Panda Software's Weekly Report on Viruses and Intruders

This week, the PandaLabs report focuses on the SpamtaLoad.DO, ArmyMovement.A and Lozyt.A Trojans and on the Muhi.A worm.

The SpamtaLoad.DO Trojan spreads via email using subjects such as "Error", "Good day" or "hello". The body text varies, usually containing an error message from the sender. The Trojan itself hides in an executable attachment with varying names. When a user runs the infected file, the Trojan displays an error message. On other occasions, it shows a text in Notepad. This malicious code is designed to download the Spamta.TQ worm onto the affected computer and to resend SpamtaLoad.DO to all the email addresses it finds on the infected system.

"SpamtaLoad.DO is the latest detected member of the Spamta family, one of the most active in the last few months. As with previous variants, SpamtaLoad.DO has also spread widely, accounting for up to 40 percent of infected messages received every hour by PandaLabs", explains Luis Corrons, Technical Director of PandaLabs.

ArmyMovement.A is this week's second Trojan. It can reach computers by email or by file downloads, copying itself onto the system when it is run. Designed to steal the email addresses that users store in Outlook, it sends a hoax to those addresses announcing that the Turkish government has decided to increase soldiers' and civil servants' wages by 50 percent. The subjects and texts of the emails are written in Turkish.

"These messages usually precede a dangerous attack. Subsequent messages containing the same subject could include a link claiming to point to the original article. When clicking on the link, users would be infected", confirms Corrons.

ArmyMovement.A causes several errors on infected computers. For example, it modifies the boot file to display a message prompting users to format the hard drive. It also changes the ntldr file, preventing the computer from restarting. This malicious code overwrites files with different extensions (.jpg, .xls, .doc, .zip…), causing loss of information.

The Lozyt.A Trojan reaches computers by email or file downloads. Once it runs on the computer, it connects to a remote server and downloads an executable file which installs the Errorsafe adware on the infected computer. Lozyt.A also kills several processes, including those of certain security solutions. Its aim is to make detection more difficult.

The Muhi.A worm is the third malicious code in the report. In order to spread, it copies itself to all of the system's drives, including removable drives (USB memory sticks, etc.). This worm deletes the content of the drives it copies itself to. Muhi.A also spreads via shared folders, using names such as "I_LOVE_YOU.exe", "download.exe" or "window shopper.exe". The copies of the worm appear with the Notepad icon in order to trick the user.

This worm terminates the processes of several security solutions. It also modifies the registry in order to prevent the system from warning about solution errors. Muhi.A also changes Internet Explorer's start page.

© 2007 Networking News