Weekly Report on Viruses and Intruders – Oscarbot.KD worm and the Nabload.JC and Banker.EEA Trojans
Oscarbot.KD is the first malicious code to infect systems by exploiting the Microsoft MS06-040 vulnerability. According to information from PandaLabs, Oscarbot.KD scans for computers with this vulnerability. If it finds one, it causes a buffer overflow on the system and executes the code needed to download a copy of itself onto the computer as a file named wgareg.exe. Oscarbot.KD can also spread through the AOL instant messenger service and across shared drives.
When the worm is installed on a computer, it opens port 18067 and connects to certain IRC servers. This could allow a remote attacker to communicate with Oscarbot.KD to download and run all types of software on the compromised computer or launch attacks on other computers, among many other actions.
Oscarbot.KD also edits a series of Windows registry keys to disable the firewall included in certain versions of the operating system.
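A host-side check for the Oscarbot.KD indicators described above, as an added example that is not part of the report: it scans constructed sample telemetry lines for the wgareg.exe dropped file, the port 18067 listener and a registry change that disables the Windows Firewall, and requires more than one indicator before naming the worm. The report does not name the registry keys the worm edits; the XP SP2 firewall policy value used below is an assumption.

```python
# Indicators taken from the report: dropped file name and backdoor port.
DROPPED_FILE = "wgareg.exe"
BACKDOOR_PORT = 18067
# Assumption: the report only says the worm edits registry keys to disable
# the Windows Firewall; this XP SP2 firewall policy value stands in for them.
FIREWALL_VALUE = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\EnableFirewall")

# Constructed sample telemetry (not from the report): "type|subject|detail".
SAMPLE_LOG = r"""process|C:\WINDOWS\system32\wgareg.exe|parent=services.exe
listen|0.0.0.0:18067|pid=1432
regset|HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall|0
process|C:\Program Files\AIM\aim.exe|parent=explorer.exe
listen|0.0.0.0:445|pid=4
"""


def scan(log_text):
    """Return (severity, reason, line) for every line matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, subject, detail = line.split("|", 2)
        if kind == "process" and subject.lower().endswith("\\" + DROPPED_FILE):
            findings.append(("high", "dropped file executed", line))
        elif kind == "listen" and int(subject.rsplit(":", 1)[1]) == BACKDOOR_PORT:
            findings.append(("high", "backdoor port listening", line))
        elif (kind == "regset" and subject.upper().endswith(FIREWALL_VALUE.upper())
              and detail.strip() == "0"):
            findings.append(("medium", "Windows Firewall disabled via registry", line))
    return findings


def classify(findings):
    """Name the worm only when the dropped file co-occurs with another indicator;
    a lone firewall change or open port may be an administrator's action."""
    reasons = {reason for _, reason, _ in findings}
    if "dropped file executed" in reasons and len(reasons) >= 2:
        return "likely Oscarbot.KD"
    if findings:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for severity, reason, line in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {line}")
    print(classify(scan(SAMPLE_LOG)))
```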
Nabload.JC, like many Trojans, cannot spread automatically by its own means and therefore needs an attacker to distribute it. It can be distributed in various ways, including on floppy disks or CDs, or as an email attachment. Nabload.JC is designed to download the malicious code described next: Banker.EEA.
Banker.EEA is a Trojan that modifies the authentication page of the website of Postbank, a German bank, as it is displayed in users’ browsers. In addition to the username and PIN the page normally requests, the modified page also asks for the TAN (Transaction Authorization Number). Once it has this information, the Trojan sends it to a server where malicious users can retrieve it and use it for criminal purposes.
Bear in mind that although Banker.EEA is aimed specifically at Postbank customers, it also monitors and collects information entered in forms on other sites, such as other banks or web mail services.