A closer look at ArmyMovement.A and SpamtaLoad.DO trojans

The SpamtaLoad.DO Trojan spreads via email using subjects such as “Error”, “Good day” or “hello”.  The body text varies, usually containing an error message from the sender.  The Trojan itself hides in an executable attachment with varying names.

When the infected file is run by users, the Trojan displays an error message.  On other occasions, it shows a text in Notepad.  This malicious code is designed to download the Spamta.TQ worm onto the affected computer and to resend SpamtaLoad.DO to all the email addresses it finds on the infected system.

ArmyMovement.A is this week’s second Trojan.  It can reach computers by email or by file downloads, copying itself onto the system when it’s run.  Designed to steal email addresses that users store in the Outlook, it sends a hoax to the addresses announcing that the Turkish government has decided to increase soldiers and civil servants’ wages by 50 percent.  The subjects and texts of the emails are written in Turkish.

ArmyMovement.A causes several errors on infected computers.  For example, it modifies the boot file to display a message prompting users to format the hard drive.  It also changes the ntldr file, preventing the computer from restarting.  This malicious code overwrites files with different extensions (.jpg, .xls, .doc, .zip-¦), causing information losses.

The Lozyt.A Trojan reaches computers by email or file downloads.  Once it runs on the computer, it connects to a remote server and downloads an executable file which installs the Errorsafe adware on the infected computer.

Lozyt.A also kills several processes, including those of certain security solutions.  Its aim is to make detection more difficult.

The Muhi.A worm is the third malicious code in the report.  In order to spread, it copies itself in all the system’s drives, including the extractable drives (USB memory sticks, etc.).  This worm eliminates the content of the different drives it copies itself in.

Muhi.A also spreads via shared folders, using names such as “I_LOVE_YOU.exe”, “download.exe” or “window shopper.exe”.  The copies of the worm appear with the Notepad icon in order to trick the user.

This worm terminates the processes of several security solutions.  It also modifies the registry in order to prevent the system from warning about solution errors.  Muhi.A also changes Internet Explorer’s start page.

Source:




Share this