Weekly Report on Viruses and Intruders – Clickbot.A and Kitty.Kat Trojans and the Hoots.A worm
Clickbot.A is a Trojan which is part of a system for defrauding ‘pay per click’ systems, registering fraudulent clicks on adverts which are not actually receiving hits. PandaLabs has uncovered a network with thousands of compromised computers being used for this purpose. It does not spread automatically, but requires user interaction in order to infect the system. These actions can include opening files attached to e-mails, downloading files from the Internet or from P2P file-sharing networks. When run, the Trojan registers as a BHO (Browser Helper Object), allowing it to activate every time Internet Explorer is started. Clickbot.A can update its own code, notify the controller of the botnet that the computer is infected and available, and can be used fraudulently to click on-demand.
KittyKat.A is a Trojan that cannot spread on its own, but needs user intervention in order to activate, e.g. opening e-mail attachments, downloading files from the Internet or across P2P networks. It always appears compressed in a RAR file, which also includes the original packaged files and a series of files with random sizes and names, along with another file called Start.bat. If the latter is run, a new executable called Nrk.exe is created which searches for all RAR files and inserts its code. When this process is complete, the following message is displayed on screen: Eppur si muove! – Defend your opinion!. The infection has no other malicious effects.
Hoots.A is a worm that spreads across shared resources and mapped drives on a local network. It is easily recognized because it sends a picture of a snowy owl to network printers with the text “O RLY?” written across the image. The worm creates a file called O RLY.exe in the Start folder, in order to run every time Windows starts up and another file called Check.exe, both of which are copies of its own code. Once the worm detects a network, it starts various actions in order to spread, such as using commonly used passwords to try to gain access to shared drives, creating an inventory of mapped drives in order to create a copy of itself in all of them.