Worm with SMTP and dialer engine

The focus of this week’s PandaLabs report are RegisteredLetter.A worm and ZLFake.A backdoor. RegisteredLetter.A is designed to make a series of changes on infected computers: it changes Internet Explorer’s home page and modifies the browser’s list of trusted sites, adding new pages to it.

Also, it makes changes to the Windows registry. For example, if the user tries to access the “My Pictures” folder, they are redirected to a web page that looks the same as the folder.

RegisteredLetter.A has its own SMTP and dialer engine. This allows it to send out emails with a link that takes victims to a page that downloads a copy of the worm. This email is sent to all the contacts in the infected computer’s Microsoft Outlook address book.

ZLFake.A is a backdoor. On reaching computers, it connects to a certain web page in order to inform its creator that it has infected a system. This malicious code is not memory resident, which would make it easier to detect, but runs every hour, staying active for just one minute.