Sunday, May 13, 2007

Panda: beware of MSNDiablo worm

via: financial mirror (see link) 12 may 2007
This week’s PandaLabs report focuses on three trojans – Alanchum.VL, Downloader.OHC and Cimuz.FH – and a worm that spreads through instant messaging, MSNDiablo.A.

The Alanchum.VL trojan has been this week’s most notable malware. This malicious code has accounted for up to 62% of the reports of malware in circulation that PandaLabs receives per hour. According to Luis Corrons, “the Alanchum family, this variant included, uses social engineering techniques to spread. To do so, they use subjects that are newsworthy (a widely-spread Alanchum variant used Fidel Castro’s death as a ruse) or attractive (free products, porn, etc.), which entice users to open the malware-infected file”.

Alanchum.VL is designed to download the Cimuz.BE trojan onto the computer, which in turn records the web pages users visit. When they visit certain pages (banks, webmail, online forms, etc.), Cimuz.BE captures the information entered and sends it to its creator.

PandaLabs has detected a new variant of Cimuz this week: the Cimuz.FH trojan, which drops a DLL and registers it with the browser as a BHO (Browser Helper Object), so the browser loads it on every start. It then updates its own code online without users noticing.

Cimuz.FH also steals data (IP addresses, user credentials, etc.) from users’ computers. The data is stored in a file created by the trojan and sent to its creator by connecting to a server over HTTP.

The third trojan in this report is Downloader.OHC. “It could almost be considered three-in-one malware, since the first thing it does when it infects a computer is to download two malicious codes”, comments Corrons.

These two are the Grum.D.drp virus and the AdClicker spyware. Downloader.OHC also downloads a PHP file used to send information via an HTTP GET request. Grum.D.drp integrates a mail server that can be used to send spam; it obtains spam templates, code updates and so on by connecting to another online server.

The AdClicker spyware, on the other hand, makes several modifications to the Windows registry and to system DLLs. It also connects to a URL to download more malware onto the infected computer.

“Downloader.OHC is a good example of malware creators’ attempts to profit from their infections. One malicious code is enough to increase the chances of success, in this case, by downloading more malware”, says Corrons.

The MSNDiablo.A worm uses social engineering to spread through MSN Messenger. To fool users, the worm sends a message to all of the infected user’s contacts who are connected to MSN Messenger at that moment. The message comments on an animation and invites the recipient to view it by clicking a link. When users download and run the “animation” from that URL, what they are really doing is running MSNDiablo.A. Once a computer is infected, the worm repeats the whole process, sending the same instant message to every contact connected at that moment.

MSNDiablo.A also tries to connect to several URLs to download further files, including other malware, and makes several modifications to the Windows registry. One of these ensures that it is run every time a session is started. When run, MSNDiablo.A displays an error message. It also prevents the Windows Task Manager and Registry Editor from opening.
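As an added example (not part of the Panda report or the financial mirror article), here is how an analyst might triage a regedit export for the two kinds of tampering described above: the BHO registration used by Cimuz.FH, and the autostart entry plus the Task Manager / Registry Editor lockout used by MSNDiablo.A. The .reg excerpt, its value names, file paths and CLSID are constructed for illustration, and the rule that flags autostart entries pointing into a Temp directory is my own heuristic, not something the report states.

```python
"""Triage a regedit (.reg, version 5.00) export for the indicators above:
Run-key autostart entries, the DisableTaskMgr / DisableRegistryTools policy
values that block Task Manager and regedit, and Browser Helper Object
registrations resolved to the DLL that Internet Explorer would load."""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, object]]

# Constructed sample export: hypothetical user, paths and CLSID, not real data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"msnanim"="C:\\Users\\alice\\AppData\\Local\\Temp\\anim.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\bho.dll"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(v: str) -> object:
    """Decode a quoted string or a dword; anything else is kept as raw text."""
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v


def parse_reg(text: str) -> RegTree:
    """Parse export text into {key_path: {value_name: value}}; '@' is the default value."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue  # multi-line hex values etc. are out of scope here
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        tree[current][name] = _decode_value(m.group(2))
    return tree


AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
POLICY_RE = re.compile(r"\\Policies\\System$", re.I)
BHO_RE = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]+\})$", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)  # heuristic: autostart from a temp dir


def triage(tree: RegTree) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings for the indicators discussed in the report."""
    findings: List[Tuple[str, str]] = []
    for key, values in tree.items():
        if AUTOSTART_RE.search(key):
            for name, val in values.items():
                cmd = str(val)
                tag = "autostart-temp" if TEMP_RE.search(cmd) else "autostart"
                findings.append((tag, f"{key}\\{name} -> {cmd}"))
        elif POLICY_RE.search(key):
            for pol in ("DisableTaskMgr", "DisableRegistryTools"):
                if values.get(pol) == 1:
                    findings.append(("tool-disabled", f"{key}\\{pol}=1"))
        else:
            m = BHO_RE.search(key)
            if m:
                clsid = m.group(1)
                # A BHO key only names a CLSID; the DLL lives under HKCR\CLSID\...\InprocServer32.
                server = tree.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32", {})
                findings.append(("bho", f"{clsid} -> {server.get('@', '<no InprocServer32>')}"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{tag:15} {detail}")
```

A real export saved by regedit is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg`. Every autostart entry is listed, not just the ones in a Temp directory: the legitimate OneDrive entry is reported too, and an analyst decides what is benign.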

This week Microsoft has also published seven security patches, MS07-023 to MS07-029. All of them fix critical errors that could allow remote code execution.

The vulnerabilities affect Microsoft Office, Microsoft Windows and CAPICOM. The patches are available from http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx

Users who want to know whether their computers have been attacked by these or other malicious code can use TotalScan or NanoScan beta, the free online solutions available at http://www.infectedornot.com.