Malware of the week: Piggi.B worm, ReverseClick.A trojan and VideoCach adware
The Piggi.B worm, the ReverseClick.A Trojan, the VideoCach adware, and the potentially unwanted program (PUP) XPCSpy are the subject of this week’s PandaLabs report. The laboratory has also revealed this week how rootkits are increasingly being used by malware creators.
The ReverseClick.A Trojan is designed to reverse the functions of the primary and secondary mouse buttons and prevent executable files from being run. It also has many other annoying effects for users: hiding the My Computer disk drives and Desktop icons, and disabling the Windows Registry Editor and the Task Manager. It removes other features, such as the Windows Explorer Search button or the Desktop’s Recycle Bin, and disables the menu displayed when right-clicking on an item.
It is very easy to tell when ReverseClick.A has infected a computer. As soon as the malicious code is run, the Recycle Bin disappears and the functions of the mouse buttons are reversed. Then, the next time the computer is started up, ReverseClick.A deletes all the icons on the Desktop and opens Notepad.
ReverseClick.A needs intervention from an attacking user in order to spread. The means of distribution used vary and include floppy disks, CD-ROMs, email messages with attachments, Internet download, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
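Several of the symptoms described above correspond to standard per-user Windows registry settings. The following triage check is an added example, not part of the PandaLabs report: it parses a .reg export of HKEY_CURRENT_USER and flags those settings when they are switched on. The report does not say which values ReverseClick.A modifies, so the list of values is an assumption, and the sample export is constructed.

```python
import re

# Standard per-user Windows settings that produce the symptoms described above.
# Assumption: the report does not name the values ReverseClick.A changes.
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"
CHECKS = {
    (r"Control Panel\Mouse", "SwapMouseButton"): "mouse buttons reversed",
    (POL + r"\System", "DisableRegistryTools"): "Registry Editor disabled",
    (POL + r"\System", "DisableTaskMgr"): "Task Manager disabled",
    (POL + r"\Explorer", "NoDrives"): "drives hidden in My Computer",
    (POL + r"\Explorer", "NoDesktop"): "Desktop icons hidden",
    (POL + r"\Explorer", "NoFind"): "Search removed",
    (POL + r"\Explorer", "NoViewContextMenu"): "right-click menu disabled",
}
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(\d+)")$')

def parse_reg(text):
    """Return {(subkey, name): int} for numeric HKCU values in a .reg export."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)  # other hives and [-deleted] keys give None
            key = m.group(1).lower() if m else None
        elif key and (m := VAL_RE.match(line)):
            name, dword, digits = m.groups()
            values[(key, name.lower())] = int(dword, 16) if dword else int(digits)
    return values

def triage(text):
    """List the symptom-producing settings that are switched on (non-zero)."""
    values = parse_reg(text)
    return [msg for (key, name), msg in CHECKS.items()
            if values.get((key.lower(), name.lower()), 0) != 0]

# Constructed sample export (regedit writes UTF-16; decode before passing in).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Mouse]
"SwapMouseButton"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
'''

print(triage(SAMPLE))
```

A clean profile normally has none of these values set, so any finding on a machine where no administrator applied such restrictions deserves a closer look.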
VideoCach is an adware program designed to fraudulently promote certain security applications. This adware includes the novelty of using rootkit techniques to hide its actions.
VideoCach creates shortcuts on the desktop and displays false infection alerts. It also opens Internet Explorer windows falsely telling users that there is malware installed on the computer. This adware includes links to web pages from which dubious security applications can be downloaded or bought. When run, these tools scan computers, although the results are at best dubious. Then they prompt the user to buy the products they offer.
XPCSpy also uses rootkit techniques to conceal its activities. This is a potentially unwanted program (PUP) designed to spy on users that have it installed on their computers. It carries out harmful actions such as capturing screenshots or keystrokes and keeps a log of web pages visited, emails sent or conversations held via instant messaging.
Since XPCSpy has rootkit features, it doesn’t show any visible symptoms of infection. It hides running processes and the folders that store the program’s components and reports. This makes the application extremely difficult to detect.
This week’s last malicious code is the Piggi.B worm, which also uses rootkit techniques to conceal the system’s infection. This worm spreads via email and uses false sender addresses of Internet-related or security companies.
Piggi.B copies itself as iexplore.exe to the Program Files folder and moves the original file (belonging to the well-known Internet browser) to a subfolder in the Windows system directory. As a result, the user runs Piggi.B first every time they run Internet Explorer.