Today’s report on malicious code centers on the Trojans -Hatoy.A, Petala.A and six variants of Istbar-, and three worms -Dozer.A, Simbag.A and Holar.I-.
Hatoy.A reaches computers when users access a malicious web page. To do this it exploits the ‘Object type’ Microsoft Internet Explorer vulnerability, which allows files in certain pages to be run locally. Once it is executed, and when users try to access certain search engines, Hatoy.A redirects them to an IP address that could host different pages.
Petala.A, is a backdoor Trojan that spreads across networks and IRC. This malicious code could give hackers remote access to the computer with which they could use IRC commands in order to copy files, terminate processes, etc., thus compromising confidential data and interfering with the use of the PC.
The B, C, D, E, F and G variants of the Istbar Trojan install spyware and dialers on the computer without users knowledge. They also display different screens with advertising for pornographic websites and add a toolbar to the Internet Explorer browser.
The first worm we’ll be looking at in today’s report is Dozer.A, which sends itself to all MSN Messenger contacts in the compromised PC. In order to trick users, it sends itself in an e-mail, which claims to contain a patch for MSN Messenger sent by Microsoft. However, when this file is run, a false error message is displayed to confuse the victim. Dozer.A creates various Windows registry keys and intercepts and terminates antivirus and firewall processes.
Simbag.A also spreads via MSN Messenger, sending a copy of itself to all contacts it finds. It also creates links to different erotic websites and generates the following files in the Windows directory: SMB.EXE, ADMAGIC.EXE, TEST.TXT, SM.DLL, RAW32X.DLL and UZ.EXE.
Finally, Holar.I spreads via e-mail and the KaZaA file sharing program. It changes the home page of Internet Explorer and when it has run more than thirty times it disables the mouse and the keyboard.