Weekly Report on Viruses and Intruders – Application/WeatherBug, AKeyLogger, ActiKeyLogger and SvrAny.A, and two worms Mytob.KN and Sdbot.FJA

This week’s report looks at four hacking tools (Application/WeatherBug, AKeyLogger, ActiKeyLogger and SvrAny.A) and two worms (Mytob.KN and Sdbot.FJA).

Application/WeatherBug is a program that shows, in the system tray, the weather and temperature for a chosen location along with the weather forecast for the next few days and adverts. Application/WeatherBug installs a toolbar (detected as Application/Myway), adds entries to the Windows registry and creates several files.

AKeyLogger and ActiKeyLogger are two applications that take a series of actions on infected computers including:

– Logging user keystrokes, so they can be used to obtain passwords or other confidential information, which can then be sent out by email.

– They can run in stealth mode so they can’t be seen after installation. If they run visibly, the icon appears in the System Tray.

– They remain resident in memory.

– They can be configured to run every time Windows starts up.

– They create several files in a subfolder of the Program Files directory.

The fourth hacking tool we’re looking at today is SvrAny.A, which can manage services from the command line. Its actions include allowing executables to run as services, and starting, blocking, creating or deleting services.

The first worm in today’s report is Mytob.KN, which spreads in an email message with variable characteristics. Once it is installed, it connects to an IRC server to receive remote control commands.

Mytob.KN terminates processes belonging to several security tools (such as antivirus programs and firewalls), as well as processes belonging to other malware. It also prevents the user of the PC from accessing certain web pages, mainly those of antivirus companies. On computers running Windows XP Service Pack 2, it disables the firewall included with this operating system.

We end today’s report with Sdbot.FJA, a worm that exploits the LSASS, RPC DCOM, Workstation Service and Plug and Play vulnerabilities to spread across the Internet.

Sdbot.FJA connects to several IRC servers to receive remote control commands. It can download and run files, obtain Outlook and Internet Explorer passwords stored in Protected Storage, start and stop Windows services, list and terminate processes, etc.

