Weekly Report on Viruses and Intruders – Mitglieder.EK, Zotob.A, Zotob.B, Zotob.D, IRCBot.KC and IRCBot.KD
This week, Panda Software's report includes information about a Trojan, Mitglieder.EK; a hacking tool, ModemSpy; and five worms, Zotob.A, Zotob.B, Zotob.D, IRCBot.KC and IRCBot.KD. Except for the hacking tool, which is not malicious code as such, all of these malware specimens were neutralized on the computers of users of TruPrevent™ Technologies before they had been identified.
Mitglieder.EK is a Trojan whose main aim is to terminate processes belonging to antivirus and firewall applications, and to disable their update routines, by deleting, modifying or creating keys in the Registry. It also creates a Registry key to ensure that it is run whenever the affected computer starts up. What's more, it tries to download a file called OSA4.GIF, which passes itself off as an image but is actually an executable file. Like all Trojans, it cannot spread by its own means and must therefore be distributed manually, via email, P2P programs or other channels.
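The OSA4.GIF trick, a file that carries an image extension but is really an executable, is caught by comparing the extension with the file's leading bytes rather than trusting the name. The following is an added example, not code from the report or from Panda Software. The magic-byte table covers only a few common types, and the two sample byte strings are constructed for illustration: the "executable" is a header stub, not the real OSA4.GIF.

```python
"""Added example: flag files whose extension disagrees with their magic bytes."""
import os

# Leading byte signatures, most specific first. This table is an assumption
# covering a handful of common types, not an exhaustive list.
MAGIC_TYPES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),          # DOS/PE executable header
]

# What each extension claims the content is.
EXT_TYPES = {
    ".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
}


def sniff_type(data: bytes):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC_TYPES:
        if data.startswith(magic):
            return kind
    return None


def check_masquerade(name: str, data: bytes) -> dict:
    """Compare the type claimed by the filename with the type in the bytes.

    'masquerade' is True only when both are known and they disagree; an
    unknown extension or an unknown header is reported but not flagged.
    """
    claimed = EXT_TYPES.get(os.path.splitext(name)[1].lower())
    actual = sniff_type(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "masquerade": claimed is not None and actual is not None and claimed != actual,
    }


# Constructed samples (not the real OSA4.GIF): a PE-style header stub and a
# genuine GIF89a header followed by a minimal screen descriptor.
FAKE_IMAGE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"


if __name__ == "__main__":
    for name, blob in [("OSA4.GIF", FAKE_IMAGE), ("photo.gif", REAL_GIF)]:
        print(check_masquerade(name, blob))
```

The check deliberately stays quiet when it cannot classify either side; on a mail gateway or download proxy the useful action is to hold or rename only the files where a known image extension sits on top of a known executable header.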
Zotob.A and Zotob.B are two worms that work in the same way. Both exploit a buffer overflow vulnerability in the Windows Plug and Play service, reported by Microsoft in bulletin MS05-039, which affects Windows 2000, Windows XP and Windows Server 2003. They spread by generating random IP addresses, trying to connect to each of them on TCP port 445 and checking whether the computer is vulnerable. If it is, they install an FTP server on the affected computer and try to download a copy of themselves through TCP port 33333. Once on an affected computer, they carry out two actions: they block access to the websites of antivirus companies, and they open a backdoor and wait to receive commands over IRC, which include downloading, running or deleting files.
Zotob.D, IRCBot.KC and IRCBot.KD are three further worms that behave very similarly and, like the previous ones, also try to spread by exploiting the vulnerability in the Plug and Play service. They too generate random IP addresses and try to connect to them on port 445 in search of vulnerable systems. When one is found, they send it instructions to download a copy of the worm via TFTP. The other actions vary by worm: Zotob.D removes various adware and spyware programs as well as the earlier variants A, B and C; IRCBot.KD tries to terminate processes belonging to earlier versions of both Zotob and IRCBot, as well as other malware. What they all share is a backdoor through which they receive commands by connecting to certain IRC channels.
These three worms have hit a significant number of US corporations, prompting an orange alert. To avoid infection, users are advised to keep their antivirus software updated and to apply the patch that fixes the Plug and Play vulnerability.
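The propagation pattern described for all five worms (random target generation, probes on TCP port 445, then a copy of the worm fetched from the scanning host over TCP 33333 or TFTP) leaves a recognisable footprint in connection logs that a network defender can correlate. The following is an added example, not code from Panda Software or from the report: a small Python correlator over constructed firewall-style log lines. The log format, the threshold of 20 distinct targets and every address in the sample are assumptions for illustration.

```python
"""Added example: spot Zotob/IRCBot-style spreading in connection logs."""
import re
from collections import defaultdict

# Assumed firewall-style log format, one attempted connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

SCAN_PORT = 445                                 # Plug and Play is reached over SMB
PAYLOAD_PORTS = {("tcp", 33333), ("udp", 69)}   # FTP/33333 (Zotob.A/B), TFTP (Zotob.D, IRCBot.KC/KD)
SCAN_THRESHOLD = 20                             # distinct 445 targets; a tuning assumption


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_spreaders(lines, scan_threshold=SCAN_THRESHOLD) -> dict:
    """Return {scanner: {"probed": n, "likely_infected": [...]}}.

    A host is a scanner when it probes many distinct addresses on TCP 445;
    random target generation produces exactly that fan-out, much of it to
    unused addresses. A probed host that then connects back to the scanner
    on a payload port is counted as a likely new infection, since that is
    the worm copy being fetched.
    """
    probed_by = defaultdict(set)      # scanner -> hosts it probed on 445
    fetched_from = defaultdict(set)   # payload server -> hosts that fetched from it
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "tcp" and rec["dport"] == SCAN_PORT:
            probed_by[rec["src"]].add(rec["dst"])
        elif (rec["proto"], rec["dport"]) in PAYLOAD_PORTS:
            fetched_from[rec["dst"]].add(rec["src"])

    findings = {}
    for scanner, targets in probed_by.items():
        if len(targets) < scan_threshold:
            continue
        victims = sorted(targets & fetched_from.get(scanner, set()))
        findings[scanner] = {"probed": len(targets), "likely_infected": victims}
    return findings


def build_sample_log():
    """Constructed log: one infected host fanning out, plus benign SMB noise."""
    lines = [
        f"2005-08-15T09:{i:02d}:00 src=10.0.0.5 dst=198.51.100.{i} proto=tcp dport=445"
        for i in range(1, 26)
    ]
    # Two probed hosts come back for the payload: one over FTP/33333, one over TFTP.
    lines.append("2005-08-15T09:26:00 src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=33333")
    lines.append("2005-08-15T09:26:30 src=198.51.100.12 dst=10.0.0.5 proto=udp dport=69")
    # Ordinary workstations mapping a share on the file server: one target each.
    lines.append("2005-08-15T09:27:00 src=10.0.0.21 dst=10.0.0.1 proto=tcp dport=445")
    lines.append("2005-08-15T09:27:05 src=10.0.0.22 dst=10.0.0.1 proto=tcp dport=445")
    # A TFTP fetch from a host that was never probed: not attributed to the worm.
    lines.append("2005-08-15T09:28:00 src=10.0.0.30 dst=10.0.0.5 proto=udp dport=69")
    lines.append("malformed line that the parser skips")
    return lines


if __name__ == "__main__":
    for scanner, info in find_spreaders(build_sample_log()).items():
        print(f"{scanner}: probed {info['probed']} hosts on 445, "
              f"likely infected: {', '.join(info['likely_infected']) or 'none'}")
```

The threshold has to be set per environment: domain controllers and backup servers legitimately talk to many hosts on 445, so in practice the correlation with the payload ports is what keeps false positives down, and the list of probed-then-fetching hosts is the order in which to isolate and patch.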
Finally, ModemSpy is a hacking tool. Although it is actually a legitimate application, it can be misused in the hands of hackers. The software allows a hacker to record phone conversations and play them back or send them out via email, identify callers, or even record messages using a microphone. What's more, it has a stealth mode that allows it to go unnoticed by the user.
To prevent this or any other malicious code from affecting your computer, Panda Software recommends keeping antivirus software up to date. Panda Software clients can already access the updates needed to detect and disinfect this malicious code.