Panda Security's Weekly Report on Viruses and Intruders

Shark 2, a Trojan creation tool, is the main subject of this week's PandaLabs report, which also covers Addon.B and MSNPoopy.A, two worms that use MSN Messenger to spread.

Shark 2 is distributed for free in various Internet forums and is very easy to use, which makes it particularly dangerous. The Trojans created with this builder could steal all kinds of confidential data from users' computers if they are not well protected.

"These Trojans pose a threat to users' privacy as cyber-crooks could activate the victim's webcam, if they have one, and watch what they are doing", explains Luis Corrons, Technical Director of PandaLabs.

Shark 2 allows criminals to specify the server the Trojan must connect to, and set the Trojan to run on every system restart, show error messages or run other files. Also, the tool allows malicious users to perform specific actions for processes and services, such as stop certain services, shut down or delete the user server, etc.

Once it has infected a computer, the Trojan created by Shark 2 connects to the server the hacker has chosen and displays a screen that allows them to take various actions, including commanding the malware to steal all kinds of passwords (for instant messaging services, email, banking services, etc.).

The cyber-criminal can also run a large number of utilities on the infected computer, for example, to modify the registry or edit the host file. By doing this, they could redirect users to phishing or infected pages.

Trojans created with this tool can also take screenshots, capture audio and log keystrokes.

"Malware creators can use this tool to build Trojans capable of attacking users on several fronts, but always with the same goal: get information that they can easily turn into some kind of financial gain", states Corrons.

The first worm covered in today's report is Addon.B, a malware specimen that sends a .zip file called Foto_celular by MSN Messenger. If the user opens it and runs the file inside, they will be installing a copy of the worm on their computer.

Addon.B copies itself to all drives under the name Foto_celular.scr. Once run, this file downloads the second component of the worm, sexy.wm. This malware, in turn, connects to two web pages waiting for commands ranging from downloading other malicious codes onto the infected computer to updating itself.

MSNPoopy.A uses similar techniques to Addon.B to spread through MSN Messenger. In this case, it uses sentences like "look @ my cute new puppy :-D" or "look @ this picture of me, when I was a kid " to entice users into opening the attached file, which has names such as img1756 and is compressed in .zip format.

If the targeted user opens it and runs the file inside, they will become infected. Also, all the users in the victim's Address Book will receive the message the worm sends, with the possibility of becoming infected.

MSNPoopy.A edits the Windows Registry to ensure it is run every time the system is started up. It also tries to connect to other instant messaging channels to send out information or continue spreading.

"It shouldn't surprise anyone that cyber-crooks are increasingly using instant messaging to distribute their creations. These are services used by millions of people every day, so they make a very easy and quick way of infecting a huge number of users", explains Corrons.

write your comments about the article :: 2007 Computing News :: home page