Weekly Report on Viruses and Intruders – Spamta worms, Bck/WebMic.A and Trj/Rizalof.KD
This week’s report from Panda Software once again looks at the numerous variants of Spamta that continue to appear. In addition, PandaLabs reports on other malicious codes including Bck/WebMic.A and Trj/Rizalof.KD.
The creators of Spamta seemingly don’t let up. According to PandaLabs, new variants of this worm are appearing at a rate of about 10 a day. The variants are similar to each other, with the only difference being the message used as bait and in some cases, the message displayed when the worms are run.
According to Luis Corrons, Director of PandaLabs, “this could be a kind of trial, an attempt to find a malicious code able to spread rapidly across as many computers as possible”. Once it has spread, according to Corrons, “the creators could include a new function to make it much more dangerous.”
Next in this week’s report comes the Bck/WebMic.A backdoor Trojan. This malware from Germany opens two ports on infected computers and tries to connect to a server through port 1338. One of the most notable features is its ability to record audio and video on the infected computer, using the internal sound system and the web cam (if installed on the system). In order to do this, it waits for commands from the server it connects to.
In order to go unnoticed, WebMic.A disables the update mechanism of the Avira antivirus, modifying the hosts file on the computer, and disguising its registry entries as “Windows XP Manager”. Its behavior means it can be detected proactively by Panda Software’s TruPreventâ„? Technologies.
Finally, PandaLabs has reported the appearance of the Trj/Rizalof.KD Trojan. This malicious code has an IRC client that it uses to connect to a server from which it receives orders to take a series of basic actions, such as downloading and running a file from a URL.
Some versions of the Trojan, the text strings in the executable file are encrypted with a simple algorithm in order to impede detection. However, Panda Software’s TruPreventâ„? Technologies can detect this code as malicious without having previously identified it.