This week’s PandaLabs malware report looks at three new pieces of malicious code designed to compromise the security of computers: two worms and a Trojan.
Gronev.A is a worm with a taste for music. On infecting a computer, it opens Windows Media Player and plays a song called “Lagu”. It also opens an MS-DOS window with the word “Vergon” when the CMD console is executed. While showing this window, Gronev.A creates a new user account on the system, which cannot be accessed by the legitimate user.
It also creates several folders on the system called Backup, Doc, Secret and tools, and copies itself to them. In order to spread, this worm also copies itself to every system drive.
Finally, Gronev.A performs other malicious actions, such as closing Internet Explorer or modifying the Windows Registry to ensure it is run whenever the computer is started up.
Antihost.A spreads by copying itself to all the physical drives connected to the computer. If it copies itself to a USB memory stick, the worm will infect every computer that the device is connected to.
If no DVD or CD is inserted in the drive when it infects the computer, Windows shows a message asking the user to insert one.
Antihost.A creates several hidden files on the infected computer and creates a key in the Windows Registry to ensure it is run whenever the computer is started up.
Finally, BotVoice.A is a Trojan that uses the Windows text reader to play the following sentence over and over again: “You has been infected I repeat You has been infected and your system files has been deletes. Sorry. Have a Nice Day and bye bye”.
While it uses this original way of informing users that they have been infected, BotVoice.A deletes all shortcuts from the desktop and from the “My Documents” folder, as well as all the files on the C drive until it finds something it cannot delete. Then, it stops eliminating files but continues to play the voice message.
It also modifies the Windows Registry in order to prevent any program from running, rendering the computer unusable.
BotVoice.A spreads like most Trojans: it is downloaded by other malware or via a malicious web page, or arrives through storage devices such as USB memory sticks, CD-ROMs or floppy disks, via email, via P2P networks, etc.