This week’s report on malicious code will focus on three worms -Lohack.C, Flop.A and Sexer.A-, a Trojan called Sdbot.N and the virus Vix.A.
Lohack.C spreads via e-mail and across network drives. The message carrying this worm tries to trick users by referring to the Spanish Information Society and E-business Services law. It also spoofs the sender’s address, so that it seems to have been sent from the Spanish Ministry of Science and Technology or Panda Antivirus.
Lohack.C automatically activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting a vulnerability -known as Exploit/Iframe- that affects versions 5.01 and 5.5 of Internet Explorer and allows e-mail attachments to run automatically. Finally, one of the effects of Lohack.C is that it moves the mouse pointer around the screen.
Today’s second worm is Flop.A, which spreads by copying itself to all the floppy disks used on the affected computer, provided that they are not write-protected. When this malicious code is run, it displays a message in Spanish describing how to enlarge the male member. The file carrying Flop.A has the same icon as Word documents.
Sexer.A is a worm that spreads via e-mail in a message written in Cyrillic characters and includes an attachment called WIN2DRV.EXE. When Sexer.A has infected a computer, it sends a copy of itself to all the contacts it finds in the Windows address book and changes the Windows wallpaper for a text with Cyrillic characters.
The fourth malicious code in today’s report is a Trojan called Sdbot.N. This Trojan has been mass mailed in a message with the subject: “Microsoft Security Update” and an attachment called MS03-047.EXE. The message text also tries to trick the user into believing that the message has been sent by Microsoft. However, when the attached file is run, Sdbot.N goes memory resident and connects to an IRC channel. This channel sends the Trojan remote control commands in order to carry out the following actions, among others: scan ports, download and run files, launch Denial of Service (DoS) attacks, etc.
Finally, Vix.A is a virus with worm characteristics that infects PE files and spreads via the P2P (peer-to-peer) file sharing programs KaZaA, iMesh and Shareaza. A file that has been infected by this virus cannot be disinfected and will therefore be rendered unusable.