Weekly Report on Viruses and Intruders – Mytob.CX, Mytob.CU and Sdbot.DKE Worms, two Trojans, Whiter.F and Kelvir.AS
This week’s report on viruses and intruders will focus on three worms, Mytob.CX, Mytob.CU and Sdbot.DKE; two Trojans, Whiter.F and Kelvir.AS; a vulnerability, MS05-024; and a hacking tool, QuickKeylog.
Mytob.CX and Mytob.CU are two members of the Mytob family of worms, of which over 100 variants have been released in the last few months. These two malicious codes are email worms with backdoor characteristics, which, once installed, connect to an IRC server and wait for instructions to carry out certain actions on the affected computers, such as deleting, downloading or running files. Like other members of the same family, these worms shut down processes belonging to certain security applications and prevent users from accessing various web addresses, mainly sites related to IT security.
Sdbot.DKE is a worm with backdoor characteristics, which, as is usually the case with bot-type malware, allows hackers to gain remote access to the affected computer, in this case through its own IRC server. The worm can accept remote control commands, such as launching denial of service (DoS) attacks against websites. To propagate, Sdbot.DKE uses known vulnerabilities in operating systems and unprotected shared resources, as well as resources protected with weak passwords. This worm is also distributed by the Trojan Kelvir.AS.
Kelvir.AS is one of the new Trojans that spread through instant messaging programs by sending out a message to all the addresses in the Contact List of the affected user. This message includes a link that points to a web address which, in turn, downloads a copy of the worm Sdbot.DKE. Kelvir.AS does not spread using its own means, but needs manual intervention to reach affected computers. The means of transmission used include floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Although included in this report, QuickKeylog is not a malicious code but a tool reported to have been inappropriately used for unlawful purposes. QuickKeylog is a legitimate and useful tool, whose functionality has made it subject to malicious usage by hackers. QuickKeylog logs keystrokes entered by the affected user and stores them in a hidden and encrypted file, accessible only to the user who installed it.
The war of malware creators against software and music piracy seems to continue with Whiter.F, an extremely harmful Trojan which deletes all of the files on the hard disk of the affected computer. Once installed on a computer, Whiter.F creates a text file called WXP in the root directory of the targeted computer and replaces all the files on the hard drive with the file it has created. This file contains the phrase "You did a piracy, you deserve it". Finally, the Trojan completely removes all of the files on the hard drive so that, even if the user attempts to recover the hard drive data using some special tool, the files recovered will be copies of the file WXP.
We will finish today’s report with the MS05-024 vulnerability, an important security flaw which affects Windows 2000 computers and could allow hackers to gain remote control of the affected computer with the same privileges as the user that originally logged on to it. MS05-024 is exploited by creating a malicious file and tricking users into connecting to the folder that contains it and previewing it through Windows Explorer. It is recommended to update your operating systems with the corresponding security patch to avoid potential infections.