Weekly Report on Viruses and Intruders – Killfiles.AC, Killfiles.AD and Banker.AEP Trojans, Ip-Harvester and Redhand

Today’s report looks at three Trojans -Killfiles.AC, Killfiles.AD and Banker.AEP-, a worm called Mytob.IJ and two hacking tools -Ip-Harvester and Redhand-.

The most significant aspect of the AC and AD variants of Killfiles is that both of these remove files that are key to system functionality, preventing the system from starting up. In particular, the Trojans delete:

– All files in the Windows directory.
– All files in the SYSTEM32, SYSTEM, INF and SERVICEPACKFILES subfolders of the Windows directory.
– The NTLDR, NTDETECT.COM, IO.SYS y COMMAND.COM files of the C: drive root directory.

Administrator rights are needed in order to remove these files from computers with Windows 2003/XP/2000/NT.

Killfiles.AC and Killfiles.AD are often used by other Trojans to delete data from the affected computer. They also, depending on the version of Windows, display the following message on screen: FALTA NTLDR.

The next Trojan we are looking at today is Banker.AEP, which monitors access to certain web pages, mostly Brazilian financial institutions. To do this it looks for Windows called “IErame” and if it finds any, it attempts to access the text indicating the web address of the page. If the address coincides with certain Brazilian banks, Banker.AEP closes the Internet Explorer window and displays a page in Portuguese which is similar to the web that the user is trying to access and requests confidential data such as passwords. If the user enters these details, the Trojan sends them to two email addresses.

The worm we are discussing today is called Mytob.IJ and uses its own SMTP to send itself out. It also has an IRC client through which it connects to a certain IRC server. In this way it can receive commands that can enable the computer to be administered remotely. It also exploits the LSASS vulnerability.

In those computers it infects, Mytob.IJ searches for email addresses in files with certain extensions and files in the Internet Temporary Files folder. It avoids however, sending itself to addresses that contain certain texts.

The first time a file containing Mytob.IJ is executed, the worm checks to see if there is already an active copy of itself on the computer, and if so it terminates it. This worm also makes copies of itself in several files. One of these files, called hellmsn.exe, it uses to send the files “funny_pic.scr see_this!!.scr” and “myphoto_2005.scr” out via MSN Messenger.

To prevent the user from communicating with certain Internet sites, Mytob.IJ modifies the %windir%\system32\drivers\etc\hosts file, adding several entries. Because of this, when any program tries to resolve a DNS query to the specified sites, a non-valid address is returned.

Finally in today’s report we will be talking about two hacking tools. The first is Ip-Harvester, which is based on Messenger Service, a feature of Windows XP and 2000. Ip-Harvester sends advertising messages out to computers connected to the Internet. These messages appear as pop-ups, which because no IP is shown, are of unknown origin.

The second hacking tool in today’s report is Redhand. It logs the names of the programs used, along with the time they were executed. It also logs keystrokes and can monitor use of the computer by different users.

Don't miss