Panda Weekly - viruses and intruders - 06/09/06

- Panda Software's Weekly Report on Viruses and Intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)​

Madrid, June 9 2006 - Trojans Ldpinch.RE and Rizalof.DC, backdoor Trojan Lootseek.DD, worm Ircbot.ZN and the adware PornMagPass are the subjec of this week's PandaLabs report:

Ldpinch.RE is a Trojan that steals passwords and other confidential data from the computer it infects. To do this, it logs the user's keystrokes and monitors web pages visited. It cannot spread automatically, but it needs user intervention, like opening email attachments, downloading files from the Internet or P2P networks, and opening files received through instant messaging programs. Its malicious actions include stealing the passwords for accessing the operating system, through the Windows SAM (Security Access Manager) file. It also tries to obtain passwords stored in programs such as Outlook or The Bat, and several ICQ programs. Also, Ldpinch.RE monitors web pages visited, and, if the Trojan detects that the user accesses pages of certain banking entities, it proceeds to store the information submitted , like passwords. All the information gathered by the Trojan is later on sent to the attacker by email. The Trojan goes resident on the system, informs its creator that the target computer is infected, and can also download some other malicious files.

Rizalof.DC is a Trojan that cannot spread by its own means, but is dropped by the backdoor Trojan Lootseek.DD into target systems. Once run, it turns the affected computer into a platform for sending out spam. To do this, connects to several web pages to download lists of names and email addresses that it will use as spam senders or recipients.

Lootseek.DD is a backdoor Trojan that downloads and runs the Trojan Rizalof.DC. To do this, it connects to an IRC server, waiting to receive commands from a remote attacker, like downloading potentially dangerous files into the system. It needs user intervention to infect the system, like opening email attachments or downloading files from the Internet or P2P networks. In order to avoid being detected and eliminated, Lootseek.DD ends processes related to antivirus programs and Windows updates. Finally, it creates files Smss.exe (a copy of the backdoor Trojan), and Nvsvcd.Exe on the affected computer, and registers on the system as a service called "Windows Log".

Ircbot.ZN is a worm with backdoor functionalities, that spreads using certain LSASS, RPC DCOM and UPnP Windows operating system vulnerabilities. Also, it installs an FTP server on the target computer to spread to other systems. The worm can connect to an IRC server, waiting to receive commands from a remote attacker, like downloading files or running commands.

PornMagPass is an adware that can be downloaded from several web pages, and offers free access to pornographic contents. During installation, it will be necessary to accept an end-user license agreement that authorizes the program to offer plugins and other components. However, what the program actually installs on the target computer is a spyware code, together with an anti-spyware application called SpywareQuake. Then, it informs the users that their computer is infected, offering them to buy the application to solve the problem. Also, PornMagPass installs an Internet Explorer plugin that redirects the browser to a bogus error page, that tries to trick the user by informing them that an adware program has blocked access to the webpage requested, offering them to buy a security solution to solve the problem.

For further information about these and other computer threats, visit Panda Software's Encyclopedia.