Panda Security’s weekly report on viruses and intruders

July 2008 by Panda

PandaLabs’ report this week focuses on the DdonAba.A worm, the Torpig.VIC Trojan, and the OSX/AsTHT.A backdoor Trojan.

DdonAba.A arrives on computers as a file with a characteristic icon. When the user runs that file, it copies an image alluding to the worm's author to the root of the C:\ drive.

At the same time, it writes an Autorun.inf file to the root directory of every drive from F:\ onwards, so that the worm is launched by Windows AutoRun whenever one of those drives is mounted on a system with AutoRun enabled. It also drops a copy of itself into C:\Windows\System32 under the name Abaddon.exe.

Finally, DdonAba.A deletes every file with the .mp3 (audio) or .doc (Word document) extension on the infected drives.
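The footprint described above (an Autorun.inf in the root of each drive from F:\ onwards, an Abaddon.exe copy in System32, and .mp3/.doc files on the affected drives) can be turned into a simple triage check. The following is an added example, not Panda's code and not from the original report. It assumes that the worm's Autorun.inf uses the standard `[autorun]` `open=` or `shellexecute=` directive to name the dropped executable (the report does not quote the file's contents), and it models the drive letters as sub-directories of a temporary folder built inside the script so that it runs on any platform.

```python
"""
Triage check for the DdonAba.A footprint described in the report: an
Autorun.inf in the root of every drive from F:\ onwards, a copy of the worm in
System32 named Abaddon.exe, and the .mp3/.doc files it deletes.

Added example, not Panda's code.  Assumptions: the Autorun.inf carries a
standard [autorun] open= or shellexecute= directive naming the dropped
executable (the report does not quote its contents), and the drive layout is
modelled as sub-directories of a temporary folder so the check runs anywhere.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

SYSTEM32_DROP = "abaddon.exe"            # file name quoted in the report
TARGET_EXTENSIONS = {".mp3", ".doc"}     # extensions the worm deletes


def autorun_target(inf_text: str) -> Optional[str]:
    """Return the program an Autorun.inf would launch via Windows AutoRun.

    Windows honours the open= and shellexecute= keys of the [autorun]
    section; matching is case-insensitive, as INI parsing on Windows is.
    Returns None when the file names no program (e.g. only an icon=).
    """
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                return value.strip().strip('"')
    return None


def scan_drive_root(root: Path) -> dict:
    """Check one drive root for the Autorun.inf, the file it points at,
    and the .mp3/.doc files the worm would delete (or has already deleted)."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    finding = {"autorun_present": inf is not None, "launches": None,
               "payload_present": False, "at_risk": []}
    if inf is not None:
        finding["launches"] = autorun_target(inf.read_text(errors="replace"))
        if finding["launches"]:
            finding["payload_present"] = (root / finding["launches"]).is_file()
    finding["at_risk"] = sorted(
        p.relative_to(root).as_posix() for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS)
    return finding


def find_system32_drop(system32: Path) -> bool:
    """True if the worm's System32 copy (Abaddon.exe) is present.
    Compared case-insensitively, as NTFS and FAT file names are."""
    return any(p.name.lower() == SYSTEM32_DROP for p in system32.iterdir() if p.is_file())


def triage(c_root: Path, other_roots: Dict[str, Path]) -> dict:
    """Run the checks across the C: drive and the drives from F: onwards."""
    return {
        "system32_drop": find_system32_drop(c_root / "Windows" / "System32"),
        "drives": {letter: scan_drive_root(p) for letter, p in other_roots.items()},
    }


def build_sample_layout(base: Path) -> Tuple[Path, Dict[str, Path]]:
    """Constructed layout standing in for an infected machine (not real data):
    C: carries the System32 drop, F: is an infected removable drive, G: is clean."""
    c = base / "C"
    (c / "Windows" / "System32").mkdir(parents=True)
    (c / "Windows" / "System32" / "Abaddon.exe").write_bytes(b"MZ-sample")
    f = base / "F"
    (f / "music").mkdir(parents=True)
    (f / "Autorun.inf").write_text("[AutoRun]\r\nopen=Abaddon.exe\r\nicon=Abaddon.exe\r\n")
    (f / "Abaddon.exe").write_bytes(b"MZ-sample")
    (f / "music" / "song.mp3").write_bytes(b"")
    (f / "notes.doc").write_bytes(b"")
    g = base / "G"
    g.mkdir()
    (g / "photo.jpg").write_bytes(b"")
    return c, {"F": f, "G": g}


def demo() -> dict:
    """Build the constructed layout in a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        c, others = build_sample_layout(Path(tmp))
        return triage(c, others)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real machine you would pass `Path("C:/")` and `{letter: Path(f"{letter}:/") for letter in "FGHIJ..."}` to `triage` instead of the constructed layout. An Autorun.inf whose `open=` names a file that is no longer present is still worth flagging: it shows the drive was infected even if the dropped executable was later cleaned up.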

Torpig.VIC, on the other hand, is a banker Trojan designed to steal financial data from customers of specific online banks.

Once the infected file has been run, the Trojan waits until the user types specific text strings (the names of the targeted banks). It then intercepts the data entered in web forms, redirects network traffic and modifies the replies to the browser's requests.

The captured information is sent to a remote server, from which the attacker can retrieve the stolen data and carry out fraudulent transactions.

Finally, the OSX/AsTHT.A backdoor Trojan targets Apple's Mac OS X, including the Leopard (10.5) and Tiger (10.4) releases.

When run, the backdoor exploits a vulnerability in the Apple Remote Desktop Agent to escalate privileges and obtain administrator rights. It then copies itself onto the system and emails its author to report the infection. It also registers the victim's IP address with a dynamic DNS service, so that the attacker keeps access to the infected computer even if its address changes.

The attacker reaches the compromised machine through a bundled VNC server (Vine Server) and through SSH. The backdoor also starts a web server that hosts the remote control tool.

It drops a keylogger on the system, which can additionally capture images through the built-in iSight camera.

If more than one user account exists on the Mac, it tries to guess their passwords by brute force. It is also designed to disable the firewall and to disable, delete or modify several system log files in order to cover its tracks and hinder detection.
