Weekly Report on Viruses and Intruders – BlackAngel.B worm, Trojans Banker.DJH and Xorpix.O, the Detnat.A virus

This week’s PandaLabs report focuses on the BlackAngel.B worm, Trojans Banker.DJH and Xorpix.O, the Detnat.A virus and twelve vulnerabilities reported by Microsoft -MS06-21, MS06-22, MS06-23, MS06-24 MS06-25, MS06-26 MS06-27, MS06-28 MS06-29, MS06-30, MS06-31 and MS06-32-.

BlackAngel.B is a worm that spreads through the instant messaging program MSN Messenger. To do this, it sends a message with the text “jaja look a that” and a link to file called ‘fantasma.zip’, which passes itself off as a Windows Media Player file. The file has a double extension, which is hidden from users if the option to hide the extension of known file types is enabled. When this file is run, the worm ends a series of processes related to antivirus and firewall tools, leaving the computer vulnerable to other attacks. It also disables access to operating system administration tools, such as Control Panel, Registry Editor, Task Manager and System Restore. Finally, BlackAngel.B shuts down the affected computer, resulting in the loss of any information that had not been saved.

Banker.DJH is a Trojan that steals confidential information from affected computers. To do this, it monitors the web pages accessed by users and if it detects that they access web pages of certain banking entities, it collects the data entered. What’s more, it steals information about the email accounts on the computer. In order to hide its actions, this Trojan disables the Windows file protection feature and modifies the files userinit.exe and sfc_os.dll. Banker.DJH cannot spread through its own means, but requires the user to open an infected file received via email, downloaded from a web page, or through instant messaging programs or P2P networks.

Xorpix.O is a Trojan that converts the affected computer into a proxy server. What’s more, it opens a random port to notify the attacker that the computer is available. It cannot spread through it own means, but requires the user to carry out an action in order to spread, such as opening a file attached to an email or running infected files downloaded from the Internet, FTP servers or P2P networks. When it is run, Xorpix.O injects itself into the system process winlogon.exe and creates a process called iexplore.exe to pass itself off as an instance of Internet Explorer. Similarly, it creates a series of entries in the Registry to ensure it is run whenever the operating system starts up.

Detnat.A is a virus that infects PE (Portable executable) files that are not compressed. It uses a packed algorithm so that the infected file maintains its original size and a polymorphic routine to encrypt the data differently in each infection. Detnat.A spreads across the shared network resources to which it gains access. Similarly, it requires user intervention to infect computers, such as opening files attached to email messages or downloaded from the Internet or other means.

This week, Microsoft has published 12 security bulletins about a series of vulnerabilities, of which 8 are classified as critical, detected in different applications and components of its operating system: MS06-21, MS06-22, MS06-23, MS06-24 MS06-25, MS06-26 MS06-27, MS06-28 MS06-29, MS06-30, MS06-31 and MS06-32. The affected programs include Internet Explorer, Windows Media Player and several versions of Microsoft Word and PowerPoint. If these vulnerabilities are exploited successfully, a remote attacker could gain total control of the affected computer. For this reason, it is recommendable to download the security patches that fix these vulnerabilities from Microsoft’s website.

Don't miss