Weekly Report on Viruses and Intruders – Trj/PGPCoder.B, Trj/Mitglieder.DQ and Trj/Bancos.GW, W32/Oscarbot.AY and W32/Codbot.AP
Bancos.GW is a password-stealing Trojan that monitors the browsing activity of the users it infects. When the user types certain keywords related to online banking portals (the keyword list is hard-coded in the Trojan) or visits the website of one of a number of international banks, it displays a pop-up window. The pop-up asks for bank account details and claims to be part of the bank's secure SSL session. It is nothing of the kind: the window is drawn by the Trojan on the infected machine, not served by the bank, so it appears whether or not the browser session is actually protected by SSL, and the browser's padlock says nothing about it. Everything entered is sent to a remote server under the control of the malware's author.
PGPCoder.B is an updated version of a Trojan that "hijacks" files by encrypting them and holding them to ransom. The new version can encrypt a larger number of files and uses a different encryption algorithm. After encrypting the files it deletes itself and sends the affected user an email demanding an unspecified sum of money to undo the damage. Paying does not guarantee recovery; restoring the files from a backup taken before the infection is the dependable remedy. PGPCoder.B has no propagation routine of its own and must therefore be distributed manually.
The last Trojan, Mitglieder.DQ, targets security software such as antivirus programs and firewalls: it stops their services, ends their processes and deletes their configuration entries from the Registry, so that the protection does not come back on the next reboot. It also tries to download a file called OSA3.GIF, which despite the image extension could be another piece of malware; the download was not available when this article was written, so its contents are unknown. This Trojan belongs to the Bagle/Mitglieder family, which has produced a large number of variants and a significant number of incidents over the last few months.
The two worms in this week's report are bots. Malware of this type has backdoor characteristics: it stays resident on the user's computer and waits for commands. Bots can be used to carry out coordinated attacks or send spam, and their creators "hire out" the infected machines. The first of these, Oscarbot.AY, receives its commands through an IRC server; they range from downloading and running code to updating the worm's own code or deleting itself. It spreads through the AOL Instant Messenger (AIM) application by sending every contact of the affected user a message containing a link to a copy of the worm. The IRC control channel is also the bot's weak point: an outbound IRC connection from a workstation that has no reason to use IRC is a strong indicator of infection, and blocking the control server cuts the bot off from its operator.
Codbot.AP behaves similarly, but it also probes for well-known vulnerabilities and can log the user's keystrokes to steal passwords and other confidential information such as bank account details and credit card numbers. It spreads by exploiting two of the most widely exploited Windows vulnerabilities, LSASS and RPC-DCOM (the flaws addressed by Microsoft bulletins MS04-011 and MS03-026 respectively), both reachable over the network on TCP ports 445 and 135. Keeping systems patched is therefore essential to resolving these incidents, and filtering those ports at the network boundary stops the worm from reaching machines that are not yet patched.
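As an added illustration of the patching advice above (this is not code from the report or from Panda), the following PowerShell function reports whether a Windows host is still missing the fixes for the two flaws Codbot.AP uses. The mapping of "RPC-DCOM" to bulletins MS03-026/MS03-039 and of "LSASS" to MS04-011, together with the KB numbers, is my own addition; the function name Test-WormPatchLevel is invented for this example. Both fixes are rolled into Windows XP SP2 and Windows Server 2003 SP1, and Windows Vista and later never shipped the bugs, so the function checks the service-pack level first and looks for individual hotfixes only on older builds.

```powershell
# Added example, not from the original report: is this host still exposed to the
# two flaws Codbot.AP exploits?  Bulletin/KB mapping is my addition:
#   RPC-DCOM -> MS03-026 (KB823980), superseded by MS03-039 (KB824146)
#   LSASS    -> MS04-011 (KB835732)
# Requires PowerShell 2.0 or later (Get-HotFix, Get-WmiObject).

function Test-WormPatchLevel {
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version            # e.g. 5.1.2600 (XP), 5.2.3790 (2003)
    $sp  = [int]$os.ServicePackMajorVersion

    $result = @{
        Computer   = $env:COMPUTERNAME
        OSVersion  = "$ver SP$sp"
        'RPC-DCOM' = 'unknown'
        'LSASS'    = 'unknown'
    }

    if ($ver.Major -ge 6) {
        # Vista / Server 2008 and later are not affected by either bulletin.
        $result['RPC-DCOM'] = $result['LSASS'] = 'not applicable'
    }
    elseif (($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $sp -ge 2) -or   # XP SP2+
            ($ver.Major -eq 5 -and $ver.Minor -eq 2 -and $sp -ge 1)) {    # 2003 SP1+
        $result['RPC-DCOM'] = $result['LSASS'] = 'fixed by service pack'
    }
    else {
        # Windows 2000, XP SP1 or earlier, Server 2003 RTM: the fixes are separate
        # hotfixes.  Match on the article number only, because very old entries in
        # Win32_QuickFixEngineering may carry a Q prefix instead of KB.
        $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
        $needed = @{
            'RPC-DCOM' = @('823980', '824146')   # either one closes the RPC-DCOM hole
            'LSASS'    = @('835732')
        }
        foreach ($name in $needed.Keys) {
            $have = @($needed[$name] | Where-Object { $id = $_; $installed -match $id })
            if ($have.Count -gt 0) {
                $result[$name] = "fixed (KB$($have -join ', KB'))"
            } else {
                $result[$name] = 'MISSING'
            }
        }
    }
    New-Object PSObject -Property $result
}

Test-WormPatchLevel | Format-List
```

On Windows XP and Server 2003, PowerShell 2.0 is a separate install, so on a fleet that predates it the same Win32_OperatingSystem and Win32_QuickFixEngineering queries can be issued from any WMI client. A "MISSING" result on a host that also listens on TCP 135 or 445 is exactly the condition Codbot.AP needs, and such a host should be isolated from the network until it is patched.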