This week's virus report looks at three worms -Bropia.A, Zar.A and Mydoom.AE-, and Gaobot.batch.
Bropia.A spreads via MSN Messenger. It does this by searching the application for an instance of the class 'IMWindowClass' and, if it finds one, it sends itself out with one of the following names: Drunk_lol.pif, Webcam_004.pif, sexy_bedroom.pif, naked_party.pif and love_me.pif.
After it is run, Bropia.A searches -in systemdir- files with the following names: adaware.exe, VB6.EXE, lexplore.exe and Win32.exe. If they don't exist, it creates a file that contains a copy of a variant of Gaobot. Bropia.A also generates several empty files in the path systemdir and opens them to prevent the taskmgr.exe and cmd.exe processes from executing. Similarly, Bropia.A disables the CTRL+ALT+Del key combination, and can also disable the right button on the mouse.
Zar.A spreads via email in a message that refers to the tsunamis that struck Asia in December 2004. Both the subject and the message text make an appeal for help for the victims, and the attachment is called TSUNAMI.EXE. When the file is run, the computer is infected by Zar.A, which, using MAPI, sends a copy of itself to all addresses in the Outlook address book.
Zar.A creates three files and generates a Windows registry entry to ensure that it is run every time the computer is started up. This worm also tries to launch Denial of Service attacks (DoS), against the w w w.hacksector.de website.
The next worm we'll be looking at today is Mydoom.AE, which spreads in an email with variable characteristics, and through P2P file sharing programs.
Once it infects a computer, Mydoom.AE takes the following action:
- It opens Notepad and displays a text made up of random characters.
- It alters the HOSTS file to prevent users from accessing the web pages of certain antivirus companies. It also terminates processes belonging to certain antivirus programs, leaving the computer vulnerable to attack from other malware.
- It terminates processes belonging to malware.
- It tries to download a file from the Internet.
We end today's report with a mention of Gaobot.batch, which is a batch process file that deletes the original Gaobot file when this has been installed on the computer.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/