This week’s PandaLabs report focuses on the Xp-Shield adware and the Ridnu.H and DisaCKT.B worms.
Xp-Shield is adware (an advert-displaying program) that tries to pass itself off as an antivirus tool, using the typical icon of the Security Center included in some Windows versions.
When the file containing Xp-Shield is run, it creates several files on the system and a series of entries in the Windows registry. Once installed on the computer, it simulates a computer scan, falsely warning users that the system is infected and prompting them to register the software (by paying) in order to clean it. It also inserts a Security Center icon in the taskbar and displays pop-ups reminding users that the software has not been registered and that the computer is still infected.
Ridnu.H disables numerous program processes, many of which belong to security applications. Love messages such as “Dear my princess when the stars fill the sky, I will meet you my lovely princess” displayed on opening Notepad are a clear indication that the computer is infected by Ridnu.H.
This worm carries out several actions on the computer: it causes the Start button to vibrate when clicked, changes the appearance of all windows opened on the system by covering them with an image similar to the Windows ‘cloudy’ desktop theme, etc.
Finally, the DisaCKT.B worm reaches computers as a file with a Microsoft Office document icon. When run, it changes the name of the Windows Start button to ‘NUM’, and copies itself under the name Microsoft Office Word 2003.exe to the computer’s start menu.
Once installed, it prevents users from accessing certain system programs, like the registry and policy editor and the operating system’s console and maintenance utilities. It also blocks access to the folder properties.