidential data can be stolen or users can be prevented from using the computer properly.
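A listening TCP port is the kind of symptom an administrator can check for directly. The following is an added illustration for this report (not Panda's code): it parses output in the layout of Windows `netstat -an` and flags sockets on the port the report gives for Mydoom.O. The netstat lines are constructed to look like that output and are not captured from an infected machine.

```python
"""Flag TCP sockets on port 1034, the backdoor port the report gives for Mydoom.O.

Added illustration for this report (not Panda's code). The lines below are
constructed to resemble 'netstat -an' output on Windows; they are not captured data.
"""

BACKDOOR_PORT = 1034  # from the report

# Constructed sample output (assumption: Windows netstat -an column layout).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       192.168.1.9:4012       ESTABLISHED
  TCP    192.168.1.5:3128       10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:1034           *:*
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) for each TCP/UDP row.

    UDP rows carry no State column, so state is '' for them.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        local_ip, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], local_ip, int(port), parts[2], state))
    return rows


def find_backdoor_listeners(text, port=BACKDOOR_PORT):
    """Local addresses with a TCP socket in LISTENING state on `port`."""
    return [ip for proto, ip, p, _foreign, state in parse_netstat(text)
            if proto == "TCP" and p == port and state == "LISTENING"]


def find_backdoor_sessions(text, port=BACKDOOR_PORT):
    """(local_ip, foreign_address) pairs for ESTABLISHED TCP connections to `port`.

    An established session on the backdoor port means someone is already
    connected, which is more urgent than a bare listener.
    """
    return [(ip, foreign) for proto, ip, p, foreign, state in parse_netstat(text)
            if proto == "TCP" and p == port and state == "ESTABLISHED"]


if __name__ == "__main__":
    print("listeners on", BACKDOOR_PORT, ":", find_backdoor_listeners(SAMPLE_NETSTAT))
    print("sessions on", BACKDOOR_PORT, ":", find_backdoor_sessions(SAMPLE_NETSTAT))
```

A socket on port 1034 is an indicator, not proof: legitimate software can be assigned that port too, so a hit should be confirmed by identifying the owning process and the file it was started from.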
The third worm we’re looking at today is Amus.A, which uses its own SMTP engine to spread via email. It creates several copies of itself and a registry entry in the computer to ensure it is run every time Windows starts up. Sometimes, Amus.A can create a small white square in the top left-hand corner of the desktop.
The first Trojan in today's report is Brador.A, which affects PDAs (Personal Digital Assistants) running the Windows CE operating system. Its actions include opening a port that allows outside connections, and copying itself (as Svchost.exe) to the Start directory. When Brador.A infects a system it sends its creator a message saying that the device is available.
We finish off today's edition with Downloader.OG, a Trojan which periodically installs the adware Adware/Wupd, downloading it from a series of predetermined websites. Downloader.OG also creates the file BRIDGEX.DLL on the victim's computer, in the Windows system directory; this file is really a copy of itself.