Weekly Report on Viruses and Intruders – Zafi.D, Atak.H, Atak.I, Atak.J and Janx.A Worms and HideProc.B Trojan
At the beginning of this week, Zafi.D started spreading rapidly to a large number of computers, hidden in email messages with variable characteristics that passed themselves off as Christmas greetings. This worm is multi-lingual: it adapts the language of the text in the email message to the domain of the address it is being sent to. What’s more, Zafi.D can also spread via P2P (peer-to-peer) file sharing programs.
Zafi.D creates a backdoor by opening port 8181 and waiting for a file, usually another malicious code, to be transferred in order to run it. It also prevents access to applications containing the text string regedit, msconfig or task. After it has infected a computer, Zafi.D displays an error message on screen.
Like Zafi.D, the H, I and J variants of Atak also spread via email in messages that pretend to be seasonal greetings. These reach computers in email messages with the subjects “Merry X-Mas!” or “Happy New Year!” and the message body “Happy New year and wish you good luck on next year!” or “Mery Chrismas & Happy New Year! 2005 will be the beginning!”.
The messages carrying Atak.H, Atak.I and Atak.J include a .zip attachment, which contains a file with a bat, com, pif or scr extension. If the user runs this file, these worms copy themselves to the Windows system directory under the name dec25.exe. At the same time, they use their own SMTP engine to send themselves out to all the addresses they find in files with certain extensions stored on the affected computer.
These three variants of Atak are very similar to one another, differing only in aspects such as the size of the file attached to infected messages. However, due to a programming error, Atak.J cannot send itself out via email.
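As an added example (not part of the original report), a gateway-side check in Python for the Atak lure described above: a seasonal-greeting subject combined with a .zip attachment that contains a bat, com, pif or scr member. The sample messages, the attachment name card.zip and the member name are constructed for the test.

```python
"""Flag mail matching the Atak.H/I/J lure: greeting subject + zip with executable member.
Sample messages below are constructed, not real captures."""
import io
import zipfile
from email.message import EmailMessage

LURE_SUBJECTS = {"merry x-mas!", "happy new year!"}   # subjects quoted in the report
EXEC_EXTS = (".bat", ".com", ".pif", ".scr")          # member types quoted in the report


def zip_executable_members(blob: bytes) -> list[str]:
    """Return names of zip members with an executable extension; [] if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def classify(msg: EmailMessage) -> dict:
    """Inspect subject and every .zip attachment; block only when both indicators match."""
    subject_hit = (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS
    hits: list[str] = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            hits.extend(zip_executable_members(part.get_payload(decode=True)))
    return {"lure_subject": subject_hit, "exec_in_zip": hits,
            "block": subject_hit and bool(hits)}


def build_sample(subject: str, member: str) -> EmailMessage:
    """Construct a test message with one zip attachment (hypothetical name card.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes")  # constructed stand-in content
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Happy New year and wish you good luck on next year!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="card.zip")
    return msg


if __name__ == "__main__":
    print(classify(build_sample("Merry X-Mas!", "card.scr")))
```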
The final worm in today’s report is Janx.A, which spreads across the Internet by exploiting the LSASS vulnerability. To be more specific, it spreads automatically to computers running Windows XP/2000 that have not been correctly updated. It also works on other Windows operating systems if the file carrying the virus is run.
Janx.A connects to an IRC server and waits for control commands to carry out on the affected computer. What’s more, it installs an FTP server on port 5533.
The Trojan in today’s report is HideProc.B, which cannot spread automatically, as it requires intervention from an attacker. HideProc.B consists of a DLL (Dynamic Link Library), which is used by another malicious code to hide the execution of up to two processes.