Weekly Report on Viruses and Intruders – ASPLux.A and Dengis.A viruses, Snifsteal.A triojan and Prokeylogger
This week’s PandaLabs report on viruses and intruders focuses on several, very different, codes. These include the ASPLux.A and Dengis.A viruses; the Snifsteal.A Trojan and the potentially unwanted program Prokeylogger.
ASPLux.A is a virus without a destructive payload. Its main objective is to spread by inserting its code in ASPX files, used on many web pages. In order to infect, it searches for ASPX files hosting the web page created by the user and adds its own code. Because of this, some ASPX files become unusable. Infected files are marked “” in order to prevent them from being reinfected.
In order to spread, it infects other files, inserting its code in ASPX files that it finds in a certain directory on the affected computer. The usual infection channels are used in order to enter computers: floppy disks, CDs, email messages with attachments, Internet download, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
The other virus in this week’s report is Dengis.A, which also has no destructive payload. It infects source files in the “Matlab’ numerical computation program. To do this, it creates a COM object using the “actxserver’ function. This object allows code not present in the virus to be executed. Dengis.A has pseudo-polymorphic encryption, which uses an XOR operation and a key that varies with each infection.
Snifsteal.A is a Trojan, and consists of a modified version of the Mozilla extension called NumberedLinks 0.9, which is a component of Mozilla used to follow the links included in websites through the keypad instead of the mouse.
This Trojan obtains information entered by users in forms (through Firefox), such as passwords for the ICQ instant messaging program, the FTP server and IMAP and POP3 mail clients. This data is then sent to the creator of the code. It connects to: http://81.9-blocked-6.133/sutra/in.cgi4_, to check if it has already been downloaded.
Finally, today’s report looks at Prokeylogger, a PUP or Potentially Unwanted Program. Its functions include logging keystrokes entered by the user, obtaining passwords and capturing screenshots. It can also monitor remote desktops and webcams, the clipboard, email messages, chats and instant messages. The information it gathers is stored in a log file, which is sent out via email or FTP in RTF or HTML format.