This weeks report describes a worm -SdBot.FME-, a macro Trojan -Naiva.A-, a backdoor Trojan -IRCBot.NT-, and a hacking tool called Mirkov.
SdBot.FME is a worm that spreads by exploiting the following four security flaws that appear here with the number of the Microsoft bulletin that describes them: execution of remote code in Plug and Play -PnP-(MS05-039); RPC-DCOM (MS04-012); LSASS (MS04-011); and a vulnerability in WorKStation Service (MS03-049).
SdBot.FME contains a backdoor Trojan that connects to several IRC servers, through which it can receive different commands including: download and run files via HTTP, register and delete services, set the level of the security policies or carry out denial of service attacks.
The second threat in this weeks report is Naiva.A which, like all Trojans, cannot spread using its own means but needs to be distributed manually by third-parties (via email, Internet downloads, file transfers via FTP or other means). This Trojan reaches computers as a Word document informing about the bird flu epidemic.
- Naiva.A uses two Word macros. The first calls five kernel functions, which allow it to modify create and delete files. It uses the second macro to install Ranky.FY on the computer, a Trojan that will allow a potential attacker to gain remote control of the affected computer.
- To avoid falling victim to Naiva.A, users should ensure that the macro security level is set at medium to receive a warning when they are run or high to stop them from running.
- IRCBot.NT is a backdoor Trojan that cannot spread using its own means, although it can receive remote control commands to get into other computer by exploiting the Plug and Play vulnerability.
- Once installed on computers, IRCBot.NT carries out several actions including:
- Connecting to two IRC servers to receive remote control commands (IP scanning, Denial of Service attacks and download and run files).
- Creating several files. One of these aims to bypass process oriented firewalls.
- Registering itself as a Windows service.
We are going to finish this weeks report with Mirkov, a hacking tool that allows an attacker to gain remote control over the affected computer through a web browser. It can receive various control commands, such as download files or end process. It can also capture the keystrokes entered by the user, which can be used to collect passwords or other confidential information, compromising user privacy.
Kernel: This is the central module of an operating system.
Macro: A macro is a series of instructions defined so that a program, say Word, Excel, PowerPoint, or Access, carries out certain operations.
Since 1990, PandaLabs mission has been to analyze new threats as soon as possible to ensure that our clients are safe. Several teams specialized in each specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.) work 24x7 to offer global coverage. To do this they are supported by TruPrevent Technologies, a truly global early warning system made up of sensors that are strategically distributed and neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is the fastest in the industry to offer complete updates (more information at www.pandasoftware.com/pandalabs.asp).