This week’s virus report will look at four worms: Axatak, Ganda.A, Bibrog.C and Lentin.Q.
Axatak uses any of the usual means of transmission employed by worms to spread themselves (e-mail messages, Internet downloads, FTP file transfers, etc.). After infecting a PC, it collects the passwords used to access certain resources and then sends them to the virus author.
Axatak also acts as a backdoor Trojan, as it opens communication ports 8850 and 8851 to enter the Internet. This could allow a hacker to access resources on the affected computer and take actions such as sending files or opening and closing the CD tray. Finally, Axatak tries, at five minute intervals, to access the floppy disk drive to copy itself to diskettes.
Ganda.A also spreads via e-mail, and can sometimes activate automatically when the message carrying the worm is viewed through the Outlook Preview Pane, exploiting a known vulnerability in Internet Explorer versions 5.01 and 5.5. Once the worm has infected a computer, it sends itself to all addresses in the Windows address book, in “EML”, “HTM” and “DBX” files and the Internet cache.
Ganda.A is a worm that infects PE files, by copying part of its code to them. It also creates a dropper type file in affected computers and ends processes belonging to certain antivirus and firewall programs, if they are active.
The third worm we’ll look at today is Bibrog.C which spreads in an e-mail with an attachment called “ACADEMIA.EXE”, although it can also spread via P2P exchanges and ICQ channels. It is easily recognized, as once it runs the “ACADEMIA.EXE” file, it displays a game and changes the desktop wallpaper.
Bibrog.C steals the details with which users enter Hotmail, Yahoo, Citibank, etc. and is designed to delete certain files, but due to a programming error, this does not actually take place.
The last worm in today’s report, Lentin.Q, spreads mainly via e-mail in a message that has extremely variable characteristics. Lentin.Q, like Ganda.A also exploits a vulnerability in versions 5.01 and 5.5 of Internet Explorer, so a computer can be infected by simply viewing the infected message through the Preview Pane. It can also spread across networks, as every Wednesday it copies the virus to the shared drives in the affected computer.
Lentin.Q ends processes belonging to antivirus and firewall programs and launches DoS attacks against five Internet addresses. It also changes the Home page of Internet Explorer and closes the Task Manager.
For further information about these and other viruses, visit Panda Software’s Virus Encyclopedia.