Weekly Report on Viruses and Intruders – Amplusnet; two Trojans, Mytob.EN and Downloader.CZR, Mytob.EP, and Bobax.AO, Smitfraud and Smitfraud.A
Amplusnet is a tool that, although it is a legitimate and useful application, could be used by a malicious user to compromise the privacy of a remote user. It is used to monitor and log the activity of users in certain web sites, logging browsing habits and other types of confidential information and generating reports. This application can be password-protected so that it cannot be view in the Task Manager and is run whenever the system starts up. To do this, it creates key in the System Registry.
Mytob.EN and Mytob.EP are two variants of the numerous Mytob family, which is already one of the biggest organized attacks in the history of the Internet. However, they have very different characteristics: where as Mytob.EP acts in the same way as other variants of Mytob, spreading as an attachment to an email messages and receiving commands via IRC, Mytob.EN is the first variant in this family with the characteristics of a Trojan. It uses techniques associated to online banking fraud or phishing to spread. The Trojan sends out emails that, instead of inserting the malware as an attached file, includes a URL where users that have receive the email message can confirm their account details for a certain entity. This URL actually contains a copy of the Trojan that is downloaded to the computer when users access this web page. Like other variants, this specimen also has backdoor characteristics and ends the processes belonging to antivirus applications.
Bobax.AO and Downloader.CZR launched a joint attack at the end of last week, in which the Trojan Downloader.CZR, distributed manually through several different means, was downloaded to the computer infected by the Bobax.AO worm. This malicious code can be managed remotely, making it extremely versatile. The actions that it can carry out include downloading and running files, mass-mailing spam and even updating itself. This worm spreads using the following means of transmission: the Trojan described earlier, a file attached to an email messages, or by exploiting vulnerabilities in the LSASS process that attack against random IP addresses. What’s more, it protects itself by blocking access to certain web pages, the majority of which are related to IT security companies.
Finally, Smitfraud and Smitfraud.A have also coordinated an attack and have managed to spread widely, especially Smitfraud.A. The first is a spyware program that installs itself on the computer without the user realizing and when it is run, it changes the Windows desktop to an image that is similar to the classic Blue Screen Of Death, which advises the user to run an antispyware solution that resolves the problem. This spyware program previously installs the solution PSGuard, which will detect the malware, but the user must register in order to disinfect it. Smitfraud.A is used by the spyware program to infect the wininet.dll file, replacing it with the oleadm32.dll when the system is restarted, among other actions. Smitfraud is another of the examples of malware downloaded by CoolWebSearch, and can infect the computer when viewing web pages with underground or adult content.
To prevent these malware or any other malicious code from affecting your computer, Panda Software recommends keeping antivirus software up-to-date. Panda Software clients can already access the updates to detect and disinfect these malicious code.
For further information about these and other computer threats, visit Panda Software’s Encyclopedia.