Weekly Report on Viruses and Intruders – Gaobot.IUF and Prex.AM Worms, Banker.XP Trojan, etc.
This week’s report looks at two worms, Gaobot.IUF and Prex.AM, a vulnerability in the Internet Explorer component JAVAPRXY.DLL, a keylogger detected as Application/KeySpy, a keyboard-monitoring program detected as Application/GoldenKeyLog, and the Banker.XP Trojan.
Prex.AM spreads through the MSN Messenger instant messaging application. Gaobot.IUF can spread through a range of channels, including network shares protected with weak passwords.
One notable feature of Gaobot.IUF and Prex.AM is that they spread together in a single self-extracting RAR file. When that file is run, it unpacks itself and drops two files, one for each worm, which from then on take a series of actions, including the following:
– Gaobot.IUF opens a backdoor and connects to an IRC server, where it waits for commands from a remote attacker (to gather information about the system hardware, to steal registration codes for certain games, etc.).
– Prex.AM sends, through MSN Messenger, messages with the text “hmm like my friend said dont look ahaha, SICK pictures” followed by a link to an Internet address. If the user clicks on this link, the file containing both worms is downloaded onto the computer.
The security problem that we are looking at today, which Microsoft has reported in Security Advisory 903144, affects the JAVAPRXY.DLL file, a COM object used by Internet Explorer on computers running Windows 2003/XP/2000/Me/98. Internet Explorer versions 5.01, 5.5 and 6 are affected.
This vulnerability, which can be exploited through a specially crafted web page that instantiates the Javaprxy.dll COM object, could allow an attacker to run code on the affected computer with the same permissions (to create, edit or delete files, install programs, etc.) as the user who started the session; browsing with a non-administrator account therefore limits the damage but does not remove the problem. Users of affected computers are advised to install the security update Microsoft provides for this issue. Where that is not yet possible, the advisory’s “Workarounds” section (“Disable the Javaprxy.dll COM object from running in Internet Explorer”) describes how to prevent Internet Explorer from loading the object by setting its kill bit in the Windows registry.
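The kill-bit workaround mentioned above, as an added example that is not part of the original report or of Microsoft’s advisory text: the script sets the “Compatibility Flags” value 0x400 (the kill bit) for the Javaprxy.dll COM object and then reads it back to confirm. The CLSID used is the one Microsoft’s advisory associates with Javaprxy.dll; confirm it against the advisory before applying this on a real system, and run the script from an elevated PowerShell session.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the Javaprxy.dll COM object.
# Assumption: this CLSID is the one listed for Javaprxy.dll in Microsoft Security Advisory 903144.
$JavaprxyClsid = '{03D9F3F2-B0E3-11D2-B081-006008039BF0}'
$KillBit       = 0x400   # Compatibility Flags bit that stops IE instantiating the control from a page

function Set-IeKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # 32-bit IE on 64-bit Windows reads the Wow6432Node hive as well, so write both when present.
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already set; only OR in the kill bit.
        $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = if ($null -eq $existing) { 0 } else { [int]$existing }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
    }
}

function Test-IeKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and ((([int]$flags) -band $KillBit) -eq $KillBit)
}

Set-IeKillBit -Clsid $JavaprxyClsid
if (Test-IeKillBit -Clsid $JavaprxyClsid) {
    Write-Output "Kill bit set for $JavaprxyClsid; Internet Explorer will not load Javaprxy.dll from web content."
} else {
    throw "Kill bit for $JavaprxyClsid could not be verified."
}
```

The kill bit is a mitigation, not a patch: it only stops Internet Explorer from creating the object from web content, and it should be kept in place even after the security update is installed, since nothing in a browser needs this object.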
We continue this report with Application/KeySpy, which logs every keystroke made on the affected computer from Windows startup until the session is closed, including passwords typed into protected programs or entered on web pages. It also places an icon on the desktop which, when opened, displays a window containing all of the logged keystrokes.
Application/GoldenKeyLog is a program that monitors keyboard activity from the moment the computer starts up. It displays a screen when it is installed and modifies the Windows registry to create an entry in “Add or Remove Programs” in the Control Panel.
We finish today’s report with Banker.XP, a Trojan that tries to obtain confidential details, such as the passwords used to access different services, from the affected computer. Once it has obtained them, it writes them to a file and sends that file to the attacker.