Weekly report on viruses and intruders


The LunchLoad.A and FakeGoogleBar.M Trojans are the two new strains of malware in this week’s PandaLabs report. It also includes information about four new security patches published by Microsoft.

LunchLoad.A reaches systems under the name backup2_36. When run, it drops several files onto the computer; these contain the information the creator needs to identify the malware when connecting to the computer.

To make the connection, the Trojan contacts a server from which it receives orders about which malware to download, when to run it, etc. It also records the MAC address of each infected computer.

FakeGoogleBar.M is designed to alter the Google toolbar. When this toolbar is not installed on a PC, the file creates several other files that allow it to operate all the same. Its malicious activity begins with the editing of several Windows Registry entries so that a DLL is injected into the browser; whenever the browser is used, the Trojan is run.

The Trojan also opens a port on the computer and establishes an HTTP connection through which it sends confidential information to the creator.

To obtain this data, FakeGoogleBar.M logs words entered by the user in several search engines, including Google and Yahoo. It also copies all URLs containing keywords like "bank" or ".gov". This stolen information is then sent to the creator of the malware through a purpose-built website.

Finally, this week Microsoft has published four security patches to fix several vulnerabilities in its products. One of these affects Microsoft Agent and has been classed as critical. This problem could allow a remote attacker to run arbitrary code on affected systems.
The remaining vulnerabilities have been classified as important. One of these affects Visual Studio, another Windows Services for UNIX and the last one MSN Messenger and Windows Live Messenger. For more information and access to the security patches go to: http://www.microsoft.com/technet/security/current.aspx.