Tuesday, May 03, 2005

- Panda Software weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, April 29, 2005 - This week's report on viruses and intruders looks at the Kedebe.B and Nopir.A worms, as well as the Bancos.NL Trojan.

Kedebe.A is an email worm whose main danger lies in the fact that it leaves systems defenseless against attacks from other malware. This malicious code spreads in the form of attachments to other emails with variable characteristics, as both the subject and the message text are selected from a predefined list of options.

If a user were to run a file containing Kedebe.A, this would generate two files on the system. One of these contains a copy of the worm, while the other is a text file that reads: "Properly infected. Kill those fools, Mydoom-er and Bagle-r!! They're DEAD!! EthioLove.X!!".

Kedebe.A finalizes memory processes corresponding to security and antivirus applications. Similarly, it modifies the HOSTS file, to prevent access to several web pages related to IT security. It also makes an entry in the Windows registry to ensure it is run on every system start-up.

Nopir.A is designed to spread across P2P networks, deleting files with COM and MP3 extensions that it finds on the computer. For this reason, some media sources have dubbed it an "anti-pirate" worm, but really it is a dangerous type of malware that can cause serious damage to systems. It prevents systems from running Windows 2003/XP/2000/NT from starting up, as it deletes the NTDETECT.COM file.

If a user were to run a file containing, an 'anti-pirate' image is displayed on screen. At the same time, it disables the Windows registry editor, the task administrator and the control panel. In order to spread, Nopir.A uses the eMule file-sharing program. It does this by generating a file called ANYDVD 5.1.0.1 CRACK+KEYGEN BY RAZOR.EXE in the folder of this program which other users can download to their computers without realizing that it really contains a copy of Nopir.A.

Finally, the Bancos.NL Trojan is designed to intercept confidential data from clients of more than 2,500 bank portals. This Trojan cannot spread under its own steam, and needs third-parties to intervene manually, using traditional propagation methods such as floppies or CDs or through Internet downloads, email, FTP transfers, P2P networks, etc.

Once a user runs a file containing the Trojan, it is installed on the system as MSCVC.EXE, and starts to monitor the user's Internet activity, waiting for it to connect to one of the 2,500 Internet addresses listed in its code. When this happens, it logs the information entered by the user related to credit cards, account numbers, passwords, etc. This information is sent to a server where it can be collected by cyber-crooks.