Friday, January 27, 2006

Weekly Virus Threat Report

This week's report looks at a Trojan, Mitglieder.HJ, and two worms, Mytob.MU and Feebs.E.

Mitglieder.HJ cannot spread by its own means and must be distributed manually by third parties (via email, Internet downloads, FTP file transfers or other channels). Nevertheless, if it receives the corresponding command, it can send a copy of itself by email through a specific SMTP server.

The actions that Mitglieder.HJ takes on infected computers include the following:
- Opens port 33322 and acts as a proxy server. It also waits for remote control orders to carry out on the PC, such as starting an SMTP server or updating itself.
- Tries to download, from several web pages, a text file containing a list of IP addresses.
- Creates a mutex named 555 to ensure that only one copy of itself is running at any time.

The first worm that we are looking at today is Mytob.MU, which spreads via email in a message with variable content and a ZIP file attachment. When the attached file is run, the worm infects the computer and searches it for email addresses, to which it sends itself using its own SMTP engine.

Mytob.MU connects to an IRC server to receive remote control orders, which it executes on the computer it has installed itself on. It also terminates processes belonging to several security tools, such as antivirus programs and firewalls, along with those belonging to certain other specimens of malware.

Similarly, it prevents users from accessing certain web pages, notably those belonging to antivirus companies. On computers running Windows XP, it disables the Internet Connection Firewall (ICF) and Internet Connection Sharing (ICS) features.

The third threat in today's report is Feebs.E, a worm that spreads through P2P file-sharing programs and email.

One of the methods it uses to spread by email is to monitor network traffic and detect whether a MIME-formatted message with an attachment is being sent. If so, it attaches itself to that message. In this way it passes itself off as coming from a trusted source, so recipients are more likely to open and run it.

After installing itself on a computer, Feebs.E opens several ports to receive remote control orders and uses rootkit techniques to hide its files, its Windows registry entries and the ports it has opened. In addition, this worm disables several security programs, leaving the computer vulnerable to attacks from other malware.
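As an added, defender-side example that is not part of the original report: a small Python triage helper that checks two of the indicators described above on constructed sample data. It assumes `netstat -an` style output for the Mitglieder.HJ proxy port 33322 and, as an assumption the report does not state, that the web-page blocking attributed to Mytob.MU is done through hosts-file redirection of antivirus vendor domains (the vendor list is also an assumption).

```python
import re

# Indicator taken from the report: Mitglieder.HJ listens here as a proxy
MITGLIEDER_PROXY_PORT = 33322
# Vendor name fragments to look for in hosts entries (assumed list, not from the report)
AV_DOMAIN_HINTS = ("symantec", "mcafee", "pandasoftware", "kaspersky", "trendmicro")

# Matches one LISTENING line of `netstat -an` output on Windows
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def suspicious_hosts_entries(hosts_text):
    """Return hosts-file entries that point an antivirus vendor domain at a local address."""
    hits = []
    for line in hosts_text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not stripped:
            continue
        addr, *names = stripped.split()
        local = addr in ("127.0.0.1", "0.0.0.0", "::1")
        if local and any(h in n.lower() for n in names for h in AV_DOMAIN_HINTS):
            hits.append(stripped)
    return hits

def triage(netstat_text, hosts_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if MITGLIEDER_PROXY_PORT in listening_ports(netstat_text):
        findings.append(f"TCP port {MITGLIEDER_PROXY_PORT} listening (Mitglieder.HJ proxy indicator)")
    for entry in suspicious_hosts_entries(hosts_text):
        findings.append(f"hosts-file redirect of security vendor domain: {entry}")
    return findings

# Constructed sample data; not captured from a real infection
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:33322          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.8:6667          ESTABLISHED
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.symantec.com # constructed\n127.0.0.1 www.pandasoftware.com\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_HOSTS):
        print(finding)
```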