Weekly Report on Viruses and Intruders – SdBot.FME Worm, Naiva.A macro Trojan, IRCBot.NT Trojan and Mirkov tool
SdBot.FME is a worm that spreads by exploiting the following four security flaws that appear here with the number of the Microsoft bulletin that describes them: execution of remote code in Plug and Play -PnP-(MS05-039); RPC-DCOM (MS04-012); LSASS (MS04-011); and a vulnerability in WorKStation Service (MS03-049).
SdBot.FME contains a backdoor Trojan that connects to several IRC servers, through which it can receive different commands including: download and run files via HTTP, register and delete services, set the level of the security policies or carry out denial of service attacks.
The second threat in this week’s report is Naiva.A which, like all Trojans, cannot spread using its own means but needs to be distributed manually by third-parties (via email, Internet downloads, file transfers via FTP or other means). This Trojan reaches computers as a Word document informing about the bird flu epidemic.
Naiva.A uses two Word macros. The first calls five kernel functions, which allow it to modify create and delete files. It uses the second macro to install Ranky.FY on the computer, a Trojan that will allow a potential attacker to gain remote control of the affected computer.
To avoid falling victim to Naiva.A, users should ensure that the macro security level is set at medium to receive a warning when they are run or high to stop them from running.
IRCBot.NT is a backdoor Trojan that cannot spread using its own means, although it can receive remote control commands to get into other computer by exploiting the Plug and Play vulnerability.
Once installed on computers, IRCBot.NT carries out several actions including:
– Connecting to two IRC servers to receive remote control commands (IP scanning, Denial of Service attacks and download and run files).
– Creating several files. One of these aims to bypass process oriented firewalls.
– Registering itself as a Windows service.
We are going to finish this week’s report with Mirkov, a hacking tool that allows an attacker to gain remote control over the affected computer through a web browser. It can receive various control commands, such as download files or end process. It can also capture the keystrokes entered by the user, which can be used to collect passwords or other confidential information, compromising user privacy.