Weekly Report on Viruses and Intruders – Ppdropper.A and Sinowal.BS trojans and Spybot.ADW and Netsky.BR worms
Ppdropper.A is a Trojan that exploits an as yet unpatched vulnerability detected in several versions of Microsoft PowerPoint. Successful exploitation lets a remote attacker run code on the computer with the privileges of the logged-on user, so working from a non-administrator account limits what the dropper can do. It is distributed as a specially crafted PowerPoint document, which can reach users in several ways, including email, web downloads and P2P networks. Once it has infected a system, Ppdropper.A opens the door to other threats, such as Bifrose.QN, a backdoor Trojan that lets the computer be controlled remotely. Since no patch is available for the vulnerability this Trojan exploits, users should be cautious when opening PowerPoint documents, regardless of their source.
Sinowal.BS is a Trojan that creates a series of files on the system and injects itself into the explorer.exe process in order to collect user information, including email passwords for the Ak-Mail, Eudora and The Bat applications, as well as those stored in Protected Storage. It also gathers the FTP server settings configured in FlashFXP and the Favorites stored in Internet Explorer and Firefox, among other data. The collected information is sent to a website together with the computer's IP address and its open ports. It also monitors the data users submit while using the Internet. Sinowal.BS cannot propagate by itself and therefore needs user interaction in order to infect a computer.
Spybot.ADW is a worm with backdoor characteristics that connects to IRC servers, allowing an attacker to obtain information about the compromised system, including its IP address, and to install an FTP server on it. The worm cannot propagate automatically by itself and needs user interaction in order to infect a computer. However, an attacker can instruct it to mail itself to addresses harvested from the Outlook address book. These emails carry the subject "Critical Update" and pass the attached file off as a Microsoft patch for a security problem in order to persuade recipients to run it. Microsoft does not distribute patches as email attachments, so any such message should be treated as malicious.
Netsky.BR is a new worm from this notorious family that spreads via email using addresses taken from the infected computer; apart from this, it has no other detrimental effects. The emails it sends carry an attachment that appears to be a harmless text document, complete with the corresponding icon, but is actually an executable file with a double extension (for example a name ending in .txt.exe). Because Windows hides known file extensions by default, only the decoy extension may be visible to the recipient. When the attachment is opened, Netsky.BR copies itself to the system under the name Jammer2nd.exe and drops other files in MIME format.
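The two mail-borne lures described above, the "Critical Update" patch pretext used by Spybot.ADW and the double-extension attachment used by Netsky.BR, can be caught by simple attachment and subject heuristics at the mail gateway. The following is an added example, not code from the report or from any vendor; the extension lists, lure phrases, rule names and sample messages are assumptions constructed for illustration and are not captured samples of either worm.

```python
"""Heuristics for two mail-borne lures: an executable disguised with a
double extension (Netsky.BR style) and a 'Critical Update' patch pretext
carrying an executable attachment (Spybot.ADW style).  Added example."""
from __future__ import annotations

from dataclasses import dataclass

# Extensions Windows runs directly on double-click (illustrative subset, assumed).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Document/image extensions used as the decoy half of a double extension (assumed list).
DECOY_EXTS = {"txt", "doc", "rtf", "pdf", "jpg", "gif", "htm", "html", "zip"}
# Subject phrases suggesting a bogus patch notification ("critical update" is from the report; the rest assumed).
PATCH_LURE_PHRASES = ("critical update", "security update", "security patch", "hotfix")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def extension_chain(filename: str) -> list[str]:
    """Lower-cased extension chain: 'notes.txt.exe' -> ['txt', 'exe'], 'agenda' -> []."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(filename: str) -> list[Finding]:
    """Flag attachments whose real (last) extension is executable, and those hiding it behind a decoy."""
    findings: list[Finding] = []
    exts = extension_chain(filename)
    if not exts:
        return findings
    real = exts[-1]
    if real in EXECUTABLE_EXTS:
        findings.append(Finding("executable-attachment", f"{filename!r} is a .{real} file"))
        # 'notes.txt.exe': Windows hides the known .exe extension by default,
        # so the recipient sees 'notes.txt' with a text-document icon.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            findings.append(Finding("double-extension",
                                    f"{filename!r} presents .{exts[-2]} but runs as .{real}"))
    return findings


def check_message(subject: str, attachments: list[str]) -> list[Finding]:
    """Combine the attachment checks with the patch-pretext subject lure."""
    findings: list[Finding] = []
    for name in attachments:
        findings.extend(check_attachment(name))
    has_executable = any(f.rule == "executable-attachment" for f in findings)
    lowered = subject.lower()
    # Microsoft does not distribute patches as e-mail attachments, so a patch-themed
    # subject on a message carrying an executable is a strong signal on its own.
    if has_executable and any(p in lowered for p in PATCH_LURE_PHRASES):
        findings.append(Finding("patch-lure", f"subject {subject!r} with executable attachment"))
    return findings


# Constructed sample messages (subject, attachment names); not real worm samples.
SAMPLE_MESSAGES = [
    ("Critical Update", ["critical-update.exe"]),   # Spybot.ADW-style pretext
    ("Re: your document", ["notes.txt.exe"]),       # Netsky.BR-style double extension
    ("Meeting agenda", ["agenda.txt"]),             # benign
]


def scan_samples() -> dict[str, list[str]]:
    """Map each sample subject to the rule names it triggers."""
    return {subject: [f.rule for f in check_message(subject, atts)]
            for subject, atts in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, rules in scan_samples().items():
        print(f"{subject!r}: {rules or 'clean'}")
```

The double-extension rule only fires when the final extension is executable and the one before it is a plausible document type, which keeps legitimate names such as backup.tar.gz out of the alert stream; the patch-lure rule deliberately requires an executable attachment so that genuine patch announcements without attachments are not flagged.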