Weekly Report on Viruses and Intruders – Mytob worm Variants, Bobin.A Trojan and Application/SpyPc
Three critical vulnerabilities affecting several Microsoft products, three new variants -HT, HU, and HV- of the Mytob worm, a Trojan called Bobin.A and Application/SpyPc are covered in this week’s report.
The three security problems we are looking at today could allow an attacker to take control of affected computers, with the same privileges as the user that started the session. Other characteristics of these vulnerabilities include:
– One of the security problems lies in Microsoft Word and affects Office 2000, Office XP and Microsoft Works Suite 2001, 2002, 2003 and 2004. An attacker could exploit this vulnerability, tricking users to open a specially-crafted document that includes malicious code.
– The second security problem lies in Microsoft Color Management Module and affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows Me. It could be exploited by an attacker by convincing users to visit a specially-crafted webpage.
– The third vulnerability lies in Jview Profiler and affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows Me. As with the previous problem, it can also be exploited by an attacker by convincing users to visit a specially-crafted web page.
Microsoft has reported these vulnerabilities in three security bulletins -MS05-035 to MS05-037-, in which it also announces the availability of the patches to resolve the problems and recommends users install them.
Mytob.HT, Mytob.HU and Mytob.HV are three worms that spread via email, in messages with variable characteristics. The three also share the following traits:
– They have backdoor characteristics. The three of them connect to an IRC server to receive commands to carry out on the affected computer.
– They terminate processes belonging to certain security tools, such as antivirus programs and firewalls. It also terminates processes belonging to other malware and prevents users from accessing certain web pages, in particular those of antivirus companies.
The next example of malware we are looking at is Bobin.A, a Trojan that uses infected computers to send out spam. To check that the Internet connection is active, it sends ping commands to a public DNS server. Another interesting characteristic of Bobin.A is that it updates itself, and could therefore increase its functionality. To do this it checks the version available in a web server, and if it is the most recent it downloads it.
We complete this report with Application/SpyPc, a program that logs keystrokes to monitor web pages visited by the user and chat conversations. It can also capture images from the PC, block the computer, disable system functions and log the files executed and files accessed.