This week’s report focuses on four worms: Klys, Gruel.B, Lohack.B and Mofei.C.
Klys spreads through IRC channels and across network shares. Although it is a worm, it also acts as a dropper, copying a file belonging to the Cult worm to the computers it infects, and as a Trojan, opening IRC ports that allow a hacker to gain remote access to the resources on the computer.
If Klys infects a computer that is connected to a network, it removes sharing from most of the computer’s shared resources, and as a result, applications that depend on those shares will stop working.
Gruel.B spreads via e-mail and the P2P (peer-to-peer) file sharing program KaZaA. The most notable characteristic of this worm is its payload, as it deletes a large number of Windows files that are essential for the operating system to function correctly. Gruel.B also carries out other actions, such as opening windows in the Control Panel, disabling the Taskbar, hiding the C: drive and displaying messages on screen.
The third worm in today’s report is Lohack.B, which spreads via e-mail, KaZaA and shared network drives. This worm tries to trick users into thinking the message has been sent by a trustworthy organization (such as the Spanish Ministry of Science and Technology or Panda Software).
Lohack.B activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting the Exploit/iFrame vulnerability detected in versions 5.01 and 5.5 of Microsoft Internet Explorer. However, if the corresponding patch has been applied to the browser, Lohack.B cannot automatically run itself.
We are going to close this report with Mofei.C, which spreads via e-mail and across shared network drives. This worm also acts as a backdoor-type Trojan, allowing a hacker to gain remote access to the computer in order to obtain information. It also allows an attacker to carry out a series of actions, such as changing the password and deleting files and directories. When Mofei.C goes memory resident, it tries to connect to different web pages through ports 8080 and 1080.