Weekly Report On Viruses And Intruders – Webber Backdoors, Bankhook and Scob Trojans and Korgo Variants
This week's report on viruses and intruders covers three backdoor Trojans (Webber.S, Webber.P and Agent.E), two Trojans (Bankhook.A and Scob.A) and three new Korgo variants (U, V and W).
Webber.S and Webber.P are two backdoor Trojans that allow malicious users to access remote computers, steal confidential information and send it to several websites. The two variants differ in how they are distributed.
Webber.P is distributed through web servers running IIS 5.0 (Internet Information Services) whose configuration has been modified. As a result, these servers include malicious JavaScript code (detected by Panda Software as Exploit/DialogArg) in the pages they host. This code exploits an Internet Explorer vulnerability so that Webber.P is downloaded and run on the visitor's computer without the user's consent.
Webber.S is likewise distributed when users visit certain web pages that include malicious JavaScript code. Owing to an Internet Explorer vulnerability, this code causes Webber.S to be downloaded and run on the computer without the user noticing.
Webber.P opens two TCP ports in order to make the affected computer act as a proxy server.
The third backdoor Trojan in today's report is Agent.E, which installs itself on the affected computer when users visit certain websites. This malicious code creates a dynamic link library on the targeted computer, which takes control of certain features of Internet Explorer. Agent.E allows the following actions to be carried out: obtaining information from the system, accessing files belonging to several applications, using objects for communication, etc.
The Trojan Bankhook.A installs itself on the affected computer by exploiting the MhtRedir Internet Explorer vulnerability. Bankhook.A modifies the Windows Registry of the affected computer to ensure that it is run every time Internet Explorer is launched.
Bankhook.A inspects the HTTPS traffic generated on the affected computer for text strings related to various online banks. When it finds a match, Bankhook.A steals confidential information (user names, passwords, account numbers, credit card numbers, etc.) and sends it to a remote computer through a script.
The second Trojan in today's report is Scob.A, which only affects Windows XP/2000/NT computers that act as web servers and have IIS (Internet Information Services) 5.0 installed. Scob.A modifies the server's settings so that the malicious code (Exploit/DialogArg) is included in every file served from that server; visitors using a vulnerable Internet Explorer are then infected as described for Webber.P above.
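The symptom shared by the Webber.P and Scob.A descriptions above is that a compromised IIS 5.0 server appends a script block to every page it serves. The following check, added here as an example and not part of the original report or of any Panda Software tool, shows how an administrator can spot that symptom: per page, by looking for a script tag after the document's closing tag; site-wide, by checking whether every sampled page ends with the same appended block; and server-side, by comparing the file in the web root with what the server actually returns. The sample pages are constructed, and the appended block is a placeholder standing in for the injected Exploit/DialogArg code, not the real payload.

```python
"""Detect a web server that appends a script block to every page it serves.
Example code added to this report; all sample responses below are constructed."""

import re
from typing import Iterable, Optional

END_TAG = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample responses: two clean pages and the same pages as an
# infected server would serve them. The appended tag is a placeholder
# (assumption), not the actual Exploit/DialogArg code.
CLEAN_HOME = "<html><head><title>Home</title></head><body>Welcome</body></html>\n"
CLEAN_ABOUT = "<html><head><title>About</title></head><body>About us</body></html>\n"
INJECTED_TAIL = '<script src="http://example.invalid/inject.js"></script>'
INFECTED_HOME = CLEAN_HOME + INJECTED_TAIL + "\n"
INFECTED_ABOUT = CLEAN_ABOUT + INJECTED_TAIL + "\n"


def appended_content(body: str) -> str:
    """Return whatever follows the last </html> in a response, whitespace stripped.
    A clean page yields ''. A body with no </html> at all also yields ''."""
    last = None
    for match in END_TAG.finditer(body):
        last = match
    if last is None:
        return ""
    return body[last.end():].strip()


def has_trailing_script(body: str) -> bool:
    """Per-page check: a <script> tag after the closing tag is not valid HTML and
    is the signature of content appended by the server rather than the author."""
    return SCRIPT_TAG.search(appended_content(body)) is not None


def common_injected_tail(bodies: Iterable[str]) -> Optional[str]:
    """Site-wide check: if every sampled page ends with the same non-empty script
    block, return it. A uniform tail across unrelated pages points at a
    server-level modification rather than a single defaced page."""
    tails = {appended_content(b) for b in bodies}
    if len(tails) != 1:
        return None
    tail = tails.pop()
    return tail if tail and SCRIPT_TAG.search(tail) else None


def served_differs_from_disk(on_disk: str, served: str) -> bool:
    """Server-side check: the response should match the file in the web root
    apart from trailing whitespace; any extra content means something in the
    server's configuration is altering what it sends."""
    return on_disk.rstrip() != served.rstrip()


if __name__ == "__main__":
    for name, page in (("home", INFECTED_HOME), ("about", INFECTED_ABOUT)):
        print(f"{name}: trailing script = {has_trailing_script(page)}")
    print("site-wide tail:", common_injected_tail([INFECTED_HOME, INFECTED_ABOUT]))
    print("clean site flagged:", common_injected_tail([CLEAN_HOME, CLEAN_ABOUT]))
    print("disk vs served differs:", served_differs_from_disk(CLEAN_HOME, INFECTED_HOME))
```

In practice the inputs come from fetching a handful of unrelated URLs from the server with a plain HTTP client and, on the server itself, from reading the corresponding files out of the web root; the site-wide check is the more useful one, because a single page with a stray script after the closing tag can be a developer error, whereas an identical block on every page almost never is.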
We finish this week's report with variants U, V and W of Korgo. All of these variants exploit the Windows LSASS vulnerability to spread automatically to other computers over the Internet. Although they can run on all Windows platforms, they can only spread automatically to Windows XP/2000 computers. All of these Korgo variants connect to several websites and try to download files from them; they also report to those websites the country in which the affected computer is located.
Korgo.U, Korgo.V and Korgo.W go memory resident and, unlike other malicious code that exploits the LSASS vulnerability, they neither display an error message with a countdown clock nor restart the affected computer, so an infection produces no obvious symptom on the affected computer.
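Because these Korgo variants spread silently over the network, the most reliable place to notice them is perimeter or host firewall logs rather than the affected computer itself. The following detector, added here as an example and not code from the original report, flags the propagation pattern described above: a single source contacting many distinct hosts on the same port in a short time. The log lines are constructed, the log format is an assumption, and the port (445, over which the LSASS service is reached via SMB) and the threshold are assumed values chosen for the example rather than figures stated in the report.

```python
"""Fan-out detector for worm-style propagation such as the Korgo variants.
Example code added to this report; the log lines and their format are constructed."""

from collections import defaultdict
from typing import Dict, List, Set

# Constructed firewall-style log: "<time> <src_ip> <dst_ip> <dst_port> <action>".
# 10.0.0.5 sweeps six different hosts on one port (worm-like fan-out);
# 10.0.0.7 talks repeatedly to a single host (normal file-sharing traffic);
# 10.0.0.9 is ordinary web traffic on another port.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 10.0.1.1 445 DENY
12:00:01 10.0.0.5 10.0.1.2 445 DENY
12:00:02 10.0.0.5 10.0.1.3 445 DENY
12:00:02 10.0.0.5 10.0.1.4 445 ALLOW
12:00:03 10.0.0.5 10.0.1.5 445 DENY
12:00:03 10.0.0.5 10.0.1.6 445 DENY
12:00:04 10.0.0.7 10.0.1.1 445 ALLOW
12:00:04 10.0.0.7 10.0.1.1 445 ALLOW
12:00:05 10.0.0.9 10.0.1.2 80 ALLOW
"""

# Assumed values: SMB port used to reach LSASS, and how many distinct targets
# count as scanning. Tune the threshold to the size of the monitored network.
DEFAULT_PORT = 445
DEFAULT_THRESHOLD = 5


def distinct_targets(log: str, port: int = DEFAULT_PORT) -> Dict[str, Set[str]]:
    """Map each source address to the set of distinct destinations it contacted
    on the given port. Counting distinct hosts, not connections, is what separates
    a scan from a busy but legitimate client that hammers one server."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip malformed or truncated lines
            continue
        _time, src, dst, dport, _action = fields
        if dport == str(port):
            targets[src].add(dst)
    return targets


def scanning_hosts(log: str, port: int = DEFAULT_PORT,
                   threshold: int = DEFAULT_THRESHOLD) -> List[str]:
    """Return the sources that contacted at least `threshold` distinct hosts on `port`."""
    return sorted(src for src, dsts in distinct_targets(log, port).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dsts in distinct_targets(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct targets on port {DEFAULT_PORT}")
    print("suspected scanners:", scanning_hosts(SAMPLE_LOG))
```

Denied connections count as much as allowed ones here: a worm sweeping address space hits many hosts that do not exist or do not answer, so a source with a high number of distinct denied destinations is the signal, and filtering on "ALLOW" only would hide it.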