A sophisticated Trojan-worm hybrid threatens users’ privacy and their bank accounts, reports Panda Software

PandaLabs has reported the appearance of a new kind of hybrid malware species, with both worm and Trojan features, which could be used to steal confidential information of any kind, such as banking information, personal details or other type of information entered in Web registration forms.

This Eyeveg.D is a sophisticated hybrid with two sides to it: it carries out Trojan actions against the infected computer, and acts as a worm to spread. This type of hybrid of two malware species is becoming more and more habitual, as malware creators look for increased capacities and versatility in their creations.

Eyeveg.D installs on the system through a DLL file and an EXE executable file, with a random name (which makes identification and disinfection more difficult), and modifies keys in the Windows Registry to ensure it is run on every system startup. Once run, Eyeveg.D carries out actions in order not to have its process displayed in the Task List in order to go unnoticed by users. However, this only works on Windows 9x (95, 98 and Millennium) systems.

Eyeveg.D’s Trojan actions start by loading the DLL file as a “plugin’ (or additional component) of the browser, by taking advantage of one of its features. This allows the malware to capture events and actions carried out on the computer, as well as user session properties. In this way, it manages to log in a file every user attempt to send information to remote servers through secure servers, as found in banking web pages. This is just another example of phishing, through which Eyeveg.D can gather data such as bank account numbers, passwords, or credit card numbers. This functionality has been confirmed by PandaLabs, which means that attacks to users’ accounts could have already started. Similarly, it logs the keystrokes entered by the affected user in the infected computer, compromising their privacy as it steals all sorts of confidential information, from personal emails, to bank account information sent to online banking entities.

It also has backdoor features, as it can open a channel to receive commands from a remote user silently, which gives Eyeveg.D great functionality. This malicious code tries to connect to a certain URL, disabling the Windows XP firewall if necessary. Once the connection is established, the affected computer is ready to receive commands, or even files that could correspond to another malware species.

As a worm, the malware has its own mail sending engine, which allows it look for email addresses in a series of computer files listed in its code and send itself out as a compressed attachment to all of them. Messages sent by Eyeveg.D have the name of the attached file as subject and seem to have been sent by the affected user themselves.

People that use Panda Software’s TruPreventTM Technology proactive protection have been protected at all times, as these technologies can neutralize this threat without having to know it. These technologies have been available in Panda’s products from the 2005 versions, and you can even combine them with antivirus programs from other vendors, through TruPrevent Personal 2005.

To prevent infection from Eyeveg.D or other malicious code, Panda Software advises all users to keep their antivirus software up-to-date. Panda Software has already made the corresponding updates to detect and eliminate this malware specimen available to clients.

In order to help as many users as possible scan and disinfect their computers, Panda Software offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com. ActiveScan is also available to webmasters that want to include it on their websites. Those who would like to include it on their sites can request the HTML code from http://www.pandasoftware.com/partners/webmasters/

Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software’s website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

For further information about the malicious code mentioned above, visit Panda Software’s Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/.

About PandaLabs

On receiving a possibly infected file, Panda Software’s technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.

For more information: http://www.pandasoftware.com/virus_info/