Weekly Report on Viruses and Intruders – Saros.C worm and ComWar.M hostile mobile code

This week’s report from Panda Software on the malicious code that has attracted most attention during the week focuses on three radically different examples of malware. One is a Trojan and the other two are worms, although with markedly different characteristics.

The first of these is the Saros.C worm, which, like others of its kind, causes security programs installed on systems to stop. This technique, by preventing antiviruses, firewalls and other security programs from operating, allows the malicious code to carry out its actions. It also prevents users from connecting to web pages (including those of antivirus companies).

In order to spread, Saros.C uses the now classic system of sending itself out by email; as well as using P2P file-sharing programs and the mIRC chat program. It can also spread across computer networks, which represents an additional risk for companies without protection in workstations and for the ever-increasing number of home networks.

The second malicious code in today’s report, another worm, is called ComWar.M. This code is designed to spread via cell phones, although only those using the Symbian 60 series operating system.

To spread from phone to phone, ComWar.M uses MMS messages. Unlike the SMS system (which only uses text), MMS can be used to transmit multimedia files, such as images, text messages, videos, etc. In this case, this feature is exploited to attach and resend the infected file. Another system used by ComWar.M is transmission via Bluetooth, taking advantage of the direct connection between two phones.

Propagation of ComWar.M is very limited, as in order to receive the infected messages, users have to voluntarily accept them. This security measure is implemented in Symbian 60 series to prevent the spread of possible malicious code and therefore the classic precaution for PCs of not opening files from unknown or unreliable sources is particularly relevant for cell phones.

Finally, today’s report looks at the Banking.G Trojan, which opens and listens on a random communication port. It also logs user keystrokes. The potential consequences of these actions are extremely serious, as Banking.G could enable the details that the victim uses to access online banking services to fall into the hands of hackers. All passwords (and other information, such as email addresses, IP addresses, etc) collected are sent to different servers for the hackers to collect.

This malware is yet another example of the danger inherent in the new types of malware, which are directly related to the world of cyber-crime. Hackers are no longer content with intruding on computers or deleting information, but are now engrossed in illicit use of IT resources.

Don't miss