In this week’s virus report we are going to focus on three Trojans -IRCBot.D, Ruledor.A and Pup.A-, the worm Gaobot.S and two new versions of Gibe.C.
IRCBot.D sends itself out via e-mail in a message with the subject ‘Last Update’ and an attachment called ‘NAV32.EXE’, which tries to trick the user into thinking that it has been sent by an antivirus company. When the attached file is run, IRCBot.D goes memory resident and connects to an IRC channel. From this channel, this malicious code receives commands to carry out the following actions, among others: redirect ports, download and run files, scan ports, launch Denial of Service (DoS) attacks and send itself to other IRC channels.
The second Trojan in today’s report is Ruledor.A, which installs different variants of the Trojan Istbar, adds a toolbar to the Internet Explorer browser, displays advertising pop-up windows and, due to programming errors, sometimes ends the process belonging to Internet Explorer. When the user types a web address in Internet Explorer, Ruledor.A checks if there is a similar address among its advertisements and if there is, it redirects the user to this web address.
Today’s third Trojan, Pup.A goes memory resident and opens different advertising web pages in Internet Explorer whenever it is run. When the user tries to close them, the Internet Explorer window is minimized, pointing to a web page that contains a PHP routine. This routine accesses certain web addresses, without the user realizing, and sends out information on the creator of the Trojan, who receives money in exchange for the number of visits received.
The first worm we are going to describe is Gaobot.S, which has backdoor characteristics and infects Windows XP/2000/NT computers. In order to spread to as many computers as possible, this worm exploits the RPC DCOM and WebDAV vulnerabilities. It also spreads by trying to copy itself to shared network resources, which it tries to access using typical passwords. When it is run, Gaobot.S connects to a specified IRC server through port 6667 and waits for control commands.
Gaobot.S ends processes belonging to antivirus programs, firewalls and system monitoring tools, leaving the affected computer vulnerable to the attack from other viruses or worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster. Due to its backdoor characteristics, Gaobot.S can also obtain information on the affected computer, run files on it, launch Distributed Denial of Service (DDoS) attacks, upload files via FTP, etc.
We are going to finish this report with two new versions of the Gibe.C worm. This malicious code spreads via e-mail, the P2P file sharing program, KaZaA, shared network drives and IRC. The differences between the original worm and these new versions are that they are compressed with UPX and the texts displayed when the worm is run and sent.