This week’s virus report looks at Naco.B (W32/Naco.B), Holar.H (W32/Holar.H) and Auric (W32/Auric).
Naco.B is a dangerous worm, as it includes a Trojan component that allows an attacker to gain remote access to certain resources on the affected computer. The actions a hacker could carry out include opening and closing the CD-ROM tray and switching the mouse button functions.
Naco.B spreads rapidly via e-mail, P2P (peer-to-peer) file sharing programs and ICQ chat channels. When it spreads via e-mail, the message always contains an attached file called WARS.EXE.
Naco.B also sends an e-mail message containing information on the affected computer to the following address: firstname.lastname@example.org. The information it sends includes the operating system installed, the version of Internet Explorer installed, the machine name, number and type of drives installed, etc.
Finally, Naco.B disables the security programs installed on the affected computer. To do this, it carries out the following actions:
– It ends active processes belonging to antivirus and firewall programs, among others, on the affected computer.
– It looks for files related to different antivirus and security programs and deletes them.
Holar.H is a worm that spreads rapidly via e-mail and uses ‘social engineering’ to trick users into opening the infected file.
The subject, text and attachment name of the message in which Holar.H reaches computers vary, as they are selected at random from a long list of possibilities. In addition to the infected file, the e-mail message includes another attachment, which is selected at random from the affected computer. The sender of the infected message is always Dispatch@McAfee.com.
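The two e-mail traits reported above (Naco.B's WARS.EXE attachment and Holar.H's fixed sender with two attachments) can be checked at a mail gateway. The following is an added example, not part of the original report; the function names, the sample messages and the two-attachment threshold are assumptions built from the description, and the sender rule is only a heuristic because From addresses are trivially forged.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

NACO_ATTACHMENT = "wars.exe"          # attachment name given in the report
HOLAR_SENDER = "dispatch@mcafee.com"  # sender address given in the report


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    names = []
    for part in msg.walk():           # walk() also covers nested multiparts
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def classify(raw):
    """Return the worm names whose reported e-mail traits the message matches."""
    msg = message_from_string(raw, policy=policy.default)
    names = attachment_names(msg)
    # parseaddr strips any display name, e.g. "McAfee <Dispatch@McAfee.com>"
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    hits = []
    if NACO_ATTACHMENT in names:
        hits.append("Naco.B")
    # Holar.H: fixed sender plus the infected file and one extra attachment
    if sender == HOLAR_SENDER and len(names) >= 2:
        hits.append("Holar.H")
    return hits


def build(sender, subject, files):
    """Construct a sample message (test data only, not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("constructed sample body")
    for name in files:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


if __name__ == "__main__":
    print(classify(build("a@example.test", "hello", ["Wars.EXE"])))
    print(classify(build("McAfee <Dispatch@McAfee.com>", "update",
                         ["setup.exe", "notes.doc"])))
```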
Finally, Auric is a worm whose effects are more annoying than damaging. After it has infected a computer, it makes it difficult to move the mouse, so that the user cannot place it on the toolbar; changes the color of the windows; opens the CD-ROM tray every so often; and creates files on the Windows desktop. However, the greatest danger lies in the fact that it detects and disables certain antivirus programs.
Auric spreads rapidly via e-mail, IRC channels and P2P (peer-to-peer) file sharing programs.