Weekly Report on Viruses and Intruders – Agent.APB backdoor trojan, Sdbot.FEP and Sdbot.FEX worms and WorldAntiSpy Tool
Agent.APB is a backdoor Trojan which creates the drwatson32.exe, winhttp.bin and wmvcore32.dll files on the computers it infects. The last of these is injected later in Internet Explorer to avoid process-oriented firewalls. This Trojan also creates several Windows registry entries in order to redirect execution of .exe and .pif files so that whenever files with these extensions are run on an infected computer, drwatson32 will be run first and will in turn use the ‘run’ parameter to execute the original Agent.APB file. To ensure that only one copy of the Trojan is run at a time it creates the MicrosoftDrWatson32 mutex.
Sdbot.FEP and Sdbot.FEX are worms that spread across the Internet by exploiting the following vulnerabilities: LSASS, RPC DCOM, Workstation Service, Plug and Play and SQL Server Resolution Service. They also install their own FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) servers on infected computers to download themselves onto other computers.
Both worms connect to an IRC server to receive remote commands, such as instructions to download and run files, launch denial of service attacks, add or remove shared resources, search for vulnerable computers, etc.
We round off today’s report with WorldAntiSpy, a hacking tool installed on users’ computers without their consent, as it is downloaded automatically from certain pornographic or pirate software websites that take advantage of exploits to attack computers. It could also be downloaded voluntarily by users from a certain web address.
WorldAntiSpy takes a series of actions on infected computers including:
– Installing several threats (such as spyware and adware), and then warning users to scare them into buying the complete version of WorldAntiSpy.
– Creating a shortcut on the desktop and displaying an on-screen message.
– Creating several Windows registry entries, one of which enables WorldAntiSpy to appear as an option in the “Add /remove programs” section in the Control Panel.