
Weekly report on viruses and intruders


According to data gathered at the Infected or Not website (http://www.infectedornot.com) through the NanoScan and TotalScan online solutions, 33.23% of users with a security solution installed were infected. As for unprotected users, 46.16% were infected.

“This does not mean that traditional security tools are useless, it means that they need to be complemented by other types of online solutions such as NanoScan or TotalScan which have access to a larger database and can therefore detect more malware,” explains Jeremy Matthews, CE of Panda SA.
Among computers scanned by TotalScan, the Gator adware was this week's top malware, followed by the Altnet PUP (potentially unwanted program) and the SaveNow adware.
All three are malicious codes designed to put users' privacy at risk, for example, by monitoring their activity online. As for this week's malicious codes, PandaLabs highlights the Nabload.CHW and Maran.DJ Trojans and the Ganensar.A and Mimbot.A worms.
Nabload.CHW spreads through emails that claim to come from Gmail's support service. The email text, in Portuguese, tries to trick users into downloading a new antivirus tool, claiming that otherwise they will be unable to use their email account. When users click on the download link, they copy the Trojan onto their computer.
Nabload.CHW is designed to download a banker Trojan onto infected computers, which then sends an email to its creator indicating the name of the compromised computer. It also monitors users while they use the Internet to steal their banking passwords when logging onto specific online banks, and emails the data to the creator.
The Maran.DJ Trojan adds several passwords to the Windows registry. This way, it runs on every system startup and changes the LSP layers (Layered Service Provider, a system controller related to network services) to monitor Internet data traffic.
Thanks to the changes made, it steals user and system information by reading passwords, user names and other confidential information that victims type on websites and documents.
The Ganensar.A worm reaches computers with a Windows Media file icon. It creates several copies of itself on the system and downloads several malicious files. This worm makes several modifications to the Windows registry so that it runs every time a session is started. It also creates other entries aimed, among other things, at disabling the Task Manager and the registry editor, and inserts an image and text in the system properties window stating that the computer has been infected.
It also blocks programs with specific window names and disables Windows File Protection, replacing several files with copies of Notepad while keeping their original names. This way, when one of those files is run, Notepad opens instead.
Finally, when the ‘intro’ button is pressed, a window is displayed showing a message from the worm’s creator.
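A triage check for the registry changes described above for Ganensar.A (autostart entries, and Task Manager and registry editor disabled), given here as an added example that is not part of the original report or any Panda tooling. It assumes the standard Windows policy values `DisableTaskMgr` and `DisableRegistryTools` and the standard `Run` keys; the report does not name the exact keys the worm writes.

```powershell
# Added example. Assumption: the worm uses the standard policy values and Run keys;
# the report itself does not list the registry locations it modifies.
function Get-TamperIndicators {
    $findings = @()
    # Properties that Get-ItemProperty adds itself; they are not registry values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Policy values that disable Task Manager / the registry editor when set to 1.
    $policyValues = 'DisableTaskMgr', 'DisableRegistryTools'
    $policyKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($key in $policyKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }          # key absent: nothing disabled here
        foreach ($name in $policyValues) {
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $findings += [pscustomobject]@{
                    Type = 'ToolDisabled'; Key = $key; Name = $name; Data = 1 }
            }
        }
    }

    # Autostart entries that launch at every logon; listed for manual review,
    # since a legitimate system also has entries here.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $findings += [pscustomobject]@{
                Type = 'Autostart'; Key = $key; Name = $p.Name; Data = $p.Value }
        }
    }
    $findings
}

Get-TamperIndicators | Sort-Object Type, Key | Format-Table -AutoSize -Wrap
```

Any `ToolDisabled` row on a machine where no administrator set that policy deserves follow-up, and the `Autostart` rows should be compared against a known-good baseline.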
Mimbot.A is designed to close MSN Messenger windows while it sends messages for contacts to accept an infected file with a copy of the worm.
It uses several sentences in different languages to create the messages, for example: “Debo utilizar este cuadro en msn?”; “Was denken Sie an diese?”; “que pensez-vous” or “check it out, i shaved my head :|”.