This week's report on viruses and intruders focuses on the worms Kedebe.C and Sober.V, the backdoor Trojan Bck/BotMail.C, and the adware application Adware/Topspyware.
Kedebe.C is a worm with backdoor characteristics whose main aim is to terminate the processes of certain security tools, including several antivirus programs and firewalls. This leaves the affected computer vulnerable to attacks from other malware.
This worm is easy to detect, as it displays a message on screen when it is run. Kedebe.C reaches computers in an email message with variable characteristics, installs itself in a system folder, and inserts a series of keys in the Registry to ensure that it is run as a service whenever the computer starts up. In addition to the actions described above, Kedebe.C modifies the HOSTS file on the affected computer in order to block access to the websites of IT security companies.
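As an added illustration (not part of the original report), the following script checks a HOSTS file for the kind of entry Kedebe.C inserts: mappings that pin security-vendor domains to a bogus address. The watched-domain list and the sample file content are constructed for the example; only pandasoftware.com is taken from the report.

```python
# Added example: scan a Windows HOSTS file for entries that map security-vendor
# domains to a bogus address, the access-blocking technique attributed to Kedebe.C.
# The watched-domain list and the sample HOSTS content are constructed; they are
# not indicators taken from the report.
import ipaddress

# pandasoftware.com appears in the report; av-vendor.example is a placeholder.
WATCHED_DOMAINS = ("pandasoftware.com", "av-vendor.example")


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every HOSTS line that is a real mapping."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a valid address, skip it
        yield no, str(ip), [h.lower() for h in fields[1:]]


def is_watched(hostname):
    """True if hostname is a watched vendor domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text):
    """Return [(line_no, ip, hostname)] for every watched domain mapped in HOSTS.

    A clean HOSTS file has no reason to map a vendor's update or download site
    at all, so every such mapping is reported, whether it points at loopback,
    0.0.0.0 or some other address.
    """
    return [(no, ip, h) for no, ip, hosts in parse_hosts(text)
            for h in hosts if is_watched(h)]


# Constructed sample: a normal localhost line, two hijacks and one malformed line.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com   # added by malware
0.0.0.0 updates.av-vendor.example download.av-vendor.example
not-an-ip       www.pandasoftware.com
"""

if __name__ == "__main__":
    for no, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
```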
Sober.V, which has reached orange alert status due to its rate of propagation and its threat level, is a worm that spreads via email in a message, written in English or German, with variable characteristics. The bait used by this worm is free tickets to the next soccer World Cup.
Like the previous worm, Sober.V also displays a message on screen. It copies itself to the Windows system directory and modifies entries in the Windows Registry to ensure that it is run whenever the system starts up. What's more, it collects email addresses from the affected computer and automatically sends itself to all of them except those belonging to a predefined list of domains.
Bck/BotMail.C is a backdoor Trojan that acts as a proxy server, allowing files to be downloaded and run, commands to be executed and the malware itself to be updated. To do this, it opens a communications port on the affected computer. It also modifies a large number of keys in the Windows Registry, ensuring that it is run whenever the system starts up. This malicious code cannot spread on its own and is carried by some worms, such as SDBot.
At the end of this week the adware program Adware/Topspyware appeared. It is designed to trick users into visiting a security software website where, after paying a certain fee, they can obtain a tool to disinfect this malware. This malicious code has very clear symptoms. It displays an icon in the system tray that imitates the Windows Update icon and shows a fake virus alert. What's more, it changes the color of the Windows desktop to bright red and adds a warning that the PC is infected. Both the icon and the desktop are links that, when clicked, take the user to a web page offering several programs for disinfecting this variant, for a fee.
This adware cannot spread on its own, but is downloaded from malicious websites from where other types of malware are also downloaded.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users. For more information: http://www.pandasoftware.com/virus_info/