RealTime IT News

Virus Alert: Worm Sends Mail, Infects Executable Files

An Internet worm reported Monday by antivirus software vendor Sophos attempts to email itself to addresses taken from a variety of sources on the local machine.

W32/Nofer-A also will try to infect executable files. W32/Nofer-A will copy itself to svchost.exe and to a randomly named executable file in the Windows folder. It creates a registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ that points to the randomly named executable file to ensure the worm is run at system startup. W32/Nofer-A also will attempt to spread using peer-to-peer networks.

Find out how to remove the worm at this Sophos page.

BackDoor-AVF Trojan Opens Port and Loads Itself at System Start-up

This is the detection name for a Trojan that opens TCP port 80 (HTTP) on the victim machine. Incoming requests on that port are redirected to a Web site on the Internet. After execution, the Trojan copies itself as SYS64.EXE into %WINDIR%\SYSTEM32. The Trojan creates a registry run key to load itself at system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Tuneling" = SYS64.EXE

It runs an HTTP server on TCP port 80 and redirects incoming requests to http://promin.*OMITTED*.gs. On startup it also sends a notification containing information about the victim to the IP address 66.220.17.33. Find out more at this Network Associates page.

Worm Ends Security Software Processes and Runs Icon

Danvee is a worm that checks whether a series of processes belonging to antivirus and security programs are active on the affected computer and ends them if they are. As a result, certain applications will temporarily stop working. Danvee spreads rapidly via e-mail in a message that is very easy to recognize, as it always includes an attached file called CROCK.EXE, and has an icon that can be viewed at this Panda Software page.

Trojan Creates Files

W32/Mooder covers multiple minor variants of the same Trojan. The malicious mooder.exe variants have a file size of 8192 bytes. It may create the following files:

c:\windows\mood.exe
c:\windows\supertoy.exe
c:\windows\mood.bat
c:\windows\mood.cmd
c:\windows\mood.vbs
c:\windows\mood.htm

When run, it executes as a console application ("command box"). It tries to overwrite files with the .exe, .bat, .cmd, .js, .vbs and .htm extensions. Find out more at this McAfee page.

Trojan Tries to Create Malicious .exe Files

The Salvia Trojan driver was added to cover a malicious file, salvia.exe, with a file size of 122,880 bytes. It was compiled with Borland C++.

When run, it may try to create:

c:\windows\system\salvia.exe
c:\windows\system\crack.exe
c:\crack.exe
c:\windows\_salvia.txt

It tries to delete *.exe, *.com and *.dll files from c:\windows\%system. Read more at this McAfee page.

Nowar Trojan Displays Message Box

The driver for the Nowar Trojan covers a malicious file called nowar.exe. There are two minor variants, with file sizes of 7,680 and 24,576 bytes.

When run, Nowar displays a message box on the screen. View it and other information at this McAfee page.

Three Trojans Act as Covers for Malicious Files

The entry for QDel391 was added to cover a malicious file called intrenet.exe, with a file size of 17,408 bytes. The file is internally compressed with ASPack.

When run, it displays no GUI message boxes; it runs silently. It may drop the file intrenet.exe in the windows\%system folder and create a registry entry under:

...\Microsoft\Windows\CurrentVersion\Run\ "intrenet"

It may also change the Internet Explorer start page; McAfee is deliberately omitting the exact address here. During testing, no file system changes were encountered, the vendor reports.

Read more at this McAfee page.

The QDel390 driver was added to cover a malicious file called w32stop.exe, with a file size of 20,480 bytes. The file is written in Microsoft Visual Basic 6.0 (MSVB60) and is not internally compressed.

When the QDel390 Trojan is run, it tries to modify or delete the following files:

c:\windows\win.ini
c:\windows\win.vbs
c:\windows\system.ini
c:\windows\system32\cmd.exe
c:\windows\system32\taskmgr.exe

The Trojan also tries to modify the keyboard and mouse drivers, making the system practically unusable. Find out more at this McAfee page.

The QDel392 driver was added to cover a malicious file called x-plorer.exe, which has a file size of 24,576 bytes. The file is written in Microsoft Visual Basic 6.0 (MSVB60) and is not internally compressed. When run, it may drop itself as explorer.exe in the current directory, initially as a zero-byte file whose size then grows as the Trojan writes its log to it.

During testing, this file grew to more than 2 MB. The Trojan also drops itself as winlogger.exe, with a file size of 24,576 bytes, in the %windows\%system directory and creates a registry key to call it:

...\Software\Microsoft\Windows\CurrentVersion\Run\

More information is at this McAfee page.
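Four of the alerts above (W32/Nofer-A, BackDoor-AVF, QDel391 and QDel392) share the same persistence mechanism: a value under HKLM\...\CurrentVersion\Run that launches a dropped executable. The script below is an added example, not code from any of the vendors named on this page. It parses a text export of that key (the format the Windows `reg export` command writes), flags values whose name or target file matches the indicators listed in the alerts, and applies one heuristic drawn from the Nofer-A description: an executable placed directly in the Windows folder rather than in a subfolder. The registry export, the "Updater" value name, the qzxkl.exe file name and the file listing in the test are all constructed for the demonstration.

```python
import re

# Added example: audit a Run-key export against the indicators named in the alerts above.
# Everything in SAMPLE_REG_EXPORT is constructed; "Updater" and qzxkl.exe stand in for the
# randomly named executable that W32/Nofer-A drops in the Windows folder.

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Run-key value names the alerts mention (matched case-insensitively).
RUN_VALUE_INDICATORS = {
    "tuneling": "BackDoor-AVF",
    "intrenet": "QDel391",
}

# File names the alerts say are dropped or mailed (matched case-insensitively).
DROPPED_FILE_INDICATORS = {
    "sys64.exe": "BackDoor-AVF",
    "intrenet.exe": "QDel391",
    "w32stop.exe": "QDel390",
    "winlogger.exe": "QDel392",
    "mood.exe": "W32/Mooder",
    "supertoy.exe": "W32/Mooder",
    "salvia.exe": "Salvia",
    "crack.exe": "Salvia",
    "nowar.exe": "Nowar",
    "crock.exe": "Danvee",
}

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tuneling"="SYS64.EXE"
"intrenet"="C:\\WINDOWS\\system\\intrenet.exe"
"Updater"="C:\\WINDOWS\\qzxkl.exe"
"Adobe Reader"="\"C:\\Program Files\\Adobe\\reader_sl.exe\""
'''


def _unescape(data):
    """Undo reg-export string escaping: a backslash escapes the character after it."""
    return re.sub(r'\\(.)', r'\1', data)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the string values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="(.*)"$', line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _command_path(data):
    """Extract the program path from run-key data that may be quoted and carry arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def _split_path(path):
    """Return (parent_dir, file_name); parent is '' when the data names a bare file."""
    if "\\" in path:
        return tuple(path.rsplit("\\", 1))
    return "", path


def audit_run_values(values, windows_dir=r"C:\WINDOWS"):
    """Return one finding per suspicious value: {'value', 'data', 'reasons'}."""
    findings = []
    for name, data in values.items():
        reasons = []
        if name.lower() in RUN_VALUE_INDICATORS:
            reasons.append(f"value name associated with {RUN_VALUE_INDICATORS[name.lower()]}")
        parent, file_name = _split_path(_command_path(data))
        if file_name.lower() in DROPPED_FILE_INDICATORS:
            reasons.append(f"file name associated with {DROPPED_FILE_INDICATORS[file_name.lower()]}")
        # Nofer-A pattern: an .exe sitting directly in the Windows folder, not a subfolder.
        if parent.lower().rstrip("\\") == windows_dir.lower() and file_name.lower().endswith(".exe"):
            reasons.append("executable placed directly in the Windows folder (W32/Nofer-A pattern)")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


def check_file_listing(paths):
    """Return (path, family) for files whose name matches a dropped-file indicator."""
    hits = []
    for p in paths:
        family = DROPPED_FILE_INDICATORS.get(_split_path(p)[1].lower())
        if family:
            hits.append((p, family))
    return hits


def audit_sample():
    """Run the audit over the constructed export."""
    return audit_run_values(parse_reg_export(SAMPLE_REG_EXPORT).get(RUN_KEY, {}))


if __name__ == "__main__":
    for f in audit_sample():
        print(f'{f["value"]!r} -> {f["data"]}')
        for r in f["reasons"]:
            print("   ", r)
```

On the constructed export the script flags "Tuneling" and "intrenet" on both their value name and their target file, and "Updater" only on the Windows-folder heuristic, while the ctfmon and Adobe Reader entries pass. Name-based indicators like these are easy for a later variant to sidestep, which is why the heuristic on file location is worth keeping alongside them; a real audit would feed the script the output of `reg export` for the Run key and a listing of the Windows and System folders.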

Compiled by Esther Shein.