This week’s report looks at four malicious code: the worms, Sory (W32/Sory), Kickin (W32/Kickin) and Winur (W32/P2P.Winur.C), and the Trojan AOL.Aim (Trj/PSW.AOL.Aim).
Sory obtains confidential information from the affected computer and sends it out to an Internet address. The data sent out by Sory includes the operating system version, the CPU number, type and speed, the amount of RAM and the e-mail address of the affected user. Similarly, Sory logs the keystrokes entered by the user of the infected computer and saves them in a file, which it also sends out. By doing this, the recipient of the message can access confidential information belonging to the user, such as the passwords for accessing certain services.
This worm spreads across networks and through computers with an English or Turkish operating system installed.
Winur.C is designed to spread rapidly through P2P (peer-to-peer) file sharing programs, such as WinMX, KaZaa or Edonkey. Once a machine is infected, the worm carries out a DoS (denial of service) attack against the www.whitepower.org web page, as well as deleting certain antivirus programs.
It also copies a lot of personal files from the infected computer to the P2P program shared directories. In this way, these files could be accessible to the virus author or any other user of these applications.
The Kickin worm spreads via e-mail using its own SMTP engine, although it also spreads via IRC and P2P applications. W32/Kickin infects Win9x, NT, 2000 and XP and is programmed in Microsoft Visual C 6.00. This worm scours the computer’s memory for a particular series of processes (related to security and antivirus software) and terminates those that it finds active.
The messages used by W32/Kickin try to trick users into running the infected file with references to topics such as SARS (Severe Acute Respiratory Syndrome), patches, love letters, games, photos of celebrities, etc.
W32/Kickin creates a script.ini file containing its code so as to spread via mIRC. It also copies itself to P2P application shared directories (KaZaA, Bearhsare, Edonkey2000 and Morpheus).
Finally, AOL.Aim is a Trojan that steals the access data of the users of the America On Line (AOL) instant messaging service. The data it obtains is the user name and password. It then sends this information to the virus author.
AOL.Aim uses various means to spread: e-mail messages with an infected document, computer networks, CD-ROMs, Internet downloads, FTP, floppy disks, etc.