Weekly Report on Viruses and Intruders – Goldun.KR, Downloader.KCC, Downloader.KBR Trojans and the Eliles.A worm
Goldun.KR is a Trojan that monitors Internet traffic generated when the user accesses web pages related with several online banks. In this way, it steals the user names and passwords for these services and sends them to its creator.
This Trojan reaches computers inside a double extension file called ASSET.TXT.EXE. It tries to trick users into thinking that it is really a text file, as if the option to hide extensions of known file types is enabled, users will only see ASSET.TXT. If run, it opens Windows notepad.
The Downloader,KBR and Downloader.KCC Trojans are sent in files attached to spam messages which simulate receipts of purchases made by the user or chargebacks to credit cards.
If the user runs the message attached to any of the two above messages, the Trojan will be installed on the computer. Downloader.KCC and Downloader.KBR carry out similar actions and download the Spyforms.A Trojan to the system, which is designed to steal data from infected computers, such as the IP address or the Internet access password.
Finally, Eliles.A is a worm that tries to send messages to Movistar and Vodafone cell phones. These messages include a link to download a malicious file to the phone. Eliles.A has been programmed in Visual Basic Script and reaches computers in email messages with the Spanish subject Curriculum Vitae para posible vacante and the following text body (also in Spanish): Adjunto Currilum Vitae, por estar interesado en alg??n puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin m??s, reciba un cordial Saludo.
If the target user runs the attached file, the worm copies itself to the computer under the name C.Vitae.zip, and sends itself out to all the email addresses it finds on the system. It also disables some antivirus programs that could be installed on the computer and inserts entries in the Windows Registry to ensure it is run on every system start-up.
Finally, the worm tries to send messages to cell phones from the Vodafone and Movistar companies with a link to download a malicious file called Antivirus.sis, and which could affect cell phones running the Symbian operating system.