contents | software | |||||||
| Panda Software's Weekly Report on Viruses and Intruders This week's report looks at the Netsad.D and Nuwar.A worms, as well as the Nixfed.A backdoor Trojan. The Netsad.F worm uses a classic system to evade detection: it terminates processes belonging to a range of security tools. This technique is frequently used by malicious code both to avoid detection and to leave the computer vulnerable to other threats. It also makes changes to the system configuration so that the user can't access the web pages of numerous IT security companies. Netsad.F uses two different systems in order to spread. Firstly, it sends itself via email in messages that appear to have been sent from yahoo.com, disguising the address of the real sender. The message subjects either try to appeal to users' curiosity ("classroom test of you?", "I have your password.", "old photos about you?", etc) or attract their attention with error messages ("Deliver Error", "Deliver Mail", "Delivery Failure", etc). The worm's code is stored in a message attachment with a variety of names including: MAIL.PIF, PANDA.EXE, README.HTML.CMD, etc. In addition to email, this worm tries to spread across P2P networks. It does this by placing a copy of its code in shared Emule, KaZaA or Morpheus files with names designed to entice users into downloading them ("FunGame.flash.exe", "PasswordFinder.exe", "pornoPic.scr", etc). The Nuwar.A worm uses a similar, albeit less effective, strategy. Where Netsad.F can terminate more than 350 different processes in memory, Nuwar.A terminates less than 15. However, the email it uses to spread uses far more false addresses and domains than those used by Netsad.F. The message subject is always related to politics, referring to the third world war or to presidents Bush or Putin. Finally, this report looks at the Nixfed.A backdoor Trojan. This program, once installed on a system, allows the computer to be manipulated by a third-party without the user's knowledge. The actions of this malicious code include: • Logging keystrokes entered by the user. • Capturing screenshots. • Transferring files. • Restarting and/or shutting down the computer • Starting a chat session with the infected computer. • Opening the CD-ROM tray. • Setting a password to establish connection with the computer. • Monitoring network traffic generated. • Log system activity. • Executing itself whenever a session is started. • Disabling the task manger. Nixfed.A is extremely dangerous for infected users, as the action it takes can be monitored, including confidential operations such as bank transactions. All the malicious code in this report are detected by Panda Software's TruPrevent Technologies, without the need to have previously identified them. Panda Software users will have therefore been protected against them right from the outset. write your comments about the article :: © 2006 Networking News :: home page |