Today’s virus report will focus on three Trojans (Esepor.A, Mafia.A and the ‘K’ variant of Istbar) and a worm called Logpole.A.
Esepor.A is a Trojan that reaches computers in a file called TMKSRVL.EXE. When this file is run, this Trojan checks if there is an open connection to the Internet and, if there is, it automatically downloads and runs a file called XPINSTALL.EXE. This file creates and registers a dynamic link library called XPLUGIN.DLL, which is an Internet Explorer plugin, and goes memory resident when the user connects to the Internet through this browser. Esepor.A is easy to recognize, as it displays a pop-up ad with pornographic content.
The second Trojan in today’s report is Mafia.A, which looks for passwords for Outlook Express mail accounts (SMTP, POP3 and HTTP-Mail) in the Windows Registry and obtains information on the hard disks, memory installed, operating system, user name, microprocessor, etc. On computers running Windows .NET Server/XP/2000/NT it also looks for passwords in the memory cache. This malicious code then sends out the information it has obtained via e-mail.
Istbar.K is a Trojan that, when the user visits certain web pages, displays a message on screen prompting the user to confirm whether ActiveX code can be run on the computer. If the user clicks on Yes, the ActiveX code downloads and installs several spy programs and malicious dialers and displays advertising web pages with pornographic content. Istbar.K also adds a toolbar to Internet Explorer and changes the home page of this browser.
The last malicious code in today’s report is Logpole.A, a worm that spreads through the peer-to-peer (P2P) file sharing program KaZaA. When it is run, this malicious code goes memory resident. Logpole.A is difficult to recognize, as it does not display any warnings or messages that indicate that it has infected a computer.