Weekly Report on Viruses and Intruders – BodyonLoad, AVKiller.V and Samony.B

BodyOnLoad is a program developed to exploit the JavaScript remote code execution vulnerability in Internet Explorer. Its aim is to download any type of file (with the obvious danger that this entails when such files are malware) hosted on certain websites with adult content. The infection process begins when users visit one of these pages, which redirect to a second page containing BodyOnLoad.

BodyOnLoad has already been used to download and run a copy of a Trojan that Panda Software detects as Downloader.DLE. By exploiting this security problem, the exploit installs KVG.exe, a file belonging to the Trojan, which in turn downloads and runs two other files, all.exe and XPsys.exe. These two are components of Downloader.DLE and are designed to reduce the security level of the browser, act as an entry point for other malware, and install several files belonging to PicsPlace, a program that continually opens pages with adult content.

The second threat we are looking at today is AVKiller.V, which like other Trojans cannot spread by itself and therefore depends on others to distribute it manually (by email, Internet downloads, FTP file transfers, or other means). The actions that this Trojan takes on the computers it infects include:

– Trying to download SERVER.EXE from a website. This file is actually a Trojan detected by Panda Software as Banker.BHD.

– Deleting Windows registry entries corresponding to security programs, to prevent them from running when Windows starts up.

– Deleting all files in the MICROSOFT ANTISPYWARE sub-folder of the “Program files” folder.

– Creating two files: STRT.EXE, a copy of itself; and VM2.DLL, a component of AVKiller.V which installs on the computer and runs every time Internet Explorer starts.

– Generating a Windows registry entry to ensure it runs whenever the system starts up.

Samony.B is a worm with backdoor characteristics that spreads via email in a message with the subject: “Account # 394875948JNO Wed, 28”, and includes a file called “MAIN_23_C.EXE”.

After it installs on a computer, Samony.B takes a series of actions including:

– Listening on Port 321 to receive remote control orders (download, run, copy and delete files, list directories, etc.), which allow the infected computer to be administered remotely.

– Obtaining passwords stored on the computer, for example in Protected Storage, where the Outlook, Internet Explorer, etc. passwords are kept.

– Logging keystrokes.

– Downloading a certain web page in which there is a number. If that number is equal to or greater than 0013, Samony.B will try to update itself by downloading the DOWNLOAD.EXE file from the web page.

– Sending a copy of itself to all contacts in the Windows Address Book and to the addresses it finds in files with HTML extensions.
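The behaviours listed for AVKiller.V and Samony.B give a defender a handful of host and mail indicators to look for: the dropped file names, the backdoor listening on port 321, and the mail subject and attachment name. The following triage script is an added example (not from Panda Software or the report) that checks those indicators against autorun entries, netstat-style output and mail metadata; the sample records it scans are constructed for the example, including the hypothetical "Example AV" autorun entry.

```python
import re

# Indicators quoted from the report above (file names, backdoor port, mail subject).
IOC_FILES = {"kvg.exe", "all.exe", "xpsys.exe", "server.exe",
             "strt.exe", "vm2.dll", "main_23_c.exe"}
IOC_PORT = 321
IOC_SUBJECT = "Account # 394875948JNO Wed, 28"


def triage(autoruns, listeners, mail):
    """Return one finding per matched indicator.
    autoruns:  list of (registry value name, command line) from a Run key
    listeners: netstat -an style lines
    mail:      list of (subject, attachment file name)
    """
    findings = []
    for name, cmd in autoruns:
        # Reduce the command line to the executable's base name, ignoring quotes and arguments.
        exe = cmd.strip('"').split("\\")[-1].split()[0].strip('"').lower()
        if exe in IOC_FILES:
            findings.append(f"autorun {name!r} launches {exe}")
    for line in listeners:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == IOC_PORT:
            findings.append(f"TCP port {IOC_PORT} is listening (Samony.B backdoor port)")
    for subject, attachment in mail:
        if subject == IOC_SUBJECT or attachment.lower() in IOC_FILES:
            findings.append(f"mail {subject!r} carries attachment {attachment}")
    return findings


# Constructed sample data: one benign entry per source plus one matching the report.
SAMPLE_AUTORUNS = [
    ("ExampleAVTray", r'"C:\Program Files\Example AV\avtray.exe" /min'),
    ("strt", r"C:\WINDOWS\system32\STRT.EXE"),
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:321    0.0.0.0:0    LISTENING",
]
SAMPLE_MAIL = [
    ("Weekly status", "report.pdf"),
    ("Account # 394875948JNO Wed, 28", "MAIN_23_C.EXE"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUNS, SAMPLE_NETSTAT, SAMPLE_MAIL):
        print(finding)
```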
