This week's report looks at a worm, SdBot.EXG, a Trojan called Cimuz.X and two hacking tools called GuardMon and SpyEx.
SdBot.EXG is a worm that spreads by exploiting the following five security problems (the number in brackets refers to the Microsoft bulletin dealing with each vulnerability): buffer overflow in SQL Server 2000 (MS02-039); vulnerability in Workstation Service (MS03-049); LSASS (MS04-011); RPC-DCOM (MS04-012); and remote code execution in Plug and Play (PnP) (MS05-039). To distribute copies of itself, this worm also carries its own FTP and TFTP servers.
SdBot.EXG connects to certain IRC servers from which it can receive commands, such as to update itself, download and execute files, list shared resources and add or remove them, etc.
Cimuz.X is a Trojan which, once installed on a computer, carries out a series of actions, including the following:
- Opening a random port so that the computer can be used as an HTTP proxy.
- Executing PHP scripts from several web addresses in order to inform its creator that it has infected a PC.
- To evade firewalls, it injects its code into the processes of other programs that are not restricted from Internet access. It also adds its own process to the list of authorized applications in the Windows XP firewall.
- It creates several Windows registry entries for different purposes (running every time Windows starts up, checking whether the computer had previously been infected, etc.).
Cimuz.X uses several DLLs and code other than its own. Its author has probably reused components from other Trojans.
The next example of malware we are looking at is GuardMon, a hacking tool that logs the keystrokes typed by the user. This can be used to capture passwords or other kinds of sensitive information and represents a serious threat.
GuardMon creates the GPS.DLL file on the infected computer, which exports the function WSPStartup; this function controls the keystroke-monitoring process.
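Two of the behaviours described above leave traces in well-known Windows XP registry locations: Cimuz.X adds its process to the firewall's list of authorized applications and creates entries to run at start-up, and GuardMon's GPS.DLL exports WSPStartup, which is the entry point Winsock calls for a service provider, so a DLL of that kind is normally registered in the Winsock provider catalog. The following script is an added example (not PandaLabs code and not taken from the report) that audits an offline export of those three keys against a clean baseline and flags new autoruns, new firewall exceptions (especially for binaries in user-writable directories) and unknown Winsock provider DLLs. The registry paths and the `path:scope:state:name` format of the firewall list values are the real Windows XP SP2 conventions; every value in the two snapshots is constructed for this example, and the file names it flags (sysupd.exe, svc.exe, the catalog registration of gps.dll) are hypothetical, not indicators taken from the samples.

```python
"""Offline audit of Windows XP registry persistence and firewall exceptions.

Compares a snapshot of three registry keys taken from a machine under review
against a snapshot of the same keys from a clean install (the baseline).
"""
import re
from typing import Dict, List

# Well-known Windows XP registry locations covered by the audit.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WINSOCK_CATALOG_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
                       r"\Protocol_Catalog9\Catalog_Entries")

Snapshot = Dict[str, Dict[str, str]]

# Baseline from a clean install. CONSTRUCTED sample data for this example.
BASELINE: Snapshot = {
    RUN_KEY: {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    FIREWALL_LIST_KEY: {
        r"C:\Program Files\Messenger\msmsgs.exe":
            r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    },
    WINSOCK_CATALOG_KEY: {
        "000000000001": r"%SystemRoot%\system32\mswsock.dll",
        "000000000002": r"%SystemRoot%\system32\rsvpsp.dll",
    },
}

# Same keys exported from the machine under review. CONSTRUCTED; the extra
# entries (sysupd.exe, svc.exe, gps.dll registration) are hypothetical.
SUSPECT_SNAPSHOT: Snapshot = {
    RUN_KEY: {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "sysupd": r"C:\WINDOWS\system32\sysupd.exe",
    },
    FIREWALL_LIST_KEY: {
        r"C:\Program Files\Messenger\msmsgs.exe":
            r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
        r"C:\DOCUME~1\user\LOCALS~1\Temp\svc.exe":
            r"C:\DOCUME~1\user\LOCALS~1\Temp\svc.exe:*:Enabled:svc",
    },
    WINSOCK_CATALOG_KEY: {
        "000000000001": r"%SystemRoot%\system32\mswsock.dll",
        "000000000002": r"%SystemRoot%\system32\rsvpsp.dll",
        "000000000003": r"C:\WINDOWS\system32\gps.dll",
    },
}

# Directories an unprivileged user can write to; a firewall exception for a
# binary living there deserves a closer look.
USER_WRITABLE = re.compile(r"\\(Temp|Documents and Settings|DOCUME~1)\\", re.IGNORECASE)


def parse_firewall_entry(value: str) -> Dict[str, str]:
    """Split an XP SP2 AuthorizedApplications value 'path:scope:state:name'.

    The path itself contains the drive-letter colon, so split from the right.
    Assumes scope and name contain no further colons (true for '*' and
    'LocalSubNet' scopes and for ordinary display names).
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected firewall list value: {value!r}")
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def audit(snapshot: Snapshot, baseline: Snapshot) -> List[str]:
    """Return one finding per deviation of the snapshot from the baseline."""
    findings: List[str] = []

    # 1. Autorun entries that are new or point at a different binary.
    for name, path in snapshot.get(RUN_KEY, {}).items():
        if baseline.get(RUN_KEY, {}).get(name, "").lower() != path.lower():
            findings.append(f"RUN: new or changed autorun '{name}' -> {path}")

    # 2. Firewall exceptions not present on the clean install.
    for key, raw in snapshot.get(FIREWALL_LIST_KEY, {}).items():
        if key in baseline.get(FIREWALL_LIST_KEY, {}):
            continue
        entry = parse_firewall_entry(raw)
        tag = "FW: new exception"
        if entry["state"].lower() == "enabled" and USER_WRITABLE.search(entry["path"]):
            tag = "FW: new exception for binary in user-writable directory"
        findings.append(f"{tag}: {entry['path']} ({entry['name']})")

    # 3. Winsock provider DLLs that were not part of the baseline catalog.
    known_dlls = {p.lower() for p in baseline.get(WINSOCK_CATALOG_KEY, {}).values()}
    for idx, dll in snapshot.get(WINSOCK_CATALOG_KEY, {}).items():
        if dll.lower() not in known_dlls:
            findings.append(f"LSP: unknown Winsock provider DLL {dll} (entry {idx})")

    return findings


if __name__ == "__main__":
    for line in audit(SUSPECT_SNAPSHOT, BASELINE):
        print(line)
```

The baseline-diff approach matters more than the heuristics: autorun names and firewall descriptions are chosen by the malware author and cannot be relied on, whereas a clean-install snapshot of the same keys gives a stable reference that any unexpected entry stands out against. In practice the two snapshots would come from `reg export` of the keys above; here they are embedded so the script runs offline.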
We end today's report with SpyEx, a hacking tool that monitors users' keystrokes, the applications used on the PC and Internet activity. The information compiled is then sent by email as an attachment to an address specified during installation.
Since 1990, PandaLabs' mission has been to analyze new threats as soon as possible to ensure that our clients are safe. Several teams specialized in each specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.) work 24x7 to offer global coverage. To do this they are supported by TruPrevent Technologies, a truly global early warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is the fastest in the industry to offer complete updates (more information at www.pandasoftware.com/pandalabs.asp).