Weekly Report on Viruses and Intruders – Infober.A, Incef.A and Bobax.AU.
Infober.A spreads via computer networks, making a list of shared resources and copying itself to them. It creates four files, two of which are called MMSOFTCPL.CPL and DEATHLOG.TXT, while the names of the other two are generated by searching through the .cpl, .exe and .doc files on all disk drives. One of the files executes the worm when the computer is started up, importing the “
Infober.A opens UDP port 45075 and acts as a backdoor, allowing remote access to the computer and thereby enabling actions that could compromise the confidentiality of user data or impede work on the computer. It creates the “SQL Script” mutex to prevent two copies of itself from running simultaneously on the system.
The second worm we are looking at today is Incef.A, which spreads via IRC (using mIRC) and the KaZaA P2P file-sharing program.
Incef.A takes several actions on infected computers, including:
– It alters KaZaA settings to facilitate its propagation. It shares the C: drive root directory and a subfolder of the Windows directory. It also disables the firewall and the virus filter.
– It modifies the MIRC.INI file, so that it runs a certain script.
We close today’s report with Bobax.AU, a worm that spreads via e-mail in a message with variable characteristics. The message includes an attachment with a two-part name: a text, which can be “BUSH”, “FUNNY”, “JOKE”, “PICS” or “SECRET”, and an extension, which can be .exe, .pif or .scr. When the file is run, Bobax.AU searches the computer for e-mail addresses to which to send itself. It also takes several actions:
– It modifies the HOSTS file to prevent access to certain web pages, in particular those belonging to antivirus companies.
– It creates several files, one of which is a DLL (Dynamic Link Library) used to prevent the associated process from being displayed in the task manager.
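A check for the HOSTS-file tampering described above, as an added example that is not part of the original report: it parses HOSTS-file text and reports watched domains pinned to a loopback or unspecified address. The report does not list the blocked sites, so the watched domains, the function names and the sample file are constructed placeholders.

```python
import ipaddress

# Assumption: domains that should resolve through DNS on a clean machine.
# Placeholders only; the report does not name the sites Bobax.AU blocks.
WATCHED_SUFFIXES = ("av-vendor.example", "updates.example")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split fields
        if len(entry) < 2:
            continue  # blank line, comment, or address with no name
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in entry[1:]:  # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, ip, hostname) for watched names that are blackholed."""
    return [
        (line_no, str(ip), name)
        for line_no, ip, name in parse_hosts(text)
        if is_watched(name) and (ip.is_loopback or ip.is_unspecified)
    ]

# Constructed sample HOSTS content, not taken from an infected machine.
SAMPLE = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.av-vendor.example   # pinned to loopback
0.0.0.0     download.updates.example liveupdate.av-vendor.example
10.0.0.5    intranet.corp.example
127.0.0.1   notav-vendor.example
"""

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the file to pass in is normally `%SystemRoot%\System32\drivers\etc\hosts`.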