This week’s report on viruses and intruders looks at four worms (Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B), a Trojan (Dropper.O), a spy program (Ndrv) and an exploit (MhtRedir.N).
Lovgate.AT is a worm that uses a wide range of propagation techniques, such as email messages, the KaZaA file sharing program, shared network resources, etc. It also opens a backdoor on the computer, and sends a message by email to a remote user letting them know that the system has been infected and is accessible through a backdoor.
The most significant event this week has been the appearance of Mydoom.N. This worm is designed to spread rapidly via email to addresses that it finds in infected computers. However, it also uses the four main Internet search engines to search for all these addresses, thereby trying to saturate them with traffic. One of them, Google, suffered serious problems for some hours at the beginning of the week.
Mydoom.N also uses a communication port to create a backdoor on the infected computer. This backdoor is exploited by the Zindos.A worm in order to spread. The worm appeared one day after Mydoom.N, which makes it seem likely that both malicious code are the work of the same person. In addition, Zindos.A launches DDoS (Distributed Denial of Service) attacks against Microsoft’s website.
Mabutu.B is a worm that connects to different IRC servers to notify its creator that the computer has been affected and to receive messages from remote users. The email messages that it uses to spread have variable characteristics.
Dropper.O is a Trojan that downloads the Adware/Nsearch application onto the computers it infects. Dropper.O spreads via web pages previously infected by the MhtRedir.N exploit, which was also detected for the first time this week. MhtRedir.N has been designed to exploit a vulnerability in Microsoft Outlook Express, which it uses to install Dropper.O on computers.
Finally, Ndrv is a spyware program offering use of a program in exchange for viewing a series of advertising messages. Ndrv is made up of a DLL which loads along with Internet Explorer, so that every time the browser is opened, the spyware is activated.