Weekly Report on Viruses and Intruders – Sdbot.FHG Worm, Multidropper.AYC, Tahen.A and Tahen.B Trojans

This week’s report from Panda Software looks at one worm, Sdbot.FHG, three Trojans, Multidropper.AYC, Tahen.A and Tahen.B, and the vulnerabilities covered in Microsoft bulletins MS05-044 to MS05-052.

Sdbot.FHG is a worm from the prolific and notorious Sdbot family which acts as a backdoor, connecting to several IRC servers in order to receive remote control commands. It can be instructed to download and run files, start Windows services, etc. Sdbot.FHG exploits the LSASS, RPC DCOM, Workstation Service and Plug and Play vulnerabilities to spread across the Internet and it is therefore highly advisable that users keep their systems up-to-date as well as having a reliable antivirus solution installed to keep threats at bay.

Multidropper.AYC is a Trojan that acts as an entry point onto the computer for other malware in the same way as other members of this family. This variant installs the Siboco.A downloader Trojan and the spyware Omi, which carry out a series of actions on the computer, including the appearance of numerous pop-ups, the creation of a download file, connections to remote websites, and even terminating the EXPLORER.EXE process.

Tahen.A and Tahen.B are in a similar vein to the PSP.Format.A Trojan that affects videogame consoles. Unlike the latter, which was aimed at PlayStation Portable (PSP), these affect NintendoDS. Simulating homebrew applications for this console, once installed they overwrite certain areas of the firmware (software embedded in certain hardware) preventing the console from being started after it has been switched off. Tahen often reaches these devices in a file called R0MLOADER.NDS (in the case of Tahen.A), TAIHEN.ZIP or TAIHEN.NDS (in the case of Tahen.B), and affects Nintendo DS, G6, XGFlash, SuperFlash and GBAMP devices. Tahen.B is easily recognized as it displays an on-screen message in a hentai presentation. Tahen.A however displays no clear symptoms of infection.

Finally in today’s report we look at vulnerabilities dealt with in Microsoft security bulletins. Of these, the vulnerabilities considered critical are:

+ MS05-050 is a critical vulnerability affecting versions 7.0, 8.0, 8.1, 8.2 and 9.0 of DirectX, allowing arbitrary code to be run on vulnerable systems.
+ MS05-051 is a group of vulnerabilities in three Windows services, MSDTC (Microsoft Distributed Transaction Coordinator), COM+, and TIP (Transaction Internet Protocol)
+ MS05-052 is a cumulative patch for Internet Explorer, versions 5.0, 5.5 and 6, to prevent COM objects, on being instantiated as ActiveX controls, from altering system memory and allowing arbitrary code to be run.

There are also another four remote code execution vulnerabilities, considered important, affecting Microsoft Collaboration Data Objects, Windows Shell, Client Services for NetWare, and Plug and Play, in the latter case, this could lead to local privilege escalation. These threats are dealt with in bulletins MS05-48, MS05-49, MS05-46 and MS05-47, respectively. Finally, there are two vulnerabilities classified as moderate, dealt with in bulletins MS05-044 and MS05-045, and which affect the FTP client, which could affect the service, and the Network Connection Manager, which could lead to denial of service. More details on all of these are available on Panda Software’s website.

Don't miss