Weekly Report on Viruses and Intruders – P2load.A, Mytob.JN and Bagle.EI, Spytrooper, Fantibag.A, Banker.APM and Mitglieder.EV
This week's report looks at a wide range of threats: three worms (P2load.A, Mytob.JN and Bagle.EI), one rogue anti-spyware program (Spytrooper), three Trojans (Fantibag.A, Banker.APM and Mitglieder.EV) and a hacking tool (Keyspy.B).
P2load.A is a worm that spreads through the P2P file-sharing programs Shareaza and iMesh. Among other actions on infected computers, it modifies the HOSTS file so that requests for the Google domain resolve to a different server, hosted in Germany, which serves a page that imitates Google but has nothing to do with the company. The spoof page looks identical to the legitimate one and even offers the 17 languages supported by Google. Because the HOSTS file is consulted before DNS, the browser's address bar still shows the genuine Google domain, which is what makes the redirection hard to notice.
Searches run on the spoof page return the genuine Google results, or results with only slight variations. What does change is the sponsored links that normally appear at the top of the results: for certain searches, users whose computers are infected by P2load.A see links chosen by the malware author instead, in order to drive traffic to those sites.
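The HOSTS-file tampering described above can be checked for directly. The following script is an added example written for this page, not code from the original report or from Panda Software. It parses a HOSTS file and flags two patterns: a watched domain mapped to a non-loopback address (the pharming pattern P2load.A uses against Google) and, as a generalisation the report's other entries point at, a watched domain mapped to loopback or 0.0.0.0 (the pattern used to block antivirus and update sites). The sample HOSTS content, the 192.0.2.10 address, the `.example` domain names and the `WATCHED_DOMAINS` list are constructed for the example.

```python
import ipaddress
import os
import sys
from dataclasses import dataclass

# Constructed sample HOSTS content (not from any real infection). Line 4 shows
# the pharming pattern: a well-known domain pointed at a foreign server
# (192.0.2.10 is a documentation address standing in for the attacker's host).
# Lines 5 and 6 show the blocking pattern: security-vendor names pointed at
# loopback or 0.0.0.0 so updates and web pages cannot be reached.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
::1             localhost
192.0.2.10      google.com www.google.com     # pharming: real domain, wrong server
127.0.0.1       www.antivirus-vendor.example  # block: vendor site sinkholed
0.0.0.0         update.antivirus-vendor.example
10.0.0.5        intranet.corp.example         # unrelated local entry, not flagged
"""

# Domains that should never appear in HOSTS on a normal machine. Hypothetical
# list; extend it with your own bank and security-vendor domains.
WATCHED_DOMAINS = ("google.com", "antivirus-vendor.example", "bank.example")


@dataclass
class Finding:
    line: int       # 1-based line number in the HOSTS file
    ip: str         # address the hostname was mapped to
    hostname: str
    kind: str       # "redirect" (pharming) or "block" (sinkhole)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment HOSTS line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                 # whitespace separated, tabs allowed
        yield line_no, fields[0], fields[1:]


def _in_domain(hostname, domain):
    """True if hostname is domain itself or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return Findings for watched domains that a HOSTS file overrides.

    A watched name mapped to loopback or the unspecified address (127.x, ::1,
    0.0.0.0) is a block; mapped anywhere else it is a redirect. Names not in
    the watch list (localhost, intranet hosts) are left alone.
    """
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue                          # malformed address field; skip
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if any(_in_domain(name, d) for d in watched):
                findings.append(Finding(line_no, ip_text, name,
                                        "block" if sinkhole else "redirect"))
    return findings


def default_hosts_path():
    """Location of the system HOSTS file on Windows and on POSIX systems."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # With a path argument the live file is checked; otherwise the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in find_suspicious(content):
        print(f"line {f.line}: {f.hostname} -> {f.ip} ({f.kind})")
```

Run it with no arguments to see the four findings from the sample, or pass the path returned by `default_hosts_path()` to check a live machine. The watch list is deliberately explicit: a generic "any non-localhost entry" rule would drown real findings in legitimate intranet mappings, while a name-based list catches exactly the sites malware of this kind has a reason to touch.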
The second worm in this report is Mytob.JN, which spreads via email in messages with variable characteristics. Mytob.JN opens a TCP port and connects to a server to receive remote-control commands, which it executes on the infected PC. It also terminates processes belonging to security tools such as antivirus programs and firewalls, as well as processes belonging to other malware, and it prevents access to certain web pages, in particular those of antivirus companies, so that updates cannot be downloaded from them.
The third and final worm is Bagle.EI, which sends a copy of a Mitglieder variant to every email address it gathers from certain websites, skipping addresses that contain certain text strings (a filter of this kind is typically used to avoid mailing copies to antivirus vendors and similar recipients). This worm also prevents some variants of Netsky from running when Windows starts up.
The next specimen is Spytrooper, a rogue anti-spyware program classified as adware. It is downloaded automatically from adult or pirated-software websites that use exploits to compromise the visitor's computer, after a pop-up window warns of supposed spyware on the computer, or when users download it voluntarily from a certain web page.
Spytrooper warns users that their computer is infected by threats that do not actually exist, and tells them these threats can only be removed by buying the full version of the program. Once users buy and register Spytrooper, the supposed threats are no longer reported and the computer appears clean. The warnings are the product's sales pitch rather than the result of a genuine scan, and the only thing the purchase removes is the warning itself.
The first Trojan in this report is Fantibag.A, which prevents access to a series of websites, mostly belonging to antivirus companies. It does this with a method based on RRAS (Routing and Remote Access Service) API functions, which provide packet filtering. Because the blocking happens at the packet-filter level rather than in name resolution, the HOSTS file can look untouched on an affected machine, so a clean HOSTS file does not rule out this kind of blocking.
Banker.APM is a Trojan that steals confidential information such as passwords and sends it to its creator. It tries to redirect the websites of various banks to a server hosting spoofed pages, so that users enter their credentials there when they believe they are visiting their bank.
The third Trojan is Mitglieder.EV, which attacks security tools such as antivirus programs and firewalls. Specifically, it deletes essential files, removes the Windows Registry entries that make those applications run automatically, stops their services and terminates the processes responsible for downloading antivirus updates.
The report ends with Keyspy.B, a hacking tool that logs keystrokes and sends them out by email. It can also execute or block the execution of any program and record the web pages visited.