PandaLabs: week report on viruses and intrusions

This week on the traditional report of PandaLabs Trojans Therat.B and Alanchum.UG, backdoor-trojan Redirection.A and worm TellSky.A are considered. Therat.B is keyboard trojan elaborated for a record of keys pressed by user. It gets to a computer through e-mail, downloads, etc. It also has an extremely dangerous function, which allows it to steal passwords stored in AutoComplete of user â€˜s internet-browser, which is used to automatically inserting of userâ€™s name and password in online forms after entering of the first one or two letters. The aim of Therat.B is stealing usernames, passwords, web-addresses, etc. Then the collected information is sent to the developer of trojan by e-mail. Therat.B also modifies the contents of Windows registry in order to be run when you boot computer. Alanchum.UG is one of the members of Alanchum family, one of the most active species of malicious software in the latest months. This software usually gets to computer with another malicious code, which in spite of Alanchum.UG loads also advertising program CWS. It changes the contents of Windows registry in order to be launched when you boot computer. Alanchum.UG is elaborated for sending spam. It searches for all e-mail addresses stored in the infected computer, and then places them on web page. In order to conceal its processes and thus to complicate its detection, trojan uses routkite technology. Malicious code called Redirection.A, like all backdoor-trojans opens in the infected computer â€œbackdoorâ€, and then connects to IRC-server as a result of which the computer is available for remote management. This code could perform a variety of malicious acts: collection of information on the infected system (IP, characteristics, etc.); activation of FTP-server to download and perform on the computer the other malicious files. Redirection.A also elaborated to scan IP ranges in search for computers with the installed VNC-program. This program allows remote control of a computer. If Redirection.A finds computer with installed VNC-program, it is immediately installing in this system. Besides, this trojan can be uninstalled from the computer independently, at the same time removing all created records on the registry, which makes it even more difficult to detect it. And finally, the worm TellSky.A can be copied to the hard drive under such names as Girl.exe or Downloader.exe. It also modifies the contents of Windows registry, in order to start when you boot computer. The first time of booting the worm displays an error message. The purpose of this message is to distract the user, while TellSky.A carries out malicious actions, among which there is the disturbance of the correct work of security. Then the worm tries to connect to a web page from which it can download other malicious files. TellSky.A cuts off some system options, such as â€œlaunchâ€; â€œstartâ€ and â€œfolder stateâ€. Most of these modifications are made in order to reduce the security or block the functions, which can help to localize threat.