Ridnu.C is certainly among the more romantic examples of malware detected by PandaLabs. Its main function is to write affectionate notes in Notepad whenever the application is opened by users. Such messages include “dear my princess, I wanna take you to my palace” or “I miss you cute smile”. It also creates a file called “Message for my princess” on the desktop. When run, this worm opens Notepad and displays the messages above.
Ridnu.C also writes a message (MR COOLFACE!) when users try to use the Run option in the Windows Start menu. “Although romantic, it can still be annoying. It opens the CD tray and switches the monitor on and off every few seconds,” explains Luis Corrons, Technical Director of PandaLabs.
This worm spreads in emails that it creates itself. The file containing the worm has names like “Sahang dan Timah.scr”, “Bangka Island.scr” or “Pantai Pasir Padi.scr”.
PandaLabs has made a video of the behavior of this worm which you can see at http://www.pandasoftware.com/img/enc/Ridnu.C.wmv
The Evilx.A Trojan modifies Windows registry entries corresponding to the firewall, so that it can then access a web page and download all types of files, including malware.
To make it more difficult to detect, the Trojan has two rootkits that hide its processes and the entries and files it creates. Evilx.A also covers its tracks by deleting the original file it reached the computer in.
Clagge.G is also designed to download malware from the Internet. This Trojan accesses different URLs from which it downloads a copy of the Cimuz.BE Trojan, designed to steal information from computers.
Clagge.G creates a copy of itself on the system. It also creates a key in the Windows Registry to ensure it is run every time the system is started up.