A closer look at the Burglar.A Trojan and the USBToy.A and Naiba.A worms
The Burglar.A Trojan can cause serious damage to users. It spreads by email, with messages claiming that Australia’s Prime Minister has suffered a heart attack or some other illness. Subjects seen include “Prime Minister survived a heart attack” and “The life of the Prime Minister is in grave danger”.
Burglar.A has two infection methods. In the first, a spam message offers users a link to click; doing so takes them to a website hosting the Trojan. In the second, the Trojan is hidden in an attached executable file, and Burglar.A installs itself on the computer when the file is opened.
Once it has infected a system, the Trojan sends its creator information about the machine (IP address, country, latitude and longitude, etc.). The creator plots this information with Google Maps: opening a city map in the application shows the locations of the infected computers.
The Trojan then downloads several other malware samples. One is the Keylog.LN Trojan, which captures keystrokes in search of users’ login details. Burglar.A also downloads the Banker.CLJ Trojan, which stops certain bank pages from loading and replaces them with a page of its own that asks users for their confidential data.
The list does not end there. Burglar.A also downloads a third Trojan, FileStealer.A, which installs a web server on the infected computer; cyber-crooks can then control the machine remotely by accessing that server through its web page.
Sters.P is the last Trojan that Burglar.A downloads onto the system. Its aim is to stop users and security programs from reaching the update websites of specific anti-malware companies.
The USBToy.A worm spreads via USB devices. If such a device (a memory stick, an MP3 player, etc.) is connected to a computer infected by USBToy.A, the worm copies itself onto the device as a hidden file. When the device is later connected to a different computer, that computer is infected in turn.
USBToy.A runs every time the computer starts, displaying a message in Chinese characters on the Windows desktop. It calls the Win32 API function SetFileAttributesA to set the hidden attribute on its files, concealing its presence and making detection harder.
The Naiba.A worm also spreads via USB devices. It copies itself, together with an autorun.exe file, to every physical or mapped drive on the computer, so that the file runs each time it infects a drive.
Naiba.A terminates the processes of certain security solutions and modifies Windows registry entries. One modification is used to hide the worm; another stops the Cryptsvc (Cryptographic Services) service from notifying users that changes are being made.
The worm also carries out various annoying actions: for example, it prevents Notepad from opening and stops Windows Explorer from showing hidden files, so the worm’s own hidden copies stay out of sight.
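The tricks described for USBToy.A and Naiba.A (hidden copies dropped at a drive root, an autorun launch, Explorer settings changed so hidden files stay invisible) are easy to check for with a short triage script. The following is an added example written for this page, not code from the report or from the malware authors: it runs offline over constructed sample input (the autorun.inf text, the drive-root listing and the registry values are all made up here, and the worm file name toy.exe is hypothetical). On a real Windows host you would feed it os.scandir() entries with their st_file_attributes and the same registry values read with winreg. The registry paths are the standard Explorer locations that control hidden-file visibility; the report does not name the keys Naiba.A edits, so treating these as its targets is an assumption of the example.

```python
"""Offline triage for USB-worm leftovers: hidden+system executables at a drive
root, autorun.inf launch directives, and Explorer hidden-file settings tampered
with so the copies stay invisible. Sample data below is constructed."""
import configparser
from dataclasses import dataclass

# Attribute bits as defined in winnt.h: the values a worm passes to
# SetFileAttributesA, and what os.stat().st_file_attributes reports on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10

EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")

# Real Explorer registry locations controlling hidden-file visibility. Which of
# them Naiba.A edits is not stated in the report; that mapping is assumed here.
EXPLORER_ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
EXPLORER_POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


@dataclass
class RootEntry:
    """One entry at a drive root: path relative to the root plus attribute bits."""
    name: str
    attributes: int


def _norm(path: str) -> str:
    """Canonical form for comparing autorun targets with directory entries."""
    return path.replace("/", "\\").lower().lstrip(".\\")


def parse_autorun_inf(text: str) -> dict:
    """Return the launch directives of an autorun.inf: open=, shellexecute=
    and shell\\<verb>\\command= under [autorun]; icon/label lines are ignored."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key spelling such as shell\open\command
    cp.read_string(text)
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets[key] = value.strip()
    return targets


def suspicious_root_entries(entries, autorun_text=None) -> list:
    """Flag what a USB worm leaves at a drive root: hidden+system executables,
    a hidden autorun.inf, and any entry that autorun.inf would launch."""
    launched = {}
    if autorun_text:
        for key, target in parse_autorun_inf(autorun_text).items():
            if target:
                launched.setdefault(_norm(target.split()[0]), []).append(key)
    findings = []
    for e in entries:
        path = _norm(e.name)
        hidden = bool(e.attributes & FILE_ATTRIBUTE_HIDDEN)
        system = bool(e.attributes & FILE_ATTRIBUTE_SYSTEM)
        is_dir = bool(e.attributes & FILE_ATTRIBUTE_DIRECTORY)
        if not is_dir and path.endswith(EXEC_SUFFIXES) and hidden and system:
            findings.append(f"hidden+system executable at drive root: {e.name}")
        if path in launched:
            findings.append(f"autorun.inf launches {e.name} via {', '.join(launched[path])}")
        if path == "autorun.inf" and hidden:
            findings.append("autorun.inf itself is hidden")
    return findings


def check_hidden_file_settings(values: dict) -> list:
    """values maps (key_path, value_name) -> data, as winreg would return it."""
    findings = []
    # CheckedValue is normally 1; setting it to 0 or 2 makes ticking
    # "Show hidden files and folders" in Folder Options have no effect.
    checked = values.get((SHOWALL, "CheckedValue"))
    if checked is not None and checked != 1:
        findings.append(f"SHOWALL CheckedValue is {checked}: Folder Options toggle neutralised")
    if values.get((EXPLORER_POLICIES, "NoFolderOptions")) == 1:
        findings.append("NoFolderOptions=1: Folder Options menu removed from Explorer")
    return findings


# --- constructed sample input, standing in for os.scandir/winreg on a real host ---
SAMPLE_AUTORUN_INF = """; constructed autorun.inf, laid out like the ones USB worms drop
[AutoRun]
open=.\\toy.exe
shellexecute=.\\toy.exe
shell\\open\\command=.\\toy.exe
shell\\open\\default=1
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

SAMPLE_ROOT = [
    RootEntry("autorun.inf", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    RootEntry("toy.exe", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),  # hypothetical worm copy
    RootEntry("holiday_photos", FILE_ATTRIBUTE_DIRECTORY),
    RootEntry("notes.txt", 0),
]

SAMPLE_REGISTRY = {
    (EXPLORER_ADVANCED, "Hidden"): 2,
    (SHOWALL, "CheckedValue"): 0,             # assumed tampering
    (EXPLORER_POLICIES, "NoFolderOptions"): 1,  # assumed tampering
}

if __name__ == "__main__":
    for line in suspicious_root_entries(SAMPLE_ROOT, SAMPLE_AUTORUN_INF) + check_hidden_file_settings(SAMPLE_REGISTRY):
        print("[!]", line)
```

The entry check deliberately requires both the hidden and system bits before calling an executable suspicious, since a plain hidden file is common on legitimate media; a hidden autorun.inf and any file the autorun.inf names are reported regardless, because AutoRun launching a root-level executable is exactly the propagation step the report describes.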