Weekly Report on Viruses and Intruders – Banker.AXW and Format.A Trojans, Sober.Y email worm

Format.A is a Trojan that passes itself off as a tool for running unsigned code on the PSP (PlayStation Portable) console. When it is run, however, it deletes files that the console needs in order to work, and as a result the console can no longer start up. To spread, Format.A describes itself as an application that uses an exploit to downgrade the console's BIOS version so that pirated games can be run.
Banker.AXW is a Trojan that monitors windows whose title bars contain certain text strings, mostly related to banks, and logs the keystrokes entered in those windows in order to capture passwords and other sensitive data. It sends the information it has gathered through several PHP scripts. As with most Trojans, Banker.AXW cannot spread on its own: an attacker has to deliver it to the affected computer, by means including floppy disks, CD-ROMs, email messages with attached files and Internet downloads.

Finally, Sober.Y is a new variant of this family of worms, which, like its predecessors, can spread rapidly via email. Just a few hours after it first appeared, PandaLabs began to detect cases on users' computers around the world. To prevent Sober.Y from continuing to spread, in particular to those computers without adequate anti-malware protection, Panda Software has made the free PQRemove application available to users to detect and remove this worm from any computer it may have affected.

Sober.Y uses two types of mail to propagate: firstly, an email in English with the subject “Your new password”, which tries to make users think it is notification of a change of password, asking them to check the data in an attached file, pword_change.zip. Secondly, an email written in German claiming to contain a photograph of old school friends in the file KlassenFoto.zip. Both compressed files contain the executable PW_Klass.Pic.packed-bitmap.exe, which is a copy of the worm itself.

If the file is run, a fake CRC error is displayed, although the worm is already running by then. The worm collects email addresses from files with certain extensions on the compromised computer and sends itself to them, in the emails described above, using its own SMTP engine. It uses the German version of the email only for addresses ending in .de (Germany), .ch (Switzerland), .at (Austria) or .li (Liechtenstein).
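The indicators in the two paragraphs above (the lure subject, the two ZIP attachment names, the executable inside them, and the recipient-TLD rule) are enough to write a simple mail-gateway check. The following is an added example written for this page, not code from Panda Software or from the report; the sample message it scans is constructed inline with a harmless placeholder file standing in for the worm. The double-extension check goes beyond the report's specific indicators, since "PW_Klass.Pic.packed-bitmap.exe" is just one instance of that disguise; the function and variable names are the author's own.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Indicators taken from the report; names are lower-cased for comparison.
SOBER_Y_SUBJECTS = {"your new password"}
SOBER_Y_ATTACHMENTS = {"pword_change.zip", "klassenfoto.zip"}
SOBER_Y_PAYLOAD = "pw_klass.pic.packed-bitmap.exe"
GERMAN_TLDS = {"de", "ch", "at", "li"}


def uses_german_template(address):
    """Mirror the worm's rule: the German mail goes only to .de/.ch/.at/.li addresses."""
    tld = address.rsplit(".", 1)[-1].lower()
    return tld in GERMAN_TLDS


def zip_member_names(data):
    """List the file names inside a ZIP held in memory; a non-ZIP yields no names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Return a list of human-readable hits for a raw RFC 822 message (empty if clean)."""
    msg = email.message_from_bytes(raw)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SOBER_Y_SUBJECTS:
        hits.append("subject matches Sober.Y lure: %r" % msg["Subject"])
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # container parts and the body have no file name
        lowered = name.lower()
        if lowered in SOBER_Y_ATTACHMENTS:
            hits.append("attachment name matches Sober.Y: %s" % name)
        if lowered.endswith(".zip"):
            for member in zip_member_names(part.get_payload(decode=True) or b""):
                m = member.lower()
                if m == SOBER_Y_PAYLOAD:
                    hits.append("zip contains Sober.Y executable: %s" % member)
                elif m.endswith(".exe") and m.count(".") > 1:
                    # Generalisation: any .exe hiding behind an inner extension.
                    hits.append("zip contains double-extension executable: %s" % member)
    return hits


def build_sample(subject, zip_name, member_name):
    """Constructed sample message for testing; the ZIP holds a placeholder, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder file, not malware")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.de"
    msg["Subject"] = subject
    msg.set_content("Please check the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Your new password", "pword_change.zip",
                        "PW_Klass.Pic.packed-bitmap.exe")
    for hit in scan_message(lure):
        print(hit)
```

Matching is deliberately exact on the reported names; a production filter would add hashes of the payload and a broader double-extension rule, but the three hits this produces on the English lure (subject, attachment name, inner executable) show how little of the message needs to be parsed to stop this variant at the gateway.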
