Thursday, July 01, 2004

Webber.P virus infects from compromised servers - Severe Damage

The Webber virus is hitting and is expected to hit hard. This IS the time to promote Panda Antivirus solutions.

What follows is a summary on this virus.

--------------------------------------------------------
Webber.P
Threat Level: Moderate
Distribution: Low
Damage: Severe
--------------------------------------------------------
The Threat Level varies according to the Distribution and Damage levels


Common name: Webber.P
Technical name: Bck/Webber.P
Alias: Berbew.F, Backdoor.Padodor.gen, Backdoor.Berbew
Type: Backdoor

Effects:
It makes requests to different web sites located in Russia without the user noticing, and logs confidential information from the affected computer in a file.


Affected platforms: Windows XP/2000/NT
First appeared on: June 25, 2004
In circulation? Yes


Brief Description
Webber.P is a backdoor that allows an attacker to gain remote control over the affected computer through TCP port 23232, in order to carry out actions that compromise the user's confidentiality or even impede normal work. In addition, Webber.P opens two TCP ports so that the affected computer acts as a proxy server. This backdoor sends confidential information to different web sites, as well as data stored in the cache of the Internet Explorer browser. Webber.P logs confidential information, such as the user name and the name of the affected computer, in a file.

Visible Symptoms
Webber.P is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

Effects
Webber.P has the following effects:

It allows an attacker to gain remote control over the affected computer through TCP port 23232, in order to carry out actions that compromise the user's confidentiality or even impede normal work. It opens two TCP ports so that the affected computer acts as a proxy server. It sends confidential information to different web sites, as well as data stored in the cache of the Internet Explorer browser:

Infection strategy
Webber.P creates the following files in the Windows system directory:

Means of transmission
The following steps have been carried out in order to distribute Webber.P:

Using a specific method that our experts are still studying, the configuration of web servers running IIS 5.0 (Internet Information Services) has been modified so that these servers now append a footnote to every site they host. That footnote includes a DLL file, which contains malicious JavaScript code. When a user visits any of these web sites, the JavaScript code redirects the browser to a different web site. That web site contains code that exploits a vulnerability in Internet Explorer, which allows files to be downloaded and executed on the affected computer without the user noticing. The downloaded file is Webber.P.
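Two checks a defender can run from the facts in this summary, as an added example that is not Panda's code or any tool the advisory describes: on a workstation, look for a listener on TCP port 23232 (the only port the summary names; the two proxy ports are not given, so they cannot be checked here), and on an IIS host, look for a script appended after a page's closing </html> tag or a script include whose source is a .dll file, which is how the summary describes the injected footnote. The netstat lines and HTML pages below are constructed samples; the path /images/footer.dll and the redirect URL are hypothetical placeholders, not indicators from the advisory.

```python
import re

# Port the summary names as the backdoor's remote-control channel.
BACKDOOR_PORT = 23232

# Constructed sample of "netstat -an" style output (not a real capture).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23232          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      10.0.0.5:80            ESTABLISHED
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def find_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return the local addresses that are LISTENING on the given TCP port."""
    hits = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append(m.group(1))
    return hits


# Constructed sample pages; the injected footer content is hypothetical.
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
INJECTED_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<script src="/images/footer.dll"></script>\n'
)
INLINE_PAGE = (
    "<html><body>x</body></html>"
    "<script>window.location='http://example.invalid/';</script>"
)

HTML_END_RE = re.compile(r"</html\s*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


def injected_footer_findings(html):
    """Flag script tags that follow the closing </html> tag (an appended
    footer) and script includes anywhere in the page whose source is a
    .dll file. Returns a list of human-readable findings, empty if clean."""
    findings = []
    m = HTML_END_RE.search(html)
    if m is None:
        return findings  # no closing tag: nothing to treat as a trailer
    trailer = html[m.end():]
    for tag in SCRIPT_RE.finditer(trailer):
        src = SRC_RE.search(tag.group(0))
        if src:
            findings.append(f"trailing script include: {src.group(1)}")
        else:
            findings.append("trailing inline script")
    # Heuristic from the summary: the footnote pulls JavaScript from a DLL.
    for tag in SCRIPT_RE.finditer(html[:m.end()]):
        src = SRC_RE.search(tag.group(0))
        if src and src.group(1).lower().endswith(".dll"):
            findings.append(f"script include with .dll source: {src.group(1)}")
    return findings


if __name__ == "__main__":
    print("listeners on", BACKDOOR_PORT, "->", find_listeners(SAMPLE_NETSTAT))
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                       ("inline", INLINE_PAGE)):
        print(name, "->", injected_footer_findings(page))
```

On a real host, feed find_listeners the output of netstat -an and point injected_footer_findings at the HTML actually served (fetch a page through the server rather than reading the file from disk, since an IIS footer is appended at response time and never appears in the file itself).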