Panda detects Banker, Tneg trojans, worms


Panda Software’s weekly report this week looks at the Banker.FLO and TnegA.A Trojans, the IrcBot.AIV worm and the WKSSVC hacking tool.

Banker.FLO is a Trojan that monitors the Internet traffic generated when the user accesses web pages related to the following online banks: Banco do Brasil, Bradesco, Itau and Santander Banespa. The Trojan logs the keystrokes made when logging into these websites. It thereby captures the user names and passwords, which are sent by email to the creator of the malicious code.

Banker.FLO cannot spread automatically using its own means and therefore needs an attacker to distribute it. Typically it is spread using floppy disks, peer-to-peer networks, email messages, Internet downloads, etc.

This Trojan is difficult to detect as it does not display any type of message warning of its presence.

The other Trojan is TnegA.A. This is a backdoor Trojan that connects to a server in order to provide remote access to infected computers, compromising confidentiality and preventing users from operating the computer normally.

This malicious code prevents users from accessing certain web pages, in particular those belonging to antivirus companies; it also prevents certain monitoring and configuration tools from running, such as the Windows Registry Editor.
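The two symptoms the report attributes to TnegA.A (antivirus web sites unreachable, Registry Editor blocked) can be checked for on a Windows machine. The script below is an added example and is not Panda Software’s code or part of its analysis; it assumes the Registry Editor block is implemented through the DisableRegistryTools policy value and the web-page block through hosts-file entries, both common techniques, although the report does not state which mechanism TnegA.A uses. The vendor name list is constructed for illustration.

```powershell
# Added example: check a host for two TnegA.A-style symptoms.
# Assumptions (not stated in the report): Registry Editor is disabled via the
# DisableRegistryTools policy value; antivirus sites are blocked via the hosts file.

$findings = @()

# 1. Registry Editor disabled by policy, per-user or machine-wide
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($null -ne $val -and $val -ne 0) {
        $findings += "DisableRegistryTools=$val under $key"
    }
}

# 2. Non-comment hosts-file lines that mention antivirus vendor domains
#    (constructed list; extend it with the vendors relevant to your environment)
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$avPatterns = 'pandasoftware.com', 'symantec.com', 'mcafee.com', 'kaspersky.com',
              'trendmicro.com', 'sophos.com', 'avast.com', 'avg.com', 'bitdefender.com',
              'eset.com', 'f-secure.com', 'windowsupdate.com'

Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object {
        $line = $_
        foreach ($p in $avPatterns) {
            if ($line -match [regex]::Escape($p)) {
                $findings += "hosts entry redirects a security vendor: $line"
                break
            }
        }
    }

if ($findings.Count -eq 0) {
    'No TnegA.A-style symptoms found'
} else {
    $findings
}
```

Run it from an elevated PowerShell session so that the HKLM policy key and the hosts file are readable; any line it prints is a lead for a full antivirus scan rather than proof of this particular Trojan, since other malware families use the same tricks.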

TnegA.A requires the intervention of an attacker in order to spread. As is typical in this type of malware, it can propagate on a range of media including CD-ROMs, Internet downloads or IRC channels.

The IrcBot.AIV worm has backdoor characteristics, as it connects to an IRC server to receive remote commands and execute them on the computer on which it is hosted. To infect other systems, this worm installs its own FTP server on the infected computer.

IrcBot.AIV uses two means of propagation. Firstly, it creates copies of itself in shared network resources to which it has access. Alternatively, it spreads across the Internet exploiting the LSASS, RPC DCOM, and UPnP vulnerabilities. For this reason, it is advisable to download the security patches that fix these vulnerabilities from Microsoft’s website.

WKSSVC is a hacking tool that exploits a vulnerability in the WKSSVC.DLL file on computers with Windows XP/2000. If a computer is vulnerable to WKSSVC, it could allow hackers to run code remotely.

To fix this vulnerability, it is advisable to download and install the patch for the vulnerability in the Workstation Service, included in the Microsoft MS06-070 bulletin. This update can be downloaded free of charge from: http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx.

All users that want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free solution available at: www.pandasoftware.com/activescan. Users can carry out a complete inspection, free of charge, of all the areas of their computers that they suspect may be infected.

For further information about these and other computer threats, visit Panda Software’s Encyclopedia or contact Panda Software Cyprus on +357 22441514, email: [email protected].