Saturday, April 29, 2006

Virus Threats

This week's report looks at four new IT security threats: the LootSeek.AU and Briz.F Trojans, the CrazyFrog.A worm and the Matlab/Lagob virus.

LootSeek.AU is a Trojan which downloads another Trojan - detected as Rizalof.BL - onto the compromised computer. It also uses an anonymous proxy server for mass-mailing new malware.

In addition, it terminates several processes belonging to security tools and Windows updates.

This Trojan, like many others, cannot spread automatically using its own means and therefore, needs an attacker to distribute it.

The Briz.F Trojan is designed to steal data related to online bank services. This new threat uses the lure of pornographic web pages to install itself on users' computers.

The emergence of Briz.F is a consequence of the scheme for creating and selling customized versions of Briz that was recently discovered and dismantled by the authorities. The web pages hosting Briz.F are designed to automatically download the malicious code onto the computers of users visiting these pages by exploiting several software vulnerabilities.

The modus operandi of Briz.F is complex and elaborate. The attack begins with the installation of a file called iexplore.exe, which prepares the ground by detecting whether there is an Internet connection. If there is, it connects to a certain web page in order to download another file called ieschedule.exe.

iexplore.exe then disables the Windows Security Center services and shared Internet access. Next, ieschedule.exe sends information about the infected computer (name, IP address, location, etc.) to a predetermined address.

It also downloads other files, including one called smss.exe, which modifies the hosts file to prevent access to websites related to security products, and another called ieredir.exe, which redirects users to spoofed web pages when they try to connect to certain online services, mainly those related to online banks.
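As an added defender-side example (not code from the report or from any of the products it mentions), the following Python check parses a hosts file and flags any entry for a watched domain, which is the kind of tampering described above. The sample hosts content and the watch list of domains are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file, modelled on the tampering the report describes
# (security-related sites pointed at the loopback address); not taken from Briz.F.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   update.example-av.test   www.example-av.test
127.0.0.1	downloads.example-security.test # looks harmless
10.0.0.5        intranet.corp.test
"""

# Hypothetical watch list: domains a defender expects to resolve via DNS, never via hosts.
WATCHED_DOMAINS = ("example-av.test", "example-security.test")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname equals, or is a subdomain of, any watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, kind) for every hosts entry that hijacks a watched domain.

    Any entry for a watched domain is reported, whatever address it points to: a
    loopback address silently blocks the site, while a non-loopback address can
    send the user to a page the attacker controls.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirected"
        except ValueError:
            kind = "malformed"
        findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```

On a real system the same function would be run over the contents of the hosts file itself, with the watch list replaced by the update and download domains of the security products actually deployed.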

CrazyFrog.A is a worm that spreads through the MSN instant messaging system and is designed to steal both access passwords to this application and bank details of the affected user.

It does this by monitoring network traffic and checking whether the user accesses web pages with certain text strings - related to online banking services - in their address. If the user accesses one of these, CrazyFrog.A installs a banker Trojan which captures the bank details entered by the user.

Finally, Matlab/Lagob is a virus that infects files with the M extension - corresponding to the popular Matlab application for solving mathematical problems - located in the same directory as the one the virus is run from. When it runs, the virus adds its code to the beginning of each file.