Weekly Report on Viruses and Intruders – Sasser.G and Gaobot.AIR Worms, MhtRedir.S and StartPage.JL Trojans
This week’s report will focus on five malicious code: a virus called Shruggle.1318; two worms -Sasser.G and Gaobot.AIR-; and two Trojans -MhtRedir.S and StartPage.JL-.
Shruggle.1318 cannot spread automatically through its own means, but spreads its infection to other files. It infects other computers when previously infected files are distributed. These files can reach computers through the means normally used by viruses (floppy disks, email messages with attached files, Internet downloads, files transfers via FTP, IRC channels and P2P (peer-to-peer) file sharing networks, etc.).
Shruggle.1318 infects PE and DLL (Dynamic Link Library) executable files in Windows 64-bit operating systems for AMD processors.
The first worm in today’s report is Sasser.G, which spreads via the Internet, attacking remote computers and exploiting the LSASS vulnerability. To do this, it sends ICMP queries to random IP addresses through TCP port 445.
Sasser.G only spreads automatically through computers running Windows XP/2000, and works in the rest of the Windows operating systems if the file carrying the worm is run by a malicious user. Finally, it is worth highlighting that Sasser.G exploits the LSASS vulnerability, causing a buffer overflow in the LSASS.EXE program, which restarts the computer.
Gaobot.AIR is a worm that creates a backdoor and uses a range of means of propagation, such as those mentioned below.
– It exploits the LSASS, RPC DCOM and WebDAV vulnerabilities to spread via the Internet.
– It makes copies of itself in the shared network resources it manages to access.
– It can get into computers with SQL Server with the System Administrator (SA) password left blank.
– It can get into computers with the DameWare Mini Remote Control program installed and into computers affected by the following backdoor Trojans: Optix, NetDevil, Kuang and SubSeven.
Gaobot.AIR allows remote control of the computers it affects, enabling an attacker to carry out actions like the following: run commands, download and run file and capture the keystrokes entered.
We are going to finish today’s report with MhtRedir.S, a Trojan that exploits the vulnerability reported in the Microsoft bulletin MS04-013 to run on the affected computer when the user visits a web page with malicious content.
When it is run, MhtRedir.S connects to a certain web page and downloads a file called HELP.CHM. This file contains a Trojan called StartPage.JL, which changes the home page of Internet Explorer and the default search options.