Trj/Kamuflao3 affects computers with Windows XP and has three files: a client, a server and a simple configuration program (called “Generador Victima Smtp.exe”). An attacker could use the latter to enter an e-mail address to which to send the IP address of the computer under attack.
For Trj/Kamuflao3 to act, the server file has to be installed on the victim’s computer, which means the user has to run this file. Once this server is configured, a connection can be established with the client and Trj/Kamuflao3 will be ready to take a series of actions on the infected computer such as displaying the MSN password and deleting files from the hard disk root directory.
The first of the two worms were looking at today is Grimgram, which sends itself out to all e-mail addresses in the computer’s Address Book, as well as all e-mail addresses in files with “HTM” and “HTML” extensions. It also spreads via the KaZaA file sharing program and IRC.
After infecting a computer, Grimgram displays an on-screen message, it makes two Internet connections and sends an e-mail with confidential information from the affected computer to firstname.lastname@example.org.
The file that causes the Grimgram infection is an “HTML” document which contains Visual Basic script. When the file is run, the worm generates a copy of itself in the root directory on the hard disk, and three other copies in the System directory. Grimgram also creates two Windows Registry keys. With one of these it ensures it is run on every system start-up and with the other it stores the e-mail addresses to which copies of the virus have been sent.
Finally, Cult.B, like Grimgram, uses e-mail and KaZaA to spread and alters Windows Registry keys to run itself on every system start-up.
To carry out its infection, Cult.B creates a copy of itself called “Wuauqmr.exe” in the Windows system directory. This malicious code is easily recognized, as it comes in an e-mail with the following subject: “Hi, I sent you an eCard from BlueMountain.com”.