Tuesday, August 08, 2006

Current Virus Threats

This week's report from Panda Software on viruses and intruders clearly reflects the new dynamic influencing malware creators. The three examples of malicious code detailed in the report are aimed at spying, hijacking computers and stealing bank details.

Firstly, RuSpy.A is a Trojan that obtains user names and passwords for a range of programs including ICQ, Internet Explorer, Mozilla, Outlook and The Bat!. This information is then sent to the creator in an email message.

To avoid detection, it tries to terminate several processes belonging to security tools (antivirus programs and files). This, however, is not effective against Panda Software's TruPrevent(tm) Technologies and the auto-protection systems of Panda solutions.

As well as sending out the information mentioned above, it tries to download the file XINCH.EXE from a web page, creates shortcuts to several websites (all under Russian ".ru" domains), and alters the Internet home page on the infected system.

Another widespread fraud technique is to hijack computers. This is what the Tervserv.A backdoor Trojan does. It connects to a website in order to receive remote commands, such as instructions to download and run files that give the attacker complete control over the compromised computer.

Tervserv.A can also be instructed to send information about files on the computer as well as update or uninstall itself.

Finally, this week's report looks at Banker.DZO. This is a Trojan that monitors Internet traffic generated when a user accesses the web pages of Banco de Brasil, Bradesco, CEF, GERENCIADOR, Itau and Brad.Juridico.

When an infected user opens one of these pages, Banker.DZO displays a false login page in order to obtain the user name and password for accessing the account. This information is then sent to the creator in an email message. The information compiled is quite extensive, ranging from the user's particular bank or branch to the password, or even the secret password reminder question.