Weekly Report on Viruses and Intruders – Mugly.A and Gaobot.BXG Worms, Jabbit.A and Skulls.B Trojans
This week’s report looks at two worms (Mugly.A and Gaobot.BXG), a virus called Jabbit.A, the Skulls.B Trojan and an application called pcAudit.
Mugly.A is a worm that spreads via email in messages with variable characteristics that include an attachment called ATTACHED.ZIP. This file in turn contains an executable file, which is actually the worm itself.
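A mail-filter check for the delivery pattern described above (a ZIP attachment that contains an executable), as an added example that is not part of the original report. The executable extension list, the function names and the sample messages are assumptions constructed for illustration; the report gives only the attachment name.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the report does not name the file inside the archive, so any
# member with a common Windows executable extension is treated as suspicious.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
SUSPECT_ATTACHMENT = "attached.zip"  # attachment name given in the report


def executable_members(zip_bytes):
    """Return names of archive members that look like executables."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            return [n for n in archive.namelist()
                    if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a readable ZIP: nothing to report from this check


def inspect_message(raw_message):
    """Return findings for ZIP attachments that carry an executable."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        members = executable_members(part.get_payload(decode=True) or b"")
        if members:
            findings.append({"attachment": name, "executables": members,
                             "matches_report_name": name.lower() == SUSPECT_ATTACHMENT})
    return findings


def build_sample(attachment_name, member_name):
    """Constructed test message: harmless bytes inside a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()
```

Matching on the archive contents rather than only on the attachment name keeps the check useful when the name changes, since the report says the message characteristics are variable.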
On the computer it infects, Mugly.A searches files with the following extensions: ADB, ASP, DBX, DOC, HTM, HTML, PHP, SHT, TBB, TXT or WAB, looking for email addresses to which to send itself, unless the addresses contain text referring to antivirus companies.
After it is run, Mugly.A displays an image on screen, and installs and runs another worm, detected by Panda Software as Gaobot.BXG, which spreads by making copies of itself in the shared network resources that it manages to access.
Gaobot.BXG affects computers with Windows 2003/XP/2000/NT, exploiting the LSASS, RPC DCOM and WebDAV vulnerabilities. It also connects to an IRC server and awaits orders to carry out malicious actions such as obtaining information from the PC, executing files and carrying out Distributed Denial of Service (DDoS) attacks.
Jabbit.A is a virus that doesn’t spread automatically and reaches computers when it is distributed through any of the usual means (floppies, CD-ROMs, emails, etc.) in previously infected files. The virus uses ‘prepending’ techniques to infect HTML files that are in the directory in which it is executed. It also creates copies of itself in the Favorites folder and makes all links in the folder point to the virus, so it is run whenever users access the links.
After it infects a PC, on the 13th of each month Jabbit.A makes several messages appear on screen. It then opens Internet Explorer and displays a certain web page.
The next malicious code we will look at today is Skulls.B, a Trojan that has been distributed through cellphone forums and needs user interaction in order to install itself. It affects mobile phones using the Symbian operating system. Although the initial targets were Nokia 7610 phones, other devices based on the Symbian operating system can also be affected.
Skulls.B replaces the icons of all the applications on the phone with others belonging to a certain system application. It also installs files corresponding to other malware that also affects Symbian-based phones and is detected by Panda Software as Cabir.A.
We end today’s report with pcAudit, a program developed by a private company to check the level of security of the computer. By simulating a hacker attack, it tries to send data (such as files and folders in the My Documents directory, screenshots, keystrokes, etc.) to a server. If it manages to send information, the consequences can be serious as it will be transmitted over the Internet without any kind of encryption.