Weekly Report on Viruses and Intruders – Nabload.U, Banker.BSX and AKStealer.A

This week Nabload.U and Banker.BSX have caused thousands of incidents in computers around the world and have become the malware specimens most frequently detected by the free Panda ActiveScan online antivirus solution.

Nabload.U and Banker.BSX are too closely linked Trojans that combine to attack users computers. The attack starts when a message is received through MSN Messenger which seems to come from one of the contacts stored in this application and invite the user to visit a certain web page. When users go to this web page, Nabload.U is downloaded onto the system along with Banker.BSX, which takes a series of actions on the computer it infects, including:

– Sending MSN Messenger messages with a link from which Nabload.U is downloaded.

– Opening port 1106 and going memory resident.

– Checking if users access certain web pages related to Spanish-language online banking institutions. If they access one of these, information they enter on the site is captured (such as passwords) and is then sent out to an email address.

The third Trojan we’ll look at today is AKStealer.A, which cannot spread by itself, but needs to be distributed manually (by email, Internet download, FTP file transfer, or other means). After it is installed on a computer it carries out several actions including those mentioned below.

– It gets user names and passwords for the following services: Internet Explorer proxies, Outlook, Google accounts (Gmail, Orkut), ebay, Monster.com, Paypal, e-gold, Careerbuilder.com, GMX.net and Passport. It stores the information in the Windows Registry and then sends it to a website via a PHP script.

– It installs a proxy server on the computer it affects and logs the IP address so that the proxy server can be accessed and used later.

– It creates several Windows Registry entries and through some of them will become the default debugger for other common applications such as Internet Explorer, Windows Explorer and Windows multimedia player, etc. In this way, AKStealer.A is activated automatically every time any of these programs is run.

We end today’s report with Metafile, an exploit designed to take advantage of a security problem in the GDI32.DLL library -used by programs such as Windows Picture and Fax viewer-, and affecting Windows: 98, Millennium Edition (ME), 2000, XP and Server 2003, according to Microsoft.

This vulnerability can be exploited by creating a WMF (Windows MetaFile) file, and distributing it by any means, such as hosting it on a website and convincing users to access the website. If the victim uses Internet Explorer, visiting the malicious website could allow arbitrary code to be run. However, if they are using another browser, the user may be warned of the file download.

Until Microsoft has released the patch to resolve this problem it is advisable to avoid using Windows Picture and Fax viewer to open potentially malicious WMA files.

Don't miss