This week Tearec.A hit computers around the world and became the malware most frequently detected by Panda ActiveScan, the free online scanner.
Tearec.A is a worm that spreads across computer networks and via email. The subject, body text and attachment name of the emails it sends are chosen at random from a long list of options, but all of the messages share one feature: erotic references intended to trick recipients into opening the attachment. If the user runs the attached file, the worm uses its own SMTP engine to mail itself out. It also takes a series of actions on the affected computer, including:
– If it detects that any one of several antivirus programs specified in its code are installed on the computer, it terminates and disables them, displaying the text “Update Please wait” in the taskbar. If it does not detect any antivirus program installed, it opens a compressed file called SAMPLE.ZIP, which is empty.
– It tries to delete files belonging to several antivirus programs, P2P file-sharing programs and other Internet applications, preventing them from working.
– To harvest passwords, it monitors network traffic on certain connections related to antivirus programs and mail services.
The second worm we’re looking at today is Mytob.MM, which spreads via email in a message with a .ZIP attachment.
Once installed on a computer, Mytob.MM connects to an IRC server to receive remote-control orders to carry out on the affected computer. It also terminates processes belonging to certain security tools, such as antivirus products and firewalls, and prevents users from accessing certain web pages, in particular those belonging to antivirus companies. Similarly, Mytob.MM terminates processes belonging to other malware.
We end today’s report with the Banbra.BQT Trojan, which cannot spread by itself and relies on a third party to distribute it (by email, Internet downloads, FTP file transfers or other means). Once installed on a computer, it monitors the user’s web browsing to see whether certain banking pages are accessed, steals the passwords entered there, and sends the stolen data to an email address.
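All three families in this report leave a network footprint that a workstation does not normally produce: Tearec.A mails itself out with its own SMTP engine, Mytob.MM calls back to an IRC server for orders, and Banbra.BQT emails stolen banking passwords. The script below is an added example, not code from the Panda report, that flags those patterns in firewall logs. The log format, the internal address ranges, the single sanctioned mail relay at 10.0.0.5, the port lists and the "five distinct SMTP destinations" threshold are all assumptions made for the demonstration, and the log lines are constructed.

```python
"""Flag workstations whose outbound connections resemble a mass-mailing worm,
an IRC-controlled bot, or a Trojan exfiltrating data by email.
Added example; nothing here comes from the Panda report."""
import ipaddress
from collections import defaultdict

# Assumed environment: RFC 1918 space is "inside", and exactly one host is
# allowed to speak SMTP to the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_RELAYS = {"10.0.0.5"}
SMTP_PORTS = {25, 465, 587}           # assumed: mail ports a workstation should never use directly
IRC_PORTS = {6667, 6668, 6669, 7000}  # assumed: common IRC ports used for bot command and control
MASS_MAIL_DISTINCT_DESTS = 5          # assumed threshold for "own SMTP engine" behaviour

# Constructed log lines in an assumed "<time> <src> <dst> <dport> <action>" format.
# 10.0.0.15 sprays SMTP at many hosts, 10.0.0.21 joins an IRC server,
# 10.0.0.30 behaves normally, 10.0.0.42 sends one direct external mail.
SAMPLE_LOG = """\
2006-01-09T10:00:01 10.0.0.15 203.0.113.10 25 ALLOW
2006-01-09T10:00:02 10.0.0.15 203.0.113.11 25 ALLOW
2006-01-09T10:00:02 10.0.0.15 198.51.100.7 25 ALLOW
2006-01-09T10:00:03 10.0.0.15 198.51.100.9 25 ALLOW
2006-01-09T10:00:04 10.0.0.15 192.0.2.2 25 ALLOW
2006-01-09T10:00:05 10.0.0.15 192.0.2.3 25 DENY
2006-01-09T10:00:07 10.0.0.21 198.51.100.44 6667 ALLOW
2006-01-09T10:00:08 10.0.0.30 10.0.0.5 25 ALLOW
2006-01-09T10:00:09 10.0.0.30 203.0.113.80 80 ALLOW
2006-01-09T10:00:10 10.0.0.5 203.0.113.10 25 ALLOW
2006-01-09T10:00:11 10.0.0.42 192.0.2.25 25 ALLOW
"""


def is_internal(ip):
    """True for addresses inside the assumed internal ranges (not Python's
    is_private, which also treats documentation ranges as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line of the assumed five-field format."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def analyse(log_text):
    """Return {host: sorted finding tags} for hosts with suspicious egress.
    Denied connections still count: the attempt is the evidence."""
    smtp_dests = defaultdict(set)
    irc_dests = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ev = parse_line(raw)
        src, dst, port = ev["src"], ev["dst"], ev["dport"]
        if src in MAIL_RELAYS:
            continue  # the relay is supposed to talk SMTP to the world
        if port in SMTP_PORTS and dst not in MAIL_RELAYS:
            smtp_dests[src].add(dst)  # mail that bypasses the sanctioned relay
        if port in IRC_PORTS:
            irc_dests[src].add(dst)

    findings = defaultdict(set)
    for host, dests in smtp_dests.items():
        external = {d for d in dests if not is_internal(d)}
        if external:
            # one direct external mail is enough to resemble Banbra-style exfiltration
            findings[host].add("direct-external-smtp")
        if len(external) >= MASS_MAIL_DISTINCT_DESTS:
            # many distinct mail servers from one workstation: own SMTP engine (Tearec-style)
            findings[host].add("mass-mailer")
    for host in irc_dests:
        findings[host].add("irc-c2")  # workstation talking to an IRC server (Mytob-style)
    return {h: sorted(tags) for h, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in sorted(analyse(SAMPLE_LOG).items()):
        print(host, ", ".join(tags))
```

The relay-bypass rule does the real work: on a network where only 10.0.0.5 may reach port 25 on the Internet, any other host doing so is either misconfigured or infected, and counting distinct destinations separates a worm spraying dozens of mail exchangers from a Trojan posting one message to its drop address. Blocked attempts are kept on purpose; an egress filter that stops the mail still leaves the infected host on the network.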