Combined Spamta and Spamtaload attack and the look at Grum.A worm
This week’s PandaLabs report looks at the dangerous combined attack carried out by Spamta.VK and Spamtaload.DT, the Ldpinch.AAI Trojan and the Grum.A worm. It also reports this week’s Microsoft security patch.
The combined attack launched by Spamta.VK and Spamtaload.DT has been one of PandaLabs’ main concerns this week. Spamta.VK is a worm designed to connect to several servers and send out massive amounts of emails. These emails include a file, generally an executable file, which hides a copy of Spamtaload.DT. When this Trojan infects a computer, it downloads a copy of Spamta.VK, thus starting the entire infection cycle all over again.
“Combined attacks ensure widespread distribution of malicious codes. In this case, the worm’s propagation features are used to spread the Trojan. This attack accounted for up to 80 percent of malware infections reported to PandaLabs every hour”, explains Luis Corrons, Technical Director of PandaLabs.
Spamtaload.DT shows an error message every time it is run and hides in a file with the typical text file icon. Spamta.VK downloads several malicious files from the Internet and connects to several servers to send out emails.
Ldpinch.AAI is a Trojan aimed at stealing passwords belonging to several programs: email clients, browsers, FTP clients, etc. To do this, the Trojan reads the configuration files and Registry entries of these programs.
Ldpinch.AAI also steals data from the Internet dialup connections configured on the affected computer, as well as from active processes. All this information is then sent to the malware author through a Web form.
To do this, the Trojan prevents certain firewalls from working properly.
The Grum.A worm hides in emails offering a false beta of Internet Explorer 7. The infected email shows a large image which supposedly allows users to download the beta. However, when users click on the image, they are actually downloading the worm.
After it has run, the malicious file is deleted. Grum.A infects executable files (.exe) and makes copies of those files under the same name and the “.rgn” extension to make them more difficult to remove from the target system.
Grum.A can hide its processes using rootkit techniques. This makes it more difficult to detect with security solutions. Also, to hide its presence even more, the worm intercepts several system DLLs and copies itself to others (system.dll, ntdll.dll, kernel32.dll, etc).
Grum.A is also designed to open a backdoor in infected computers. As a result, an attacker could access the computer and control it remotely. Finally, the worm connects to a certain website in order to update itself.