Weekly Report on Viruses and Intruders – Mytob.DN, and the Trojans Gorgs.A and PGPCoder.A
Mytob.DN is a member of the well-known Mytob family of worms, responsible for several waves of attacks on computers worldwide. Mytob.DN is a worm with backdoor characteristics: it connects to a remote server and waits to receive commands from a malicious user to carry out certain actions on the affected computer. It also downloads a further piece of malware to the affected computer, detected by Panda Software as Faribot.A. In addition, it modifies the infected computer’s HOSTS file, preventing users from accessing web pages belonging to antivirus companies.
The worm spreads both by taking advantage of the LSASS vulnerability, which it tries to exploit by launching attacks against randomly generated IP addresses, and through the MSN Messenger messaging application, by using Faribot.A. Mytob.DN can also spread via email, in a message in English with various formats, sent to addresses that the worm obtains from the affected computer.
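The HOSTS-file modification described above is something a defender can check for directly: a legitimate workstation resolves vendor update and antivirus sites through DNS, so any static HOSTS entry for such a name is suspicious, and one pointing at a loopback or unspecified address is a deliberate block. The following checker is an added example written for this report, not Panda Software's code; the watched domain names, the sample HOSTS content and the "sinkhole"/"redirect" labels are constructed for illustration, and a real deployment would load the organisation's own list of protected names.

```python
"""Flag HOSTS-file entries that pin antivirus or update domains to a fixed address.

Added example, not Panda Software's code. WATCHED_DOMAINS and SAMPLE_HOSTS
are constructed placeholders.
"""
import ipaddress
import re

# Constructed watch-list: names a worm would want to keep the user away from.
WATCHED_DOMAINS = {"av-vendor.example", "update.av-vendor.example", "os-update.example"}

# Addresses that make a name resolve to nowhere useful.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

_COMMENT = re.compile(r"#.*$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs for every mapping in a HOSTS file body."""
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank, comment-only or malformed line
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # first token is not an address
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return sorted (hostname, ip, kind) triples for watched names pinned in HOSTS.

    kind is 'sinkhole' for loopback/unspecified targets (the name is blocked)
    and 'redirect' for any other address (the name is sent somewhere else).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            kind = "sinkhole" if ip in SINKHOLE_ADDRESSES else "redirect"
            findings.append((name, ip, kind))
    return sorted(findings)


# Constructed sample: one benign localhost line, two blocks and one redirect.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       av-vendor.example   # appended by malware
0.0.0.0         update.av-vendor.example
192.0.2.10      os-update.example
"""

if __name__ == "__main__":
    for name, ip, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"{kind:8} {name} -> {ip}")
```

To run it against a live machine, read the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass the text to `find_hijacked`; the "localhost" line and any entries you deliberately maintain will not match unless they are in the watch-list.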
Gorgs.A is a Trojan with keylogger characteristics, that is, it logs the keystrokes entered by the user of the infected computer. Once installed on the system, the Trojan uses a series of techniques to try to go unnoticed by users. On Windows 9x computers, Gorgs.A uses a function that keeps its process out of the Task List, whereas on Windows 2000/XP computers the Trojan injects itself into the system process EXPLORER.EXE to hide its presence from the user. If the Trojan cannot take either of these actions, it will still run on the computer, although its process will then be visible to the user. Once run, the Trojan logs all the keystrokes entered by the user and saves them to a file. When this file reaches a certain size, it is sent by email to an address belonging to a Russian domain. As is usual with Trojans, Gorgs.A cannot spread by itself but needs to be distributed manually through other channels.
PGPCoder.A has started a new trend in computer malware, the so-called “ransom-ware”, that is, malicious software whose purpose is to obtain money through extortion. In this particular case, the Trojan encrypts files with certain extensions: DOC (Word documents), JPG (images), XLS (Excel spreadsheets), HTML (web pages), and the most common compression formats, ZIP and RAR. Then, PGPCoder.A creates a TXT file in every directory in which it has encrypted a file. This file includes an explanation of the Trojan’s action and asks users for $200 for their files to be released, as well as giving them a contact email address. Finally, PGPCoder.A creates two keys in the Windows Registry: one to ensure it is run on every system startup, and the second to monitor the progress of the Trojan on the infected computer, counting the number of files that have been analyzed by the malicious code.
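The footprint described above (files of the listed extensions that no longer parse as their format, plus a TXT note in each affected directory) is what an incident responder would look for when scoping how far the Trojan got. The triage script below is an added example written for this report, not Panda Software's code: the target extensions come from the report, the format magic bytes are public facts, and the entropy threshold, the ransom-note keyword heuristic and the sample directory tree are constructed for illustration.

```python
"""Scope a directory tree for the footprint the report attributes to PGPCoder.A:
suspected-encrypted files with the listed extensions and ransom-note TXT files.

Added example, not Panda Software's code. The entropy threshold, note keywords
and sample tree are constructed heuristics.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

# Extensions named in the report as the Trojan's targets.
TARGET_EXTENSIONS = {".doc", ".jpg", ".xls", ".html", ".zip", ".rar"}

# Leading bytes these formats normally carry; an encrypted copy will not.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",), ".html": (b"<!", b"<h", b"<H"),
    ".zip": (b"PK\x03\x04",), ".rar": (b"Rar!",),
}

# Constructed heuristic: a note mentions encryption, a price and a contact address.
NOTE_KEYWORDS = ("encrypted", "$", "@")


def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8.0, documents and text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True when a target file lacks its format's magic and its head is near-random."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    if any(head.startswith(m) for m in MAGIC.get(ext, ())):
        return False
    return shannon_entropy(head) > 7.0


def looks_like_ransom_note(path):
    """True for a TXT file whose text reads like an extortion message."""
    if not path.lower().endswith(".txt"):
        return False
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read(4096).lower()
    return all(k in text for k in NOTE_KEYWORDS)


def triage(root):
    """Walk root; count suspected-encrypted targets, intact targets and notes."""
    result = {"encrypted": 0, "intact": 0, "notes": 0, "note_dirs": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                result["encrypted" if looks_encrypted(path) else "intact"] += 1
            elif looks_like_ransom_note(path):
                result["notes"] += 1
                result["note_dirs"].append(os.path.relpath(dirpath, root))
    result["note_dirs"].sort()
    return result


def build_sample_tree():
    """Constructed victim-like tree: 'docs' was hit, 'photos' was not."""
    root = tempfile.mkdtemp(prefix="pgpcoder_triage_")
    docs, photos = os.path.join(root, "docs"), os.path.join(root, "photos")
    os.makedirs(docs)
    os.makedirs(photos)
    # Stand-in for ciphertext: every byte value appears equally often (entropy 8.0).
    scrambled = bytes((i * 197 + 31) % 256 for i in range(4096))
    files = {
        (docs, "report.doc"): scrambled,
        (docs, "archive.zip"): scrambled,
        (docs, "ATTENTION.txt"): b"Your files have been ENCRYPTED. Send $200 to "
                                 b"unlock@example.invalid to get them back.",
        (photos, "holiday.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 2000,
        (photos, "readme.txt"): b"Holiday pictures from last summer.",
    }
    for (d, name), content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return root


def demo():
    """Build the sample tree, triage it, remove it, and return the summary."""
    root = build_sample_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Point `triage` at a mounted image or a user's profile directory to get a per-directory list of where notes were dropped and a count of files that will need restoring from backup; the entropy test is a heuristic, so already-compressed formats such as ZIP and JPG are first checked for their magic bytes to avoid counting an intact archive as encrypted.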