Weekly Report on Viruses and Intruders – Mepe.A worm, and two Trojans, Mitglieder.EW and Mitglieder.FB.
This week’s report looks at a wide range of threats including three worms -P2load.A, Mytob.JN and Bagle.EI-, one example of spyware -Spytrooper-, three Trojans- Fantibag.A, Banker.APM and Mitglieder.EV-, and a hacking tool-Keyspy.B-.
P2load.A is a worm that spreads through the P2P file-sharing programs, Shareaza and Imesh. It takes several actions on infected computers, including modifying the HOSTS file so that when users request the Google page they are taken to another page, exactly the same as Google, but with nothing to do with the company, and hosted on a server in Germany. The spoof page appears to be exactly the same as the legitimate one and even includes the 17 languages supported by Google.
When users try to run a search on the spoof Google page, the results are displayed correctly or with slight variations with respect to the genuine Google results. What do change however, are the links sponsored by companies which normally appear at the top of the list of results. However in this case, with certain searches, users whose computers are affected by P2load will see other links specified by the malware creator in order to increase traffic to these sites.
The second worm that we are looking at today is Mytob.JN, which spreads via email in a message with variable characteristics. Mytob.JN opens a TCP port to connect to a server and receive remote control commands to execute on the infected PC. This worm also terminates processes belonging to different security tools, such as antivirus programs and firewalls, and processes belonging to other examples of malware. It also prevents access to certain web pages, in particular those of antivirus companies.
The third and final worm in today’s report is Bagle.EI, which sends a copy of a variant of Mitglieder to all email addresses that it gathers from certain websites and which don’t contain certain text strings. This example of malware also prevents some variants of Netsky from running when Windows starts up.
The next malware specimen that we are looking at is called Spytrooper. This is a type of adware which is automatically downloaded from adult websites or pirate software pages which use exploits to affect computers. It can also be downloaded after a pop-up window appears warning about spyware on the computer, or if users voluntarily download it from a certain web page.
Spytrooper warns users that their computer is infected by threats -which actually don’t exist-, at the same time as informing them that the threats can only be eliminated after they buy a full version of the program. When users buy and register Spytrooper, the supposed threats are no longer detected and the computer is ‘seemingly’ clean.
The first Trojan we are looking at today is Fantibag.A, which prevents access to a series of websites, mostly belonging to antivirus companies. It does this using a method based on RRAS (Routing and Remote Access Service) API functions, which provide packet filtering capacity.
Banker.APM is a Trojan that aims to steal confidential information such as passwords, which it then sends to its creator. It tries to redirect websites of various banks to a server hosting spoofed pages so that users enter their personal details when they visit these pages.
The third Trojan we’re looking at here is Mitglieder.EV, which attacks certain security tools such as antivirus programs and firewalls. Specifically, it deletes essential files and removes Windows Registry entries that allow applications to run automatically, it blocks services and terminates processes associated to the programs that provide the antivirus updates.
We end today’s report with a hacking tool called Keyspy.B, which logs keystrokes and then sends them out by email. It can also execute or block the execution of any program and monitor web pages visited.Mepe.A is a worm that caused a significant number of infections on September 20 and 21, especially in Latin America, placing it at the head of the infections ranking for several hours. In order to spread, this worm searches for open windows (normally instant messaging applications) with the title “Conversaci??n”. When infected users have such a window open, the worm sends them an invitation in Spanish with a link to a site from which they can supposedly download a postcard.
This is really the virus itself, which when it is run, displays a false error message while continuing with its action. Incidents involving this virus have, over the last few hours, reduced drastically, as the ISP responsible for the server on which the malware creator had hosted the worm, has disabled the file after being alerted to the issue by PandaLabs.
The other two species of malware, Mitglieder.EW and Mitglieder.FB, are similar in structure, and have been responsible for numerous incidents over the last few days, as part of the wave of Bagle and Mitglieder malware being distributed massively by email. Both of these principally aim to disable security solutions on users’ computers, making them vulnerable to further malware attacks.
Mitglieder.EW is a Trojan, and as such has no means of self-propagation. This worm could have been distributed manually as well as in symbiosis with Bagle worms (a frequent occurrence between these two types of malware), and through bot networks. Once it reaches a computer, the Trojan blocks update routine processes of several antivirus programs, as well as services related to antivirus programs, firewalls, etc.
To ensure these programs don’t run, it also eliminates Windows Registry entries containing their configuration. Finally, and as is usually the case with Mitglieder, it tries to download a file, OSA6.GIF, that appears to be an image but is really an executable, from numerous websites. This file is actually a variant of the Fantibag family.
Mitglieder.FB operates in the same way as the previous example, including the addresses from which it downloads OSA6.GIF, terminating numerous processes, and deleting a series of files from the computer’s hard disk, regardless of the drive, and mostly related with IT security. In this case, the file downloaded contains a variant of Downloader.
To prevent this malware or any other malicious code from infecting users’ computers, Panda Software advises users to keep their security software up-to-date. Panda Software clients already have the updates available to detect and disinfect these malware specimens.