Updates
A compilation of the latest information about viruses and worms, security issues
and patches to rectify the same
Sophos reports W32/Poebot-JT
W32/Poebot-JT reported by Sophos is a worm and Internet Relay Chat (IRC) backdoor
that attacks the Windows platform. The worm also has aliases such as Backdoor.Win32.IRCBot.ul,
W32/Backdoor.NYG, W32/Gaobot.worm.gen.e and Win32/IRCBot.TS. Once installed,
it runs in the background, providing a backdoor server and allowing a remote
intruder to gain access and control over the computer via an IRC channel.
Trend Micro reports WORM_IRCBOT.NK
WORM_IRCBOT.NK, TROJ_YABE.AF, TROJ_ZLOB.BPS, TROJ_SMALL.DPO,
TROJ_DLOADER.EQO, BKDR_HAXDOR.AU, WORM_SPYBOT.MO, BKDR_HAXDOOR.JG, VBS_ADODB.AC,
WORM_KELVIR.EH
(Source: Trend Micro; Period: Oct 6 to 11)
WORM_IRCBOT.NK propagates by taking advantage of the Windows vulnerability
listed in Microsoft Security Bulletin MS03-049. Using a random port, it connects
to an IRC server and joins a specific channel, where it listens for commands
from a cracker. These commands are then executed locally on infected machines,
leaving them ripe for further attack. The worm waits for an active Internet connection
and attempts to access a specific Web site to download and execute malware on
the affected system.
Trend Micro reports BKDR_HAXDOOR.KW
BKDR_HAXDOOR.KW is a backdoor Trojan that is either dropped onto a system by
another piece of malware or is downloaded unwittingly by a user who is tricked
into visiting a malicious Web site. It uses rootkit technology to hide its presence
on an infected system and is able to run even when that system is running
in safe mode.
It listens on ports 16016 and 16661, as well as two other random ports, and
allows a remote user to execute commands on the compromised machine. Moreover,
this Trojan monitors the number of times that an infected system connects to
Web sites that contain the following strings: bay, gold or pal. It
also logs keystrokes to steal information, typically user names and passwords
and sends the stolen information to a remote URL by way of a server-side script.
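The two fixed ports named above can be checked against a saved `netstat -ano` listing. The following is an added example, not code from Trend Micro or from the original page; the function name and the sample listing are constructed for illustration, and because the page does not say whether the ports are TCP or UDP, both are checked.

```python
import re

# Fixed ports the page attributes to BKDR_HAXDOOR.KW. Its two other ports are
# random, so they cannot be matched by number.
HAXDOOR_PORTS = {16016, 16661}

# One data row of Windows `netstat -ano`:
# proto, local address:port, foreign address, state (absent for UDP), PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

def find_listeners(netstat_text, ports=HAXDOOR_PORTS):
    """Return (proto, local_addr, port, pid) for sockets bound to `ports`.

    TCP rows count only in the LISTENING state, so an outbound connection
    to a remote port 16016 is not reported. UDP rows have no state column
    and count whenever the local port matches.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, _foreign, state, pid = m.groups()
        if int(port) not in ports:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        hits.append((proto, addr, int(port), int(pid)))
    return hits

# Constructed sample listing (not captured from a real host).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:16016          0.0.0.0:0              LISTENING       1844
  TCP    [::]:16661             [::]:0                 LISTENING       1844
  TCP    192.168.1.5:49733      203.0.113.9:16016      ESTABLISHED     4321
  UDP    0.0.0.0:16661          *:*                                    1844
"""

if __name__ == "__main__":
    for proto, addr, port, pid in find_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} owned by PID {pid}")
```

Since the Trojan is described as hiding itself with rootkit technology, a clean listing taken on the suspect host does not rule it out.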
McAfee reports BackDoor-BAC!55436
BackDoor-BAC!55436 is a Trojan delivered via spam that purports to come
from Walmart. Its aliases are Backdoor.Haxdoor.R (Symantec) and BKDR_HAXDOR.AU
(Trend Micro). It opens a backdoor port on the compromised computer, giving remote
attackers unauthorised access to the machine, and it also posts logged keystrokes
and stolen passwords back to the attacker.
F-Secure reports Viking.H
Viking.H, a variant of Viking, is a virus that creates files in the Windows
directory and downloads and runs a file from http://www.54088.org/backup/[REMOVED]1.exe.
Viking.H kills processes belonging to anti-virus and security software. Once
an infected file is executed, Viking.H will drop the following files in the
Windows directory. It infects files with the extension exe.
In order for the host file to execute, Viking.H creates a
backup copy of itself in the current directory as [filename].exe.exe
and then drops and executes the original uninfected host file as
[filename].exe. It then deletes the uninfected host file
and renames the backup file to the original filename. The virus
is able to do this with the help of a temporary batch file created
in the temporary folder as $$.bat. It terminates the processes that
are often related to anti-virus products.