Weekly Report On Viruses And Intruders – Sober.I, Bagle.BG, Yanz.A, Drew.A and Aler.A worms, and the Msnsoug.A Trojan.
Sober.I is sent by email using its own SMTP engine, in a message either in German or English depending on the recipient. It gets email addresses from the infected computer and stores them in files. In order to ensure it is run whenever the computer is started up, it creates several entries in the Windows registry.
Bagle.BG sends itself out in emails with variable characteristics. The action it takes includes opening and listening on TCP port 2002. It acts as a backdoor allowing access to the infected computer. Bagle.BG also terminates processes belonging to certain applications that update antivirus solutions, leaving the computer vulnerable to future attack.
Yanz.A is an email worm that spreads in messages with highly variable characteristics and forged sender addresses. It can also spread through P2P file-sharing programs, creating copies of itself under variable names in folders whose name contains the letters ‘shar’. Both the messages and the shared files it creates make reference to the Chinese singer Sun Yan Zi.
Should the file containing the worm be executed, Yanz.A displays a small window with the text “Kernel Hatasi”. It also opens and listens on TCP port 67. Through this port it will try to download all sorts of malware, which Yanz.A will immediately execute.
Drew.A spreads both via email and P2P applications. In the first case it uses its own SMTP engine to send messages with a highly variable format. Both the message subject and text, along with the name of the attachment are chosen at random from a list of options. To spread via P2P applications, Drew.A searches all folders with the text ‘share’ and copies itself to these folders using names aimed at enticing users such as “Cameron Dias.scr”, “Delphi 8 keygen.com” and “DrWeb 4.32 Key.com”.
If a user runs one of the attachments carrying Drew.A, the worm creates two files on the affected computer with copies of itself. At the same time, it sends itself to all entries in the user's address book and deletes every file with an HTM or TXT extension that it finds on the computer.
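The P2P spreading technique described for Yanz.A and Drew.A (copies dropped under lure names into any folder whose name contains ‘shar’) and the listening backdoor ports given for Bagle.BG and Yanz.A are concrete enough to check for. The script below is an added defender-side example, not part of this report or of any vendor tool: it walks a directory tree, flags executables in share-like folders whose names match the lure names quoted above or a lure-word pattern (the pattern and the extension list are assumptions, not something the report states), and parses constructed `netstat -an`-style lines for the reported listening ports. The directory tree and netstat lines are constructed sample data.

```python
import os
import re
import shutil
import tempfile

# Lure file names quoted in the report for Drew.A. The worm also uses other
# variable names, so a real scan must not rely on this list alone.
REPORTED_LURE_NAMES = {"cameron dias.scr", "delphi 8 keygen.com", "drweb 4.32 key.com"}

# Assumption: executable extensions that should not appear in a share folder
# disguised as a "key", "keygen" or picture.
RISKY_EXTENSIONS = {".scr", ".com", ".exe", ".pif", ".bat"}

# Assumption: words typical of bait names, plus image-style double extensions.
LURE_WORDS = re.compile(r"keygen|crack|\bkey\b|serial|\.jpg\.|\.gif\.", re.IGNORECASE)

# Ports the report says the backdoors listen on.
REPORTED_LISTEN_PORTS = {2002: "Bagle.BG", 67: "Yanz.A"}


def is_share_folder(path):
    """Drew.A looks for 'share', Yanz.A for 'shar'; matching 'shar' covers both."""
    return "shar" in os.path.basename(path).lower()


def scan_share_folders(root):
    """Walk root and return (path, reason) for suspicious files in share-like folders."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_share_folder(dirpath):
            continue
        for name in filenames:
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            full = os.path.join(dirpath, name)
            if lower in REPORTED_LURE_NAMES:
                hits.append((full, "file name quoted in report"))
            elif ext in RISKY_EXTENSIONS and LURE_WORDS.search(lower):
                hits.append((full, "executable with lure-style name"))
    return hits


def listening_ports_of_concern(netstat_lines):
    """Parse Windows 'netstat -an'-style lines; return {port: worm} for reported ports."""
    found = {}
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[-1].upper() != "LISTENING":
            continue
        try:
            port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port in REPORTED_LISTEN_PORTS:
            found[port] = REPORTED_LISTEN_PORTS[port]
    return found


def build_sample_tree():
    """Constructed sample directory tree for the demo (not real infection data)."""
    root = tempfile.mkdtemp(prefix="p2p_demo_")
    share = os.path.join(root, "My Shared Folder")
    os.makedirs(share)
    for name in ["Cameron Dias.scr", "Delphi 8 keygen.com", "holiday.jpg", "Photoshop crack.exe"]:
        open(os.path.join(share, name), "wb").close()
    # Same lure name outside a share folder: out of scope for this worm's technique,
    # so the scanner deliberately leaves it alone.
    other = os.path.join(root, "Documents")
    os.makedirs(other)
    open(os.path.join(other, "DrWeb 4.32 Key.com"), "wb").close()
    return root


# Constructed netstat lines: one reported port per backdoor, plus normal noise.
SAMPLE_NETSTAT = [
    "Proto  Local Address          Foreign Address        State",
    "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING",
    "TCP    0.0.0.0:67             0.0.0.0:0              LISTENING",
    "TCP    192.168.1.5:1045       10.0.0.2:25            ESTABLISHED",
]


def demo():
    """Build the constructed tree, scan it, clean up, and return sorted flagged names."""
    root = build_sample_tree()
    try:
        return sorted(os.path.basename(p) for p, _ in scan_share_folders(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("flagged share files:", demo())
    print("reported ports listening:", listening_ports_of_concern(SAMPLE_NETSTAT))
```

The scan is scoped to share-like folders on purpose: that is where these two worms place their copies, and keeping the scope narrow keeps the lure-word pattern from flagging legitimate installers elsewhere on the disk. On a real host the netstat output would come from running the command rather than the constructed list.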
The last worm we’ll look at today is Aler.A which, although it first appeared a few days ago, has been distributed massively over the last week in email messages. The messages have the subject “Latest News about Arafat !!!” and include two attachments. One of them is an image file with a picture of the funeral of the Palestinian politician. The other, however, contains code designed to exploit a vulnerability in Internet Explorer. Through this flaw, it automatically installs the Aler.A worm, which is designed to spread across inadequately protected networks.
Today’s report ends with Msnsoug.A, a Trojan that does not spread under its own steam. Once it has infected a computer, it waits for a user to start an MSN Messenger session and sends a text message in Portuguese to all contacts active at that moment.