contents

software
 
Panda Software's Weekly Report on Viruses and Intruders

This week's PandaLabs report looks at the Therat.B and Alanchum.UG Trojans, the backdoor Trojan Redirection.A and the TellSky.A worm. Therat.B is a keylogger Trojan, designed to record users' keystrokes, that reaches computers in emails, through downloads, etc. It also has a particularly dangerous function: it can steal passwords stored in the auto-complete function of Internet browsers used to complete user names and passwords in online forms after the first one or two characters have been entered.

The aim of Therat.B is to steal user names, passwords, web addresses etc. It then sends all this information to its creator via email. Therat.B makes certain modifications to the system to ensure it is run on every system startup.

"This is a clear example of how a range of malicious functions can be combined in one malware specimen. In this case, several techniques for stealing confidential data have been combined in a single Trojan. By employing different strategies to steal data, cyber-crooks increase their chances of success", explains Luis Corrons, Technical Director of PandaLabs.

Alanchum.UG is a new addition to the Alanchum family, one of the most active types of malware over recent months. This specific variant is downloaded by other malicious code, including the adware CWS.

It alters the Windows registry to ensure it is run on every system startup. Alanchum.UG is designed to send out spam. It does this by gathering email addresses from infected computers. It then stores these addresses on a web page. To make it more difficult to detect, the Trojan has rootkit functions that hide its processes.

Redirection.A is the next malicious code in the report. As with all backdoor Trojans, it opens a backdoor on the infected computer. It then connects to an IRC server and allows the computer to be controlled remotely. This malware can perform a series of malicious actions: getting information about the infected system (IP, characteristics, ); activating an FTP server to download and execute other malicious files on the computer.

Redirection.A is also designed to scan IP ranges looking for computers with the VNC program installed. This program allows a computer to be controlled remotely. If it finds a computer with this software installed, Redirection.A will install itself on this system as well. It is also able to uninstall itself by deleting registry entries it has created and therefore making it even more difficult to detect.

The report closes with the TellSky.A worm. This malware is copied to hard disk under names such as Girl.exe or Downloader.exe. It also alters the Windows registry to ensure it is run on every system startup. The first time it is run, the worm displays an error message. This message is aimed at distracting users, as, at the same time, TellSky.A is carrying out malicious actions. These include preventing security solutions from operating correctly. It then tries to connect to a web page from which other files can be downloaded.

TellSky.A disables several functions on systems including the Run option in the Start menu and Folder options. Most modifications are designed to reduce security or block features that could be used to locate it.



write your comments about the article :: 2007 Computing News :: home page