Aiphone.A is a Trojan that takes advantage of the anticipation surrounding iPhone to steal users’ banking data. This will be the subject of this week’s PandaLabs report, together with Hairy.A, a worm related to Harry Potter, and PornWorm.A, a worm that uses pornography to entice users and spread.
To steal users’ banking data, Aiphone.A installs as a BHO (Browser Helper Object). When an infected user tries to visit the iPhone official page, the Trojan redirects them to a false web page. The user will have to enter their banking data on this page to buy the phone, and the data will immediately be in the hands of the malware creator.
The Trojan can reach targeted computers as an email attachment or as part of an infected Internet download.
Hairy.A is a worm that modifies the system, disabling important security items such as the Windows firerwall, the registry management tools and the system restore tools.
The worm displays annoying messages at certain times and during session start. One of these messages, displayed in a text document when the Trojan is run, reads Harry Potter is dead. It also shows a message in an MS-DOS screen on every system startup which insults J.K Rowling, Harry Potter’s creator.
After restarting the computer there are three new “users”, one of them named Harry Potter.
Hairy.A copies itself to the system under the name HarryPotter-TheDeathlyHallows.exe, running itself from time to time to re-infect the computer. To spread, it makes copies of itself on any drive with letters between C: and J:. In the case of removable drives, as soon as the drive is connected to a computer the worm will run and infect it.
PornWorm.A is a worm that uses pornography to spread. To do this, the worm copies itself to directories belonging to file sharing applications with erotic names and jpg.rar extension.
Once unzipped, the copies have names such as Gratis_Sex.exe or Free _Porno_ Access.
PornWorm.A creates a key in the Windows Registry to run on every system restart. Also, it makes several copies of itself on the system and connects to a URL to download more malware onto the computer.