Weekly Report on Viruses and Intruders – Lebreat worm variants, RemoteLogger and AFXFireWall.A and E-Eliminator malware

Lebreat.A, Lebreat.B and Lebreat.C are three email worms with differing characteristics that can also spread over the Internet by exploiting the LSASS vulnerability.

The A, B and C variants of Lebreat take a range of actions on infected computers, including:

– Downloading other malware.

– Launching denial of service attacks against a web page.

– Disabling several Windows tools, such as the task manager and the firewall in Windows XP.

– Creating a mutex to ensure that only one copy of the malicious code is active at any time.

The first hacking tool we’re looking at today is RemoteLogger, which can be remotely installed by sending a small installer to the target computer and getting the user to run it. Once installed, it logs keystrokes and can be used to collect personal data, such as passwords, which is a clear threat to user privacy. This hacking tool can also monitor different users of the same PC.

Information compiled by RemoteLogger can be sent out via email or uploaded to an FTP server.

AFXFireWall.A filters SYN (SYNchronize) packets. When a SYN packet is sent to an unauthorized TCP port, AFXFireWall.A responds with an RST packet, automatically closing the connection. The files of this hacking tool can normally be found in a file called FIREWALL.ZIP.

We end today’s report with E-Eliminator, an adware program installed on computers when users visit certain pages with adult or illegal content. Once it has infected a computer, it displays a page in the browser announcing that all information about what the user has been doing online has been logged. To resolve the situation, the page recommends that users obtain certain software.

To heighten the sense of insecurity, and so encourage the user to buy the recommended software, E-Eliminator changes the Internet Explorer home page. This adware also changes the search page.
