Weekly Report on Viruses and Intruders – Sober Worm, Mitglieder.GB, SpyMon

This week saw millions of email messages infected with Sober.AH in circulation. In fact, this threat became one of those most frequently detected by Panda ActiveScan, the free online antivirus solution from Panda Software. The reasons for this enormous proliferation lie, in part, in the use of social engineering to attract users’ attention and trick them into running the infected file. The ‘bait’ used by Sober.AH includes email texts alluding to videos of Paris Hilton and Nicole Richie, and others purporting to be warnings from the FBI or CIA about access to illegal Internet sites.

Sober.AH spreads in email messages with variable characteristics and a ZIP attachment. When users run the file inside the ZIP, the worm infects the computer and displays a fake error message to cover the fact that nothing visible happened. If the recipient’s address ends in one of the domain extensions de (Germany), ch (Switzerland), at (Austria) or li (Liechtenstein), the email is written in German; otherwise the text is in English.

Sober.AH terminates several processes, including those of certain security tools; when it kills a security tool it displays the message “No viruses, Trojans or Spyware found! Status OK” so the user believes a scan ran cleanly. It also creates several files, including SERVICES.EXE, CSRSS.EXE and SMSS.EXE, which are all copies of the worm and borrow the names of genuine Windows system processes. When the last two are running, their processes appear as children of the worm’s SERVICES.EXE, so the tree looks like a legitimate Windows process with legitimate children and does not arouse the suspicion of advanced users checking the process list. Two things give the copies away: the genuine binaries live in %SystemRoot%\System32 rather than wherever the worm drops its files, and a genuine csrss.exe or smss.exe is never a child of services.exe, since Windows starts smss.exe from the System process and csrss.exe from smss.exe.
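The two checks described above (image path and parent process) are easy to automate. The following is an added example, not code from the Panda report or from Panda Software: it runs over a constructed process snapshot of the kind `tasklist` or a WMI query would produce, and every PID, path and drop directory in it is made up for illustration.

```python
"""Flag processes that masquerade as core Windows system processes.

Added example (not from the original report). Input is a list of
process records with the fields name, pid, ppid and path, as a
snapshot tool would provide; the SNAPSHOT below is constructed.
"""

# Names Sober.AH borrows for its copies, per the report, plus the
# directory the genuine binaries are installed in.
SYSTEM_NAMES = {"services.exe", "csrss.exe", "smss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# Windows starts smss.exe from the System process and csrss.exe from
# smss.exe; neither is ever a child of services.exe. A worm that spawns
# its renamed copies from its own fake services.exe produces that tree.
NEVER_CHILD_OF_SERVICES = {"csrss.exe", "smss.exe"}


def image_dir(path):
    """Directory part of a Windows path, lower-cased (works on any host OS)."""
    return path.lower().replace("/", "\\").rpartition("\\")[0]


def find_masquerades(procs):
    """Return a list of (pid, name, reason) for suspicious system-named processes."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        name = p["name"].lower()
        if name not in SYSTEM_NAMES:
            continue
        # Check 1: a system-named image running from outside System32.
        if image_dir(p["path"]) != SYSTEM32_DIR:
            hits.append((p["pid"], name, "image outside System32: " + p["path"]))
        # Check 2: smss.exe/csrss.exe parented by services.exe.
        parent = by_pid.get(p["ppid"])
        if (name in NEVER_CHILD_OF_SERVICES and parent is not None
                and parent["name"].lower() == "services.exe"):
            hits.append((p["pid"], name,
                         "parent is services.exe (pid %d)" % parent["pid"]))
    return hits


# Constructed snapshot: a normal XP-style boot chain followed by three
# worm copies dropped in a made-up directory, with the fake csrss.exe
# and smss.exe hanging off the fake services.exe as the report describes.
SNAPSHOT = [
    {"name": "System",       "pid": 4,    "ppid": 0,    "path": ""},
    {"name": "smss.exe",     "pid": 400,  "ppid": 4,    "path": r"C:\WINDOWS\system32\smss.exe"},
    {"name": "csrss.exe",    "pid": 500,  "ppid": 400,  "path": r"C:\WINDOWS\system32\csrss.exe"},
    {"name": "winlogon.exe", "pid": 520,  "ppid": 400,  "path": r"C:\WINDOWS\system32\winlogon.exe"},
    {"name": "services.exe", "pid": 560,  "ppid": 520,  "path": r"C:\WINDOWS\system32\services.exe"},
    {"name": "explorer.exe", "pid": 1700, "ppid": 1650, "path": r"C:\WINDOWS\explorer.exe"},
    {"name": "services.exe", "pid": 1810, "ppid": 1700, "path": r"C:\WINDOWS\dropdir_example\services.exe"},
    {"name": "csrss.exe",    "pid": 1820, "ppid": 1810, "path": r"C:\WINDOWS\dropdir_example\csrss.exe"},
    {"name": "smss.exe",     "pid": 1830, "ppid": 1810, "path": r"C:\WINDOWS\dropdir_example\smss.exe"},
]


if __name__ == "__main__":
    for pid, name, reason in find_masquerades(SNAPSHOT):
        print("pid %5d %-13s %s" % (pid, name, reason))
```

On a live machine the same two checks map onto `tasklist /v`, `wmic process get name,processid,parentprocessid,executablepath`, or Process Explorer's image-path and parent columns; the genuine entries in the snapshot produce no hits, the three worm copies produce five.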

The next threat we’re looking at today is Mitglieder.GB, a Trojan that began to spread rapidly and overtook Sober.AH in the ranking of the threats most frequently detected by Panda ActiveScan.

Mitglieder.GB has no means of propagation of its own and therefore has to be distributed by other means; the examples received so far arrived in emails with variable characteristics and a ZIP attachment. When the Trojan is run, it opens the default Windows image viewer and displays a Windows logo as a decoy. Once installed, Mitglieder.GB attempts every four hours to download a file by requesting a PHP script hosted on several different web pages. That fixed interval is worth noting: a host that fetches the same script path at four-hour spacing, whichever site it is fetched from, stands out in proxy logs.
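The periodic download behaviour is something a proxy-log query can pick out. What follows is an added example, not code from the Panda report or any Panda product: it groups requests by client and URL path (ignoring the host, since the report says the script is fetched from different pages) and flags groups whose requests are evenly spaced at the given period. The log lines, hosts and script name are constructed for the example.

```python
"""Find clients that fetch the same URL path at a fixed interval.

Added example (not from the original report). Each log line is
"<ISO timestamp> <client IP> <method> <URL>"; the LOG below is
constructed, and the .invalid hosts and /dl/get.php path are made up.
"""
from collections import defaultdict
from datetime import datetime

LOG = """\
2005-11-29T00:03:11 10.0.0.12 GET http://first.invalid/dl/get.php
2005-11-29T04:03:15 10.0.0.12 GET http://second.invalid/dl/get.php
2005-11-29T08:03:09 10.0.0.12 GET http://first.invalid/dl/get.php
2005-11-29T12:03:14 10.0.0.12 GET http://third.invalid/dl/get.php
2005-11-29T00:15:00 10.0.0.13 GET http://www.example.com/index.html
2005-11-29T00:15:03 10.0.0.13 GET http://www.example.com/style.css
2005-11-29T09:40:00 10.0.0.13 GET http://www.example.com/news.html
2005-11-29T09:40:02 10.0.0.13 GET http://www.example.com/style.css
"""


def parse(log_text):
    """Yield (timestamp, client, host, path) for each log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        host, _, path = url.partition("://")[2].partition("/")
        yield datetime.fromisoformat(ts), client, host, "/" + path


def find_beacons(log_text, period=4 * 3600, tolerance=0.10, min_hits=3):
    """Return {(client, path): request_count} for evenly spaced request series.

    A series qualifies when it has at least min_hits requests and every gap
    between consecutive requests is within +/- tolerance of period seconds.
    Grouping by path rather than by host catches a downloader that rotates
    between several sites for the same script.
    """
    series = defaultdict(list)
    for ts, client, _host, path in parse(log_text):
        series[(client, path)].append(ts)

    low, high = period * (1 - tolerance), period * (1 + tolerance)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(low <= g <= high for g in gaps):
            beacons[key] = len(times)
    return beacons


if __name__ == "__main__":
    for (client, path), n in find_beacons(LOG).items():
        print("%s fetched %s %d times at ~4h intervals" % (client, path, n))
```

Against real proxy logs the tolerance needs to absorb scheduling jitter and any retry logic the downloader has, and the minimum hit count should be raised well above three to keep ordinary software updaters from flooding the result; the structure of the check stays the same.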

The second worm in today’s report is Mops.A, which spreads via Yahoo Messenger and AOL Instant Messenger by sending instant messages containing a link. If a user clicks on the link, a self-extracting RAR archive is downloaded containing several files belonging to Mops.A, to Sdbot.FAR and to a toolbar for Internet Explorer, so one click installs a second piece of malware and unwanted browser software alongside the worm itself.

We end today’s report with SpyMon, a ‘potentially unwanted program’ that gives whoever installs it remote control of the computer. It allows a range of actions on the monitored machine, including logging keystrokes, viewing the list of running processes and capturing screenshots.
