Panda Weekly - viruses and intruders - 11/11/05

Discussion in 'other security issues & news' started by Randy_Bell, Nov 11, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    - Panda Software's weekly report on viruses and intruders -
    Virus Alerts, by Panda Software

    Madrid, November 11 2005 - This week's report looks at a backdoor Trojan -Ryknos.A-, three vulnerabilities in the Windows graphics rendering engine, a worm -Lupper.A-, and a Trojan -Zagaban.H-.

    Ryknos.A is a backdoor Trojan that opens port 8080 and connects to several IP addresses to receive remote control commands -such as downloading or running files- to take on the affected computer.

    Ryknos.A installs itself on the Windows system directory under the name "$SYS$DRV.EXE". In this way, in systems with Sony Digital Rights Management software installed, it uses the rootkit included with this software to hide any file whose name starts with "$SYS$" from Windows Explorer.

    The three security problems we are looking at today are: Graphics Rendering Engine, Windows Metafile (WMF) and Enhanced Metafile (EMF). They could allow a remote user to take control of the affected computer with the same privileges as the user that started the session, or to launch denial of service attacks against the computer.

    These vulnerabilities, which are classified as 'critical', lie in the processing of Windows metafile (WMF) image formats and enhanced metafiles (EMF). They could affect any application that renders WMF or EMF images in Windows 2000, Windows XP and Windows Server 2003.

    These security problems could be exploited by an attacker using a specially-crafted image that could be sent by email, hosted on a web page, embedded in an Office document or stored on a shared network drive. An attacker could exploit these vulnerabilities if they managed to start a local session and run a program created for that purpose.

    To prevent these security problems, Microsoft has released updates for Windows 2003, Windows XP and Windows 2000 (the affected systems). Users are advised to refer to bulletin MS05-053 published by Microsoft - at;en-us;896424 - for the download addresses of the updates, or use Windows Update.

    Lupper.A is a worm that affects Linux systems, exploiting two security problems: AWStats Rawlog Plugin Input Vulnerability and XML-RPC for PHP Remote Code Execution Exploit. Lupper.A downloads a copy of itself from an IP address, which it saves (in /tmp/lupii) and runs. In addition, this worm opens a backdoor in port 7111 which could allow remote control of the computer.

    We end today's report with Zagaban.H which, like all Trojans, cannot spread under its own steam and needs to be distributed manually by third-parties (by mail, Internet download, FTP file transfer, etc.).

    Zagaban.H takes a series of actions on affected computers including:

    - Monitoring web addresses (those that the user accesses through Internet Explorer), searching for text strings related to banks. If it registers any such text string, it records the address and logs the keystrokes entered on the page, thereby obtaining confidential information (passwords, account numbers, pin numbers, etc.). It then sends the stolen data to a web server.

    - It creates, in the Windows system directory, two files: IPREG.EXE, which is a copy of itself, and SPDR.DLL, which it injects in all processes launched.

    For further information about these and other computer threats, visit Panda Software's Encyclopedia:
    Last edited: Nov 15, 2005
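
As an added example (not part of the original post or of Panda's report), a small triage script that checks a file listing and `netstat -an` output against the file names, path and ports the report names. The function names and the sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators as named in the report above; nothing here comes from other sources.
WINDOWS_NAMES = {"$sys$drv.exe": "Ryknos.A", "ipreg.exe": "Zagaban.H", "spdr.dll": "Zagaban.H"}
LINUX_PATHS = {"/tmp/lupii": "Lupper.A"}
LISTEN_PORTS = {8080: "Ryknos.A", 7111: "Lupper.A"}

# Local port of a TCP socket in LISTEN/LISTENING state, Windows or Linux `netstat -an` layout.
LISTEN_RE = re.compile(r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?\S*[:.](\d+)\s+\S+\s+LISTEN", re.I)


def check_files(paths):
    """Return (path, reason) pairs for file names the report associates with a threat."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()  # Windows file names are case-insensitive
        if name in WINDOWS_NAMES:
            hits.append((path, WINDOWS_NAMES[name]))
        elif name.startswith("$sys$"):
            hits.append((path, "name prefix hidden by the Sony DRM rootkit"))
        elif path in LINUX_PATHS:
            hits.append((path, LINUX_PATHS[path]))
    return hits


def check_listeners(netstat_lines):
    """Return (port, threat) pairs for listening TCP ports the report names."""
    hits = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in LISTEN_PORTS:
            port = int(m.group(1))
            hits.append((port, LISTEN_PORTS[port]))
    return hits


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    files = [r"C:\WINDOWS\system32\$SYS$DRV.EXE", r"C:\WINDOWS\system32\notepad.exe",
             r"C:\WINDOWS\system32\Spdr.dll", "/tmp/lupii"]
    netstat = ["  TCP    0.0.0.0:8080     0.0.0.0:0     LISTENING",
               "tcp   0   0 0.0.0.0:7111   0.0.0.0:*   LISTEN",
               "  TCP    10.0.0.5:1034    10.0.0.9:8080  ESTABLISHED"]
    for hit in check_files(files) + check_listeners(netstat):
        print(hit)
```

Because the report says the rootkit hides `$SYS$` files from Windows Explorer, the file listing is assumed to come from outside the running system, such as a mounted disk image. A listener on port 8080 alone is only a lead, since that port is also commonly used by legitimate proxies and web servers.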