This week’s PandaLabs report includes information about two worms, RogueMario.A and USBWorm.A, and about the Kangen.F Trojan.
RogueMario.A is a worm that displays a very basic version of the Super Mario Bros. game. It does this to hide the malicious actions that it is carrying out on the computer.
“Imagine a user that received an email with a file supposedly containing the Super Mario game. If he runs the file, and seemingly accesses the game instead of getting an error message, there is less reason to suspect that the computer is infected”, explains Luis Corrons, technical director of PandaLabs. RogueMario.A changes aspects of the user environment, such as currency and country settings, default user name, etc. It also closes several monitoring programs including HijackThis – v1.99.1 and Multikiller2.
This worm creates keys in the registry to ensure it is run every time the system is started up. Similarly, it modifies the Windows registry to change the performance and appearance of the system. It also creates a scheduled task to run at a certain time every day.
In addition, it makes several copies of itself on infected computers, using names like Explorer.exe or Mario.exe. To spread, it makes copies of itself with names such as Legend.exe or Kartu.exe on mapped removable drives and it also sends itself out as an attachment to an email.
USBWorm.A is a worm that spreads by copying itself to removable drives, such as USB memory sticks. It does this by copying two files to the drives: autorun.inf and more.exe. The first of these executes the second, which carries out a series of malicious actions every time the drive is connected to a computer. One of these is the modification of the appearance of the Windows folder and the desktop.ini file, with the following message, “^_^ Hello, I'm a hot boy but I am very cool ^_^”, added to the title bar of all Windows folders. This worm also makes copies of itself on the system under random names and tries to insert the autorun.inf file, which allows it to run, in the right-click menu.
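As an added example (not part of the PandaLabs report), the following Python check parses an autorun.inf file from a removable drive and flags entries that launch an executable, including the shell\...\command keys that add right-click menu items. The sample file contents are constructed for illustration; the report does not list the actual contents of the worm's autorun.inf, and the extension list is an assumption.

```python
import re

# Keys in the [autorun] section that launch a program directly.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command adds a command to the drive's right-click menu.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# Assumed list of extensions worth flagging; adjust to local policy.
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")

# Constructed sample, modelled on the behaviour described above.
SAMPLE = r"""[autorun]
open=more.exe
icon=folder.ico
shell\open\command=more.exe
shell\explore\command=more.exe
label=Removable Disk
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def program_of(value):
    """Extract the program name from a command line, honouring quotes."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def findings(text):
    """List (key, program, reason) for entries that start an executable."""
    results = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            reason = "launched by AutoRun"
        elif SHELL_CMD.match(key):
            reason = "right-click menu command"
        else:
            continue
        program = program_of(value)
        if program.lower().endswith(EXECUTABLE_EXT):
            results.append((key, program, reason))
    return results
```

Running findings() over the autorun.inf of each mounted removable drive gives a quick triage list; a drive whose autorun.inf only sets icon or label produces no findings.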
Kangen.F is a Trojan that appears on a system with a tank icon. It makes several copies of itself on the computer, and also downloads several files corresponding to a web page that displays a message in Indonesian. It modifies the Windows registry to make sure it is run every time the system restarts. It also tries to change the name and organization name with which the operating system is registered. Kangen.F can reach targeted users as an email attachment or as part of an Internet download.