Weekly Report on Viruses and Intruders – W32.Semapi.A, W32.Codbot.AL, and W32.Mytob.GV Worms
W32.Codbot.AL is a worm that has been detected a significant number of times since it appeared. According to the online anti-malware solution Panda ActiveScan, it is one of the top five most active threats this week. This malware spreads using known vulnerabilities in the SQL Server, LSASS and RPC-DCOM processes. To install itself on the computer, it registers itself as a system process, which is run whenever the computer is started up. When it is running, it connects to various IRC servers and waits for commands. It can receive all types of commands, such as commands to obtain information from the computer, enable keylogging or FTP services, or even download and run other types of malware. This worm was blocked by TruPrevent™ Technologies, even before the signature file was made available.
The second worm, W32.Semapi.A, spreads via email in a message with a variable subject, sender and other characteristics, and is carried in an attachment with a variable name and extension. When it is installed on the computer, it copies several files to the hard disk and creates a series of entries in the Registry to ensure that it is run whenever the computer is started up. It then looks for addresses in files with certain extensions on the affected computer and sends itself out to the addresses it finds. This worm is easy to recognize because, when it is run, it displays a dialog box informing the user that the file “semapi.dll” cannot be found.
The final worm in today’s report is a member of the Mytob family, or to be more precise the GV variant. This worm opens a backdoor and spreads via email (sending itself to all the addresses it finds on the affected computer with a spoofed sender’s address) and through shared resources protected with weak passwords. What’s more, it ends certain processes on the affected computer, the majority of which belong to antivirus applications, and blocks access to the websites of IT security companies. As a result, it leaves computers vulnerable to infection from other types of malware.
To prevent this malware or any other malicious code from affecting your computer, Panda Software recommends keeping antivirus software up to date. Panda Software clients can already access the updates to detect and disinfect this malicious code.