Weekly Report on Viruses and Intruders – Sober.J, Bropia.E and Gaobot.CTX, and the Trojans Locknut.A and Downloader.ALQ
This week’s report on viruses and intruders will focus on the worms Sober.J, Bropia.E and Gaobot.CTX, and the Trojans Locknut.A and Downloader.ALQ.
Sober.J is a new variant of the Sober family of worms and is very similar to its predecessors. It spreads as an attachment to an email message that may be written in English or German, depending on the domain of the recipient’s email address. What’s more, the sender address of the message is spoofed.
If the user runs the attachment, Sober.J looks for email addresses in files with certain extensions on the affected computer and sends itself out to them using its own SMTP engine. This worm also tries to carry out other actions, such as accessing the POP3 mail accounts of a well-known German Internet service provider, downloading malware updates from the Internet, or restoring Windows Registry entries modified by other malicious code.
Bropia.E and Gaobot.CTX are two worms that spread together. Bropia.E sends itself out through the instant messaging program MSN Messenger, disguised as an image file with a variable name taken from a long list of options and a .pif or .scr extension. Some examples of the name of this file are: bedroom-thongs.pif, LMAO.pif or LOL.scr. If the user runs the file, it displays a curious image of a roast chicken on screen. However, this image is just a cover-up to hide the real actions carried out by the worm. This malicious code sends itself out to all the contacts in MSN Messenger and creates various files on the computer, including a file called winhost.exe, which actually contains the Gaobot.CTX worm.
Gaobot.CTX carries out the actions that pose the biggest threat to the integrity of the computer, as it connects to IRC channels and waits for commands from a remote user. This allows a hacker to download all kinds of files to the affected computer: spyware, adware, other viruses, etc.
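The Bropia.E transfer names and the winhost.exe drop described above give a defender two cheap signals to check at an IM gateway or endpoint: a "picture" arriving with a .pif or .scr extension, and the known dropped file name. The following is an added example (not code from the original report or from any vendor); the log line format and the extension lists beyond .pif and .scr are assumptions.

```python
import re

# Extensions the report says Bropia.E uses while posing as an image file.
BROPIA_EXTS = {".pif", ".scr"}
# Broader executable set (assumption, not from the report) for a weaker "suspicious" verdict.
OTHER_EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# File name the report says Bropia.E drops; it actually contains Gaobot.CTX.
KNOWN_DROPPED = {"winhost.exe"}


def classify_transfer(filename: str) -> str:
    """Return 'block', 'suspicious' or 'allow' for an IM file transfer name."""
    name = filename.strip().lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if name in KNOWN_DROPPED:
        return "block"
    # Screensaver/PIF files have no business arriving as "images" over IM.
    if ext in BROPIA_EXTS:
        return "block"
    # Double extension such as photo.jpg.exe: image name, executable payload.
    if len(parts) >= 3 and "." + parts[-2] in IMAGE_EXTS and ext in OTHER_EXEC_EXTS:
        return "block"
    if ext in OTHER_EXEC_EXTS:
        return "suspicious"
    return "allow"


# Constructed sample log lines in an assumed "key=value" gateway format.
SAMPLE_LOG = """\
2005-02-04 10:12:03 transfer from=alice@example.com to=bob@example.com file=LOL.scr
2005-02-04 10:12:41 transfer from=carol@example.com to=bob@example.com file=holiday.jpg
2005-02-04 10:13:05 transfer from=alice@example.com to=dave@example.com file=bedroom-thongs.pif
2005-02-04 10:14:22 transfer from=erin@example.com to=bob@example.com file=setup.exe
"""

LINE_RE = re.compile(r"from=(?P<src>\S+) to=(?P<dst>\S+) file=(?P<file>\S+)")


def scan_log(text: str) -> list:
    """Return (sender, file, verdict) for every transfer that is not plainly allowed."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        verdict = classify_transfer(m.group("file"))
        if verdict != "allow":
            hits.append((m.group("src"), m.group("file"), verdict))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two Bropia-style names as blocked and the plain .exe as suspicious, and a sender that appears repeatedly in the blocked set is a good candidate for an infected contact.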
Locknut.A is a Trojan that only affects cellular phones running the operating system Symbian 7.0S or later. This malicious code tries to trick the user into running it by passing itself off as a patch for the cellphone. Once it is run, Locknut.A replaces operating system components, which prevents some applications from being run and blocks the phone. Some variants of Locknut.A also install a copy of Cabir.A, another worm targeting mobile devices that appeared last year.
Finally, Downloader.ALQ is a new member of the huge family of Downloader Trojans. Like the rest of the variants, this malicious code is designed to download and run all types of malicious code on the system, mainly spyware.