Weekly Report on Viruses and Intruders: the Sinowal.CR and Briz.R Trojans, and the Sohanat.U worm.
Sinowal.CR is designed to collect confidential information from the computers it infects, such as passwords and other data stored in Windows Protected Storage, or credentials saved by email clients including Ak-Mail, Eudora and The Bat.
Sinowal.CR also compiles information about the compromised computer, such as its IP address, computer name, geographical location and open ports. The Trojan then sends the stolen information to certain Internet servers.
As with most Trojans, Sinowal.CR is not able to spread by itself, and therefore needs the intervention of a malicious user. Distribution vectors vary and include floppy disks, infected CD-ROMs, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
Briz.R is a highly dangerous Trojan designed to give cyber-crooks complete remote control of compromised computers, and to redirect users to spoofed web pages designed to steal confidential data. This malicious code stems from the scheme, detected and dismantled by PandaLabs a few months ago, in which customized versions of Briz were created and sold to order.
The Briz.R attack begins with the installation of a file called iexplore.exe, a name chosen to look like Internet Explorer's own executable (the legitimate one lives under Program Files\Internet Explorer, so the path, not the name, is what to check). This file detects whether or not there is an Internet connection. If so, it downloads another file called ieschedule.exe, which stores parameters associated with the Trojan, such as the port used for sending stolen data.
Another component downloaded is ieserver.exe, which sets up a web server on the computer. The aim of this web server is to redirect users to spoofed web pages, designed to steal personal data, whenever they try to visit certain Internet addresses, mostly related to online financial services. If a user enters data on these pages, the Trojan captures the information and sends it to the cyber-crooks. The web server also gives remote control over the computer through phpRemoteView, a remote administration application written in PHP that it installs.
Briz.R also modifies the system hosts file (%SystemRoot%\System32\drivers\etc\hosts on Windows) to block access to numerous security-related web pages, typically by pointing their names at the local machine so that updates and cleanup tools cannot be reached.
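The hosts-file tampering described above is easy to check for offline. The following scanner is an added example, not code from PandaLabs or from the Trojan's authors: it parses a hosts file and flags names pinned to loopback or 0.0.0.0 (the sinkholing used to block security sites). It goes one step beyond the report by also flagging several distinct names mapped to one routable address, the classic way a hosts file is used to redirect banking domains to an attacker-controlled web server; the report does not state that ieserver.exe is reached this way, so that heuristic is an assumption. The sample hosts content and the domain names in it are constructed for illustration.

```python
"""Hosts-file hijack check (added example, not PandaLabs' code)."""
import ipaddress
from collections import defaultdict

# Constructed sample: the normal localhost lines plus entries of the kind
# a hosts-file hijack leaves behind. Domain names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.securityvendor.example      # blocks the vendor site
127.0.0.1 update.securityvendor.example   # blocks signature updates
0.0.0.0   downloads.securityvendor.example
198.51.100.7 www.onlinebank.example       # redirect to attacker server
198.51.100.7 login.onlinebank.example
"""

# Names that legitimately resolve to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower()


def find_hijacks(text, min_shared=2):
    """Return a list of (address, hostname, reason) for suspicious entries.

    Heuristic 1: a non-local hostname pinned to loopback/0.0.0.0/:: (sinkholing).
    Heuristic 2: >= min_shared distinct hostnames pinned to one routable
    address (redirection to a single attacker-controlled server; assumption).
    """
    findings = []
    by_addr = defaultdict(set)
    for addr, name in parse_hosts(text):
        by_addr[addr].add(name)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((addr, name, "sinkholed to local address"))
    for addr, names in by_addr.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        if len(names) >= min_shared:
            for name in sorted(names):
                reason = f"shares address with {len(names) - 1} other host(s)"
                findings.append((addr, name, reason))
    return findings


if __name__ == "__main__":
    for addr, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<36} {reason}")
```

On a live Windows system, feed the scanner the contents of %SystemRoot%\System32\drivers\etc\hosts; on a disk image, the same path under the mounted volume. Hosts entries that a company deliberately maintains (internal names, ad-blocking lists) will also trip heuristic 1, so compare against a known-good copy rather than treating every hit as malicious.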
Finally, Sohanat.U is a worm that spreads via instant messaging programs including Yahoo Messenger, AIM and Windows Live Messenger. It sends messages such as "Download free MP3s" containing a link; when users click on it, a copy of the worm is downloaded onto the computer.
Once it has infected the computer, the worm terminates the processes of certain security applications. It also changes the Internet Explorer home page.
Sohanat.U disables the Windows Task Manager and the regedit.exe program in order to hinder users from removing it from the computer.
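On Windows, Task Manager and regedit are normally disabled through the per-user policy values DisableTaskMgr and DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, and the Internet Explorer home page is the "Start Page" value under HKCU\Software\Microsoft\Internet Explorer\Main. The report does not say which mechanism Sohanat.U uses, so treating those values as the indicators is an assumption of this added example (not PandaLabs' code). It parses a `reg export` text, so it can run against a hive exported from an infected machine, and reports the values that indicate tampering. The export text and the home page URL are constructed.

```python
"""Registry-policy tampering check (added example, not PandaLabs' code)."""
import re

# Constructed .reg export text. A real `reg export` file is UTF-16LE with a
# BOM; decode it before passing it in. The Start Page URL is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://free-mp3s.invalid/"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# (key, value name) -> benign value; None means "report whatever is set".
# Which values the worm touches is an assumption (see lead-in).
INDICATORS = {
    (POLICY_KEY, "DisableTaskMgr"): 0,
    (POLICY_KEY, "DisableRegistryTools"): 0,
    (IE_MAIN_KEY, "Start Page"): None,
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _decode(data):
    """Decode the .reg encodings this check needs: dword: and quoted strings.

    Other forms (hex:, multi-line continuations, the @ default value) are
    returned raw and are not needed for these indicators.
    """
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode(m.group("data"))
    return keys


def find_indicators(text):
    """Return (key, value_name, value) for each indicator that is present and
    differs from its benign value (or is present at all, for Start Page)."""
    keys = parse_reg(text)
    hits = []
    for (key, name), benign in INDICATORS.items():
        values = keys.get(key, {})
        if name not in values:
            continue
        value = values[name]
        if benign is None or value != benign:
            hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for key, name, value in find_indicators(SAMPLE_REG):
        print(f"{key}\\{name} = {value!r}")
```

To collect the input on a suspect machine, run `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System policy.reg` and the same for the Internet Explorer\Main key; since regedit itself is blocked while DisableRegistryTools is set, `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f` (and likewise for DisableRegistryTools) from a command prompt is the practical way to restore the tools once the worm's processes have been stopped.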