Panda Software weekly report on viruses and invasions


21st April 2007

This week's PandaLabs report examines the Trojans Cimuz.EL and Gogo.A and two worms, UsbStorm.A and Nurech.Z. In addition, Microsoft has released 5 new security patches this week.

Cimuz.EL accounted for 57% of all malware samples reaching PandaLabs hourly last week. Cimuz.EL is designed to steal all types of passwords from computers. This malicious code is distributed in stages. First, the computer is infected by one part of the code, which then installs the other components of the Trojan. These components perform most of the malicious actions on the computer: they steal and save information about the infected computer (passwords to e-mail and other programs, data on the hardware and software, IP, location, etc.), embed a DLL in Internet Explorer and collect all the data that users enter in online forms. Cimuz.EL then periodically sends all the collected information to its creator through a web server.

The Gogo.A Trojan is a new malicious code designed to steal the data users type on the keyboard while on the Internet. To do this, it installs itself as an additional module in Internet Explorer and keeps records of user activity. When a user types certain keywords, Gogo.A is activated and begins to record keystrokes. Gogo.A then sends the collected information to its creator through a web page. This Trojan also uses rootkit techniques to hide its processes and avoid detection, which makes it more dangerous.

“Theft of passwords, which is the purpose of these two Trojans, is precisely in line with the dynamics of malicious software. Using the information obtained, cyber-criminals can gain access to confidential information or bank accounts. Now Trojans tend to be used precisely for such purposes, because these codes are more hidden than others - for example, phishing”, explains Luis Corrons, the technical director of PandaLabs.

UsbStorm.A is a worm that spreads by copying itself to portable media, such as USB memory cards. When one of these media is connected to a computer, the worm is activated and infects the PC. UsbStorm.A loads itself into the computer's memory, where it waits for new media to spread to. It remains on the computer and tries to update itself by downloading new versions from various web pages.

Nurech.Z is a worm that reaches computers in e-mail messages with various subject lines related to the massive spread of malware: "Attack of worms!", "Spy Alert!", "Viral Alert!", etc. The sender is shown as 'Customer Support' in order to make the user believe that the message came from a reliable source. The worm is hidden in a password-protected .ZIP file attached to the message, and poses as a security patch to protect against the malicious software that supposedly caused the alarm. The password is contained in a .gif file rather than in a text file in order to make it difficult to discover.

“In order not to arouse suspicions, the creator of this code explains that the patch was archived to protect against the worm. Thus, he tries to trick naive users and convince them to open the file”, explains Corrons.

Nurech.Z is also designed to terminate certain security, monitoring and debugging tools. It searches the computer for e-mail addresses to which it sends the infected messages. Moreover, the worm has two rootkits: one hides its processes to make detection harder, and the other looks for e-mail addresses, creates .gif files with passwords and sends spam.

Microsoft has released its April security patches: there are five, and four of them have been rated as “critical”. One of them eliminates two vulnerabilities in Microsoft Content Management Server. The third gap is in Universal Plug and Play, and it affects only Windows XP. The fourth gap was found in Microsoft Agent, and affects the latest versions of Windows, except for Vista. The fifth vulnerability has been found in CSRSS (Windows Client/Server Runtime Server Subsystem); it affects the latest Windows versions, including Vista and Vista x64. All these vulnerabilities allow attackers to run code on, or remotely control, the target computers. The fifth patch, which was rated not “critical” but merely “important”, fixes a vulnerability in the Windows kernel. This security gap may be used by a remote hacker to elevate privileges on an infected computer.
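The Nurech.Z delivery pattern described above (a password-protected .ZIP attachment with the password carried in a separate image) can be flagged at a mail gateway. The following is an added example, not code from PandaLabs or the original report; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

def zip_is_encrypted(data):
    """True if any archive member has the ZIP 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def flag_message(raw):
    """Return the reasons a message matches the lure pattern (empty if none)."""
    reasons, has_image = [], False
    for part in message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""  # None for containers
        if name.endswith(".zip") and zip_is_encrypted(payload):
            reasons.append("password-protected archive: " + name)
        elif part.get_content_maintype() == "image" or name.endswith(".gif"):
            has_image = True
    if reasons and has_image:
        reasons.append("image alongside archive (possible password carrier)")
    return reasons

def build_sample(encrypted):
    """Constructed test message: a harmless ZIP (optionally flagged as
    encrypted) plus a stub GIF. Nothing here is taken from a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1                                   # local header flags
        data[data.find(b"PK\x01\x02") + 8] |= 1        # central directory flags
    msg = EmailMessage()
    msg["From"] = "Customer Support <support@example.invalid>"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="patch.zip")
    msg.add_attachment(b"GIF89a", maintype="image",
                       subtype="gif", filename="pw.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    for reason in flag_message(build_sample(encrypted=True)):
        print(reason)
```

A gateway cannot scan inside an encrypted archive, so the encryption flag combined with an accompanying image is the signal; such messages are better quarantined for review than delivered.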





Copyright © 2009 Software Pick Network. All rights reserved