contents

software
 
Panda Software's Weekly Report on Viruses and Intruders

The dangerous Cimuz.EL Trojan is one of the malicious codes covered in this week's PandaLabs report together with another Trojan, Gogo.A, and two worms: UsbStorm.A and Nurech.Z. Also, this week Microsoft has published five new security patches.

Cimuz.EL accounted for up to 57 percent of malware detection notifications received per hour at PandaLabs. Cimuz.EL is designed to steal all kinds of data from targeted computers. It reaches computers in fragments. First, it installs a part of its code with downloader features. This downloader, in turn, downloads the part of the code that performs the most harmful actions: stealing data from the infected computer (email passwords, IP address, computer location, software installed, etc.) and injecting a DLL in Internet Explorer to log the user's Internet activity and stealing more information. In this way, All the data that Cimuz.EL steals is sent to its creator regularly through a certain Web server.

The second Trojan is Gogo.A, a new malicious code designed to steal data entered by users through the keyboard while surfing the Web. To do this, it installs as an Internet Explorer plug-in and logs the user's activity. When the user types some key words, Gogo.A activates and starts capturing keystrokes. Then Gogo.A sends the stolen information to its creator through a web page. The Trojan also has rootkit features to hide its processes and evade detection, which makes it even more dangerous.

"Password theft, the purpose of these two Trojans, fits very well in the current malware dynamic. With the information they get, cyber-criminals can access confidential data or bank accounts. The use of Trojans for this purpose is multiplying as this is more silent than other techniques like phishing, for example", explains Luis Corrons, Technical Director of PandaLabs.

UsbStorm.A is a worm that spreads by copying itself to removable drives, such as USB memory sticks. When one of these drives is connected to a computer, the worm activates and infects it. UsbStorm.A goes memory resident in the computer waiting for new drives to spread to. It remains on computers and tries to update itself by downloading new versions of itself from different web pages.

Nurech.Z is a worm that spreads by email in messages with variable subjects related to the massive propagation of some malware: Worm alert!, spyware alert! Virus Alert!, etc. It also uses sender names such as 'Customer Support' to pretend it has been sent from a trusted source. The worm hides in a password-protected .zip file attached to the message and tries to pass itself off as a patch against the malware that is supposedly causing the alert. The password is included in a .gif file, not a text file, to make detection more difficult.

"For this not to raise suspicion, the malware creator explains that the patch has been zipped to protect it from the worm's actions. In this way, it tries to dupe trusting users into opening the file", explains Corrons.

Nurech.Z is designed to end processes belonging to several security, monitoring and debugging solutions. It looks for email addresses in the target computer to send the infected messages to. Finally, it has two rootkits: one hides processes to make detection more difficult, and the other looks for the email addresses, creates the .gif with the password and sends out spam emails.

Microsoft has published its April security patches: five in all, four of which have been rated as "critical". The first critical patch fixes two vulnerabilities in Microsoft Content Management Server. The third flaw lies in Universal Plug and Play and affects Windows XP systems solely, whereas the fourth one was found in Microsoft Agent and affected the latest Windows versions, barring Vista. The fifth vulnerability was identified in CSRSS (Windows Client/Server Runtime Server Subsystem) and affects the latest Windows versions, including Vista and Vista x64. All these vulnerabilities could allow attackers to run code or control targeted computers remotely. The only patch not rated as "Critical", but "Important" fixes a vulnerability in the Windows kernel. This security flaw could be exploited by a remote attacker to elevate their privileges on the affected computer.

All these updates can be downloaded fromhere.



write your comments about the article :: 2007 Computing News :: home page