A look at the MSN photo worm and a trojan with 9 different malware inside

This week’s PandaLabs’ report focuses on Conycspa.AJ, a dangerous Trojan that downloads nine malicious codes onto computers. It also focuses on Briz.X, a Trojan that has infected more than 14,000 users, and on the MSNPhoto.A and Ridnu.D worms.  
The Conycspa.AJ Trojan is designed to show adverts to users. To do so, it changes several Windows registry entries and modifies the results of online user searches. This way, it redirects users to specific web pages, mostly related to medicine.

This Trojan also connects to a specific web address from which it downloads various files. One of them is mm4839.exe, which is designed to send spam about medicines from users’ computers.

It also downloads a long list of infected files from the Internet which correspond to the following malware: the MalwareAlarm adware, the potentially dangerous programs DriveCleaner, WinAntivirus2006 and PsKill.J, the Stox.A and Cimuz.EI Trojans, and the DriveCleaner, MediaPlex and DriveCleaner cookies.

“Cyber-crooks seek profit with their malware attacks. In each infection they manage to insert malicious codes on users’ computers, increasing the possibility of profiting from stealing confidential data, visiting web pages that sell specific products, sending spam, hijacking computers, etc.”, explains Luis Corrons.
Conycspa.AJ creates more changes in the Windows registry, one of which makes sure it is run on every restart. It also creates a BHO (Browser Helper Object) which allows it to record users’ browsing activity.
It also modifies the firewall to open a random port and the win.ini file to automatically run when a session is started.
The Windows operating system has a protection called Windows File Protection (WFM), which checks there are no corrupt files, replacing them for the original copies if there are. This dangerous Trojan modifies the file restoration folder by establishing its own. Consequently, when the operating system tries to restore the corrupt library, it will be replaced by the one created by the Trojan. This way, it protects its modifications and prevents the operating system from deleting it.
Briz.X has also played an important role this week. PandaLabs found a server that received confidential information stolen by this Trojan.  More than 14,000 users have been affected by this variant which infects 500 computers a day on average.
Briz.X has a parser module which allows cyber-crooks to handle all the stolen information, searching for terms or IP addresses or creating filters to obtain data quickly.
MSNPhoto.A is a worm that spreads through MSN Messenger. This malware reaches the computer with the icon of an image, but it is really an .exe file.

When run, MSNPhoto.A shuts all the MSN Messenger windows opened by the user and sends a message to its contacts tricking them into opening a file called           fotos_posse.zip, which is really a copy of the worm.
This worm also prevents the task manager from opening, therefore preventing the user from closing MSN Messenger. It also tries to download several files from the Internet. Finally, it modifies the Windows registry to maker sure it is run every time the system restarts.
“Instant messaging services like MSN Messenger, Yahoo!Messenger, AIM, etc. are increasingly used by home users and businesses. And the fact that they are so widespread has made them an excellent means of propagation for malware, which uses it to spread to as many computers as possible,” explains Corrons.
Ridnu.D is the second worm in this report. This malware, like other variants of the Ridnu family, is characterized by displaying annoying messages. This way, it replaces “run” for “Mr_CoolFace Has Come!”. It also changes the name of the “My Documents” to “Mr_CoolFace” and writes messages like “Dear my princess” every time the user opens the Notepad.
One of the malicious actions carried out by Ridnu.D is to create several entries in the Windows registry to change the aspect of the Windows Explorer taskbar and make sure it runs every time the computer is restarted.

Don't miss