In this week’s report we are going to look at six worms (Plexus.A, Cult.J and four variants of Korgo) and at Protoride.gen.
Plexus.A spreads via the Internet by exploiting the RPC DCOM and LSASS vulnerabilities (on computers that have not been patched) and by sending itself out to the addresses it finds on the local machine and in mapped drives.
Plexus.A overwrites the hosts file, preventing the computer from connecting to certain web addresses of an antivirus company; as a result, the installed protection cannot be updated. Plexus.A locates the KaZaA shared directory and copies itself to it, and also creates copies of itself in shared folders on the network.
Cult.J spreads via e-mail in a message with the subject: ‘Hello, I sent you a beautiful love card. ^_*’ and an attached file called: ‘BEAUTIFULLOVE.PIF’. When this file is run, the worm sends a copy of itself to a series of addresses using its own SMTP engine.
Cult.J goes memory resident and tries to connect to an IRC channel. If it manages to establish a connection, this malicious code will give an attacker remote access to the affected computer, allowing the attacker to carry out the following actions, among others:
– Attacks through IRC.
– Send out confidential and system information.
– Download and run files.
– Send worms to other IRC channels.
Protoride.gen is a generic detection routine for variants of the Protoride worm, including those that could emerge in the future. Malicious code in this family has the following characteristics:
– They spread across computer networks by copying themselves to the network resources they manage to access.
– They connect to an IRC channel through port 6667 and wait for a hacker to send remote control commands (to download and run files, hide active processes, uninstall themselves, etc.).
– They modify a Windows Registry entry, preventing EXE files from running. As a result, certain applications will not work.
The next worms in today’s report are the C, D, E and F variants of Korgo, which spread via the Internet by exploiting the LSASS vulnerability. All four variants open port 3067 and listen on it. They also try to connect to IRC servers and are designed to prevent the computer from shutting down.
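The report names two host-level traces a defender can check for without any vendor tooling: the hosts-file redirection that Plexus.A uses to cut off antivirus updates, and the network footprint shared by the Korgo variants and the IRC-controlled families (a local listener on port 3067, an outbound connection to an IRC server on port 6667). The following triage script is an added example and is not code from the original report or from Panda; the hosts file and the netstat-style output it parses are constructed inline, and the antivirus hostnames in them are placeholders rather than real update servers.

```python
"""
Defender-side triage helpers for the behaviours described in this report.
Added example (not part of the original report): parses a hosts file and
netstat-style output, both constructed inline below, and flags the
indicators the worms above leave behind.
"""
from typing import List, Tuple

# Constructed sample hosts file: the first two lines are ordinary defaults,
# the rest imitate the kind of redirection Plexus.A performs so that
# antivirus update servers resolve to an unreachable address.
# The hostnames are placeholders, not real vendor servers.
SAMPLE_HOSTS = """# sample comment line
127.0.0.1       localhost
127.0.0.1       update.example-antivirus.test
0.0.0.0         download.example-antivirus.test
"""

# Constructed sample of "netstat -an" style output (not a real capture).
SAMPLE_NETSTAT = """Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
TCP    192.168.1.10:1038      203.0.113.7:6667       ESTABLISHED
UDP    0.0.0.0:445            *:*
"""

# Addresses that make a hostname unreachable when pinned in the hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a default hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def find_hosts_redirections(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs where a non-localhost name is pinned
    to a loopback or null address, which is how Plexus.A blocks AV updates."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                findings.append((addr, name))
    return findings


# Ports named in the report: 3067 (Korgo listener) and 6667 (IRC control channel).
KORGO_LISTEN_PORT = 3067
IRC_PORT = 6667


def find_suspicious_sockets(netstat_text: str) -> List[str]:
    """Flag a local listener on port 3067 and any established connection to
    remote port 6667, reading netstat-style lines. An IRC connection is only
    an indicator (legitimate IRC use exists); a 3067 listener is unusual."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        local_port = int(local.rsplit(":", 1)[1])
        if state == "LISTENING" and local_port == KORGO_LISTEN_PORT:
            findings.append(f"{proto} listener on port {local_port} (Korgo indicator)")
        remote_port = remote.rsplit(":", 1)[1]
        if state == "ESTABLISHED" and remote_port.isdigit() and int(remote_port) == IRC_PORT:
            findings.append(f"outbound IRC connection to {remote} (possible bot control channel)")
    return findings


if __name__ == "__main__":
    for addr, name in find_hosts_redirections(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {addr}")
    for finding in find_suspicious_sockets(SAMPLE_NETSTAT):
        print(finding)
```

On a live machine the same two functions can be fed the contents of `%SystemRoot%\System32\drivers\etc\hosts` and the output of `netstat -an`; any hosts-file hit against a vendor's update domain is worth restoring from a known-good copy before attempting to update the antivirus, since the report notes the update itself is what the redirection blocks.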