Weekly Virus Report – Seven Worms and One Spyware Application
This week’s report will look at seven worms -Bagle.BC, Zafi.C, the B and C variants of Famus, Swash.A, Buchon.A and Buchon.B- and a spyware application known as Spyware/Spydeleter.
Bagle.BC spreads via email in a message with variable characteristics, through P2P (peer-to-peer) file sharing programs, and across networks. It opens TCP port 81 and listens in on the communications for a remote connection. Through this connection, the worm will allow remote access to the affected computer. This would allow a remote user to carry out actions that could compromise the confidentiality of user data or impede the tasks carried out. What’s more, Bagle.BC ends the processes belonging to security tools, such as antivirus applications, leaving the computer vulnerable to attack from other malware.
Zafi.C spreads through peer-to-peer (P2P) file sharing programs and via email. To spread via email it uses its own SMTP engine and sends itself to the addresses whose domain does not contain certain text strings. It obtains these addresses from the files with a htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml or pmr extension it finds on the affected computer.
The language of the message sent by Zafi.C varies depending on the extension of the domain to which the message is sent. If the domain corresponds to the following countries: Germany, the Czech Republic, Denmark, Spain, Finland, France, Holland, Hungary, Italy, Lithuania, Norway, Poland or Sweden, the text will appear in the corresponding languages, and if not, it will be in English.
Zafi.C tries to launch Denial of Service (DoS) attacks against three websites belonging to Google, Microsoft and the Hungarian Prime Minister. What’s more, it ends the processes containing the strings ‘firewall’ and ‘virus’, and blocks access to applications that include the text ‘reged’, ‘msconfig2’ and ‘task2’.
The next worms we will look at are the B and C variants of Famus. Both these worms spread via email in a file attached to a message written in English and Spanish, which uses social engineering techniques to spread to as many computers as possible. The message tries to trick users into opening the attachment by making them believe it contains interesting images of the conflict in Iraq. When the file is run, they display a false error message on screen and send themselves out to the addresses they find in the files with a doc, eml, htm, or htt extension on the affected computer.
Famus.B and Famus.C also collect data from infected computer, such as the mail account, server, user name, version of Windows, etc., and sends them to the author of the code.
Swash.A is a worm that spreads via email in a message with variable characteristics and through P2P file sharing programs. It ends the processes belonging to security programs, like antivirus programs and firewalls, and blocks access to the websites of the main developers of antivirus software. Due to these actions, Swash.A leaves the infected computer vulnerable to other malware.
The last worms in today’s report are Buchon.A and Buchon.B, which spread via email. A curious characteristic of these worms is that once they are run, they wait ten minutes before starting to send out infected messages. The difference between these two variants is that variant B was compiled seven hours later and that it checks the system date before waiting ten minutes to send itself out via email.
We are going to finish today’s report with Spyware/Spydeleter, a spyware application that is automatically downloaded when users visit web pages containing links to malicious Java scripts, which try to install it. Once it has been installed on a computer, Spyware/Spydeleter downloads other spyware applications via FTP. Similarly it creates several processes and leaves them memory resident so that they are running at all times.
Spyware/Spydeleter creates several entries in the Windows Registry in the affected computer, whose most significant effect is that they change the home page of Microsoft Internet Explorer for another page warning the user that the computer could be infected by spyware. This page contains a link where the user can supposedly find help to clean the computer. However, if the user clicks on this link, a page opens from which the application Spy Deleter is downloaded, which will delete the spyware application for the 29 dollars, and which has apparently been programmed by the same person that created and distributed Spyware/Spydeleter.
Users affected by Spyware/Spydeleter will also find that two links called ‘Click to Remove Spyware’ and ‘Remove Spyware Now’ have been created on their desktop which point to this purchase page.