subscribe: Daily Newsletter


Weekly report on viruses and intruders


According to data gathered at the Infected or Not website ( <> ) this week, over 30 percent of computers with protection installed, and scanned by NanoScan or TotalScan (the online tools from Panda Security available on that website) were infected by some kind of malicious code.

This doesn’t mean that current antivirus protection is not valid, but that it should be complemented by in-depth scanning with online tools such as NanoScan or TotalScan, which are able to detect much more malware”, explains Jeremy Matthews, CE of Panda Security South Africa.
Adware and PUPs (Potencially Unwanted Programs) account for most of the Top Ten malicious codes detected by TotalScan ( Both types of malware can obtain confidential data from users and then exploit this, for example, to display personalized adverts to users as they browse the Web.
“Both Adware and PUPs can be extremely annoying for users, as on many occasions they can change computer settings, display a constant stream of adverts, or modify Internet search results. They also jeopardize the confidentiality of user information, as in some cases, they are specifically designed to spy on users”, says Matthews.
The two most frequently detected examples this week were both PUPs: MyWebSearch and FunWeb. The Downloader.MDW Trojan, designed to download other malicious code, was in third place.
Of the thousands of new malicious code that appeared this week, the PandaLabs report looks at the Lina.D Trojan, the Kimo.A worm and the Gnome.D virus.
Lina.D reaches computers with the icon of a Word document. However, when the document is opened, the Trojan is executed, displaying a document with HTML text.
This Trojan creates copies of itself in several directories. It also releases a series of files on the system. One of these is detected by PandaLabs as the Leword.A Trojan, while the other runs a copy of the Trojan every day at a specific time.
Lina.D creates a key in the Windows registry to ensure it is run every time the system is started up.
The Kimo.A worm is highly annoying to users, as it causes computers to shut down every so often, closing sessions a few seconds after restarts and causing the system to slow down.The worm creates an Autorun.inf file in each mapped drive of the computer. This allows it to run every time a user double clicks on the drive. In addition, if the user clicks on any of the right-click menu options, the worm will run. Kimo.A makes several modifications to the Windows registry, restricting access to Internet Explorer options, preventing use of the “Folder options” and allowing the worm to run on every system restart.
Gnome.D is a virus with worm characteristics. The file is distributed with the Windows default icon for executable files, with the name: “cool_screen_saver”. If users run this file, they will really be executing the virus. This malicious code copies itself to the system with names like Winexegn.exe and Winscrgn.exe. It also drops several files on the infected computer. If mIRC is installed on the computer, the virus will make a copy of itself and create two new files in the directory containing this program.
All files created and dropped on the computer are aimed at helping Gnome.D to spread. Those created in the mIRC directory aim to spread the worm through this channel. Every time the user connects to a IRC server, the virus sends a message with the user’s nick and a random text. Examples include: “see this screen saver so i send you” or “ i just get new $chan screen saver“. The message includes the infected file. Gnome.D also spreads via email. It sends a message with the infected file attached and the following text: “Hi dear friend, I want to show you what I has found in the Internet! L check the att ached file for more info. V I have incluyed a program which illustrates hm y opinion  a bout  things you wrot e me a few  days ago. check this nice. bye. ; – )”
Also, when an application is opened, the virus injects itself into the code and modifies the entry point so that when it is run, the virus will be activated as well.