Weekly report on viruses and intruders

Four worms -the B and C variants of Kelvir, Fatso.A and Sober.O-, and two Trojans -Ruzes.A and Downloader.BBN- will be described in this week's report on viruses and intruders.

The first three worms -Kelvir.B, Kelvir.C and Fatso.A- in todays report are designed to spread rapidly via the application MSN Messenger. These worms reach computers in a message that includes a link to an Internet address. If the user access this link, files containing the code of these worms will be downloaded and installed on the computer.

Kelvir.B and Kelvir.C carry out various actions in the computers that they infect, including the following:

- Send messages to the entries in the contacts in MSN Messenger.

- Download several variants of the Gaobot or Sdbot Trojans from a web page, which allow a hacker to gain remote control of the affected computer through IRC chat channels.

Fatso.A spreads through the instant messaging application MSN Messenger and via peer-to-peer (P2P) file sharing programs. When it infects a computer, it ends the processes belonging to various security tools, such as antivirus programs and firewalls, leaving the computer vulnerable to other malware. Fatso.A also modifies the system configuration so that it is automatically copied to all the CD-ROMs recorded on the computer.

A curious detail about Fatso.A is that it continues the cyber-war between virus authors that started with the appearance of the Assiral.A worm, and which displayed a text attacking the Bropia worms. In response, Fatso.A creates a file called "Message to n00b LARISSA.txt" on affected systems, which contains an unfriendly message for the author of Assiral, signed by someone called Skydevil.

The fourth worm in today's report is Sober.O, which spreads via email in a message that can be written in German -if the extension of the mail domain is one of the following: de (German), ch (Switzerland), at (Austria) or li (Liechtenstein)-, or in English.

When it infects a computer, Sober.O looks for email addresses in files with certain extensions. Then, Sober.O sends itself out using its own SMTP engine. Whats more, when it is run, Sober.O opens Notepad and displays a text on screen.

The first of the two Trojans in todays report is Ruzes.A, which collects email address from the files it finds on the affected computer with certain extensions. Then, it sends these addresses to an Internet address.

Ruzes.A is being downloaded by Downloader.BBN, another Trojan that appeared recently, which is very similar to the other variants in the family it belongs to.


About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users. For more information: http://www.pandasoftware.com/virus_info/

Comments (0)

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter