Weekly Virus Report – Autorooter Trojan, Panol and Mimail Worms
This week’s report looks at a Trojan called Autorooter and two worms, Panol and Mimail.
Autorooter is a Trojan that exploits the DCOM-RPC vulnerability. Whenever this malicious code finds a valid IP address, it connects to the computer and checks whether it can exploit this security flaw. If it can, Autorooter uses the TFTPD.EXE file transfer server to download a file containing a backdoor Trojan called LOLX.EXE or DCOM.EXE. This file allows a hacker to gain remote access to the affected computer and perform actions such as reformatting the hard drive and adding new users.
Autorooter spreads in a file called WORM.EXE, which reaches computers through many different means (e-mail messages sent by malevolent users, files downloaded from the Internet, etc.). When this file is run, Autorooter creates several files on the computer, including RPC.EXE, which is the file that exploits the DCOM-RPC vulnerability.
Panol is a worm with destructive effects that spreads via e-mail in a file called VIRUS_BLOCK.EXE, attached to a message with the subject “Protects against viruses, worms, Trojan & hackers”. When this malicious code is run, it terminates processes belonging to several antivirus programs and security applications.
This worm formats the C: drive when the affected computer is restarted. Panol also changes the Internet Explorer home page and, on September 2 and September 11, displays a message on screen.
Panol sends itself out via e-mail to all of the contacts in the Outlook Address Book. In addition, it searches for e-mail addresses in all files with an ASP, HTM or HTML extension.
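The file names and the e-mail subject quoted above are the concrete indicators in this report, so they are what a mail administrator or incident responder would first look for. The following Python script is an added example, not code from the report or from any vendor: it checks constructed sample mail-gateway log lines (the key=value log format is an assumption) for Panol's attachment name or subject line, and checks a constructed list of host file paths for the file names the report attributes to Autorooter (WORM.EXE, RPC.EXE, LOLX.EXE, DCOM.EXE). A name match only flags a file or message for investigation; it does not by itself prove infection.

```python
import re

# Indicators taken from the report: Autorooter's dropped/downloaded file names,
# and the attachment name and subject line used by Panol.
AUTOROOTER_FILES = {"WORM.EXE", "RPC.EXE", "LOLX.EXE", "DCOM.EXE"}
PANOL_ATTACHMENT = "VIRUS_BLOCK.EXE"
PANOL_SUBJECT = "Protects against viruses, worms, Trojan & hackers"

# Constructed sample mail-gateway log lines (hypothetical key=value format;
# addresses use the reserved .test domain).
SAMPLE_MAIL_LOG = """\
2003-08-14T10:01:22 from=alice@example.test subject="Meeting notes" attachment=notes.doc
2003-08-14T10:03:05 from=unknown@example.test subject="Protects against viruses, worms, Trojan & hackers" attachment=VIRUS_BLOCK.EXE
2003-08-14T10:04:41 from=bob@example.test subject="Re: invoice" attachment=virus_block.exe
"""

# Constructed sample listing of files found on a host (hypothetical paths).
SAMPLE_HOST_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\rpc.exe",
    r"C:\temp\WORM.EXE",
    r"C:\Documents\report.doc",
]

# Pulls the quoted subject and the attachment file name out of one log line.
LOG_RE = re.compile(r'subject="(?P<subject>[^"]*)"\s+attachment=(?P<attachment>\S+)')


def panol_mail_hits(log_text):
    """Return the log lines whose attachment name or subject matches Panol.

    The attachment comparison is case-insensitive because Windows file names
    are; the subject is compared exactly as quoted in the report.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not carry subject/attachment fields
        attachment = m.group("attachment").upper()
        subject = m.group("subject")
        if attachment == PANOL_ATTACHMENT or subject == PANOL_SUBJECT:
            hits.append(line)
    return hits


def autorooter_file_hits(paths):
    """Return the paths whose base name is one of Autorooter's known file names."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].upper() in AUTOROOTER_FILES]


if __name__ == "__main__":
    for line in panol_mail_hits(SAMPLE_MAIL_LOG):
        print("Panol indicator in mail log:", line)
    for path in autorooter_file_hits(SAMPLE_HOST_FILES):
        print("Autorooter file name on host:", path)
```

Run as-is, the script reports the second and third log lines (the third matches on the lower-cased attachment name alone) and the two host paths named rpc.exe and WORM.EXE. In a real deployment the constructed samples would be replaced by the gateway's own log and a file inventory, and any hit would be followed by checking the file's contents rather than trusting the name.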
We finish this report with Mimail, a worm without destructive effects that spreads via e-mail in a message with clearly defined characteristics. Mimail tricks the user into thinking that the message has been sent by the mail server administrator. In order to run its code in the local zone of the affected computer, this malicious code exploits two vulnerabilities: the Internet Zone vulnerability in Internet Explorer and the MHTML vulnerability in Outlook Express.