This week’s top malware: “YouTube” and Dotex worms

This week’s PandaLabs report looks at two very dangerous worms: Dotex.A and SpreadBanker.A, as well as the six security patches published by Microsoft to fix up to fifteen vulnerabilities in many of the company’s applications.

Once run on a computer, Dotex.A connects to a web page from which it downloads two malware strains: the QQPass.AFD worm and the QQRob.OI Trojan which, in turn, connect to another web page and download several variants of the Lineage family onto the infected computer.

Dotex.A copies itself as a hidden file to several directories and mapped drives on the infected system. The worm deletes several entries in the Windows registry and modifies others. One of these changes aims at preventing hidden files from being displayed, thus making the worm’s copies invisible to users.

The second worm is SpreadBanker.A, which uses a YouTube video to conceal its activity. The worm is made up of two components. When the user runs the first one, it connects to the YouTube site and shows a video. At the same time, it connects to another website and downloads the second component, which performs a series of malicious actions.

This worm is designed to steal login details for several online banks and passwords for online games such as Age Of Mythology, GTA, Unreal Tournament, WarCraft or Final Fantasy.

“Theft of passwords for online games is becoming increasingly popular. The difficulty of getting points, add-ons and other ‘premium content’ for these games make some people willing to pay for them. This is used by cyber-criminals to profit by selling passwords from registered users with high scores,” explains Luis Corrons, Technical Director of PandaLabs.