Saturday, May 06, 2006

Current Virus Threats

A worm, Nugache.A, the backdoor Trojan Hiviti.A and the Banker.CTD Trojan are the focus of this week's report.

Nugache.A can spread in three different ways: by exploiting the known LSASS and RPC DCOM software vulnerabilities, through the popular MSN Messenger application, or via email.

When installed on a computer, Nugache.A creates a copy of itself in the Windows system directory, in a file with the name MSTC.EXE.

In addition, it generates several Windows registry entries. Having done this, it opens several communication ports to connect to a series of IP addresses from which it receives remote instructions across P2P networks, allowing an attacker to take malicious action on the affected system.

Hiviti.A is a backdoor Trojan that cannot spread on its own, but requires the intervention of a malicious user. When it is installed on a computer, it creates a copy of itself under the name LOADCNTR.EXE, makes new entries in the Windows registry, and injects itself into the explorer.exe process so that it is not noticed by users.

In this way, the Trojan waits to log keystrokes made by the user, thereby capturing all types of confidential information, such as user names, passwords, etc. The data collected is then sent to certain predetermined email addresses.

We finish this week's report with Banker.CTD, a new banker Trojan, i.e. one designed to steal confidential data related to online banking services. Banker.CTD waits for the user to access web pages belonging to certain banks, including Banking, Bradesco, NetBanking, Santander and Sudameris, in order to log the data entered by the user.

It then sends the data to a certain email address. Banker.CTD requires the intervention of an attacker in order to reach computers. The means of distribution used vary and include floppy disks, CD-ROMs, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
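Both Nugache.A and Hiviti.A are described above by the file name they drop into the Windows system directory and the registry entries they add. As an added example (not code from the original report), the Python triage helpers below hunt for those two names in a mounted image's directory tree and in exported Run-key values; the file names and families come from the report, the sample data is constructed, and a name-only check will miss renamed variants.

```python
import os
import re
import tempfile

# Dropper file names the report attributes to each family.
DROPPER_NAMES = {
    "mstc.exe": "Nugache.A",
    "loadcntr.exe": "Hiviti.A",
}

# Captures the executable name from a Run-key command, regardless of
# quoting, directory prefix or trailing arguments.
_EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def find_dropper_files(root):
    """Walk `root` (e.g. a mounted image's Windows system directory) and
    return (path, family) pairs whose file name matches a known dropper.
    Matching is case-insensitive because NTFS is."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            family = DROPPER_NAMES.get(name.lower())
            if family:
                hits.append((os.path.join(dirpath, name), family))
    return hits


def flag_autoruns(entries):
    """`entries` is an iterable of (value_name, command) pairs exported
    from a Run/RunOnce key. Return (value_name, command, family) for each
    entry whose command launches a known dropper."""
    flagged = []
    for value_name, command in entries:
        for exe in _EXE_RE.findall(command):
            family = DROPPER_NAMES.get(exe.lower())
            if family:
                flagged.append((value_name, command, family))
                break
    return flagged


def build_constructed_tree():
    """Create a throwaway directory that mimics an infected system32
    (constructed sample data for demonstration) and return its path."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    for name in ("MSTC.EXE", "notepad.exe"):
        open(os.path.join(sysdir, name), "wb").close()
    return root


# Constructed Run-key export: one benign entry, one per described dropper.
CONSTRUCTED_AUTORUNS = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("MSTC", r'"C:\WINDOWS\system32\MSTC.EXE" -s'),
    ("loader", r"C:\WINDOWS\system32\LOADCNTR.EXE"),
]
```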