Panda Security’s weekly report on viruses and intruders
February 2009 by Panda
This week’s PandaLabs report looks at the P2PWorm.AA and Waledac.J worms and the dangerous Sality.AO virus.
P2PWorm.AA is a worm that combines adware and downloader features. On infecting a computer, the malicious code displays ads for software and application downloads.
The worm also downloads other malware strains onto the infected computer. It places these files in P2P file-sharing folders so that other users later download them and become infected; to encourage this, it disguises the files as program cracks, applications and the like.
"It has become increasingly common to see malicious codes presenting features of two or three malware types (worms, adware, Trojans,…). This way, cyber-crooks try to increase the profitability of their infections, attacking users in many different ways", explains Luis Corrons, Technical Director of PandaLabs.
Waledac.J is a worm that sends email using its own SMTP engine. These emails carry a copy of the worm in order to spread it. Waledac.J sends them to all of the infected user's contacts, whose addresses it has previously harvested from the machine.
The worm is also designed to download other malware strains onto the compromised computer. The downloaded files pass themselves off as images, even carrying a .JPG extension, in order to trick users.
Sality.AO is a virus that combines the features of traditional viruses with the objectives of new malware, i.e. generating financial returns for cyber-criminals.
Sality.AO uses techniques that have not been seen for years, such as EPO (entry point obscuring) and cavity infection. Both concern the way the original file is modified when it is infected, and both make the changes harder to detect and harder to disinfect. With EPO, part of the legitimate file runs before the viral code takes control, so the malware is harder to spot. With cavity infection, the virus code is inserted into unused space inside the legitimate file's code, which makes it harder both to locate the virus and to disinfect the file.
Alongside these techniques associated with early malware, Sality.AO includes features typical of current malware trends, such as the ability to connect to IRC channels and receive remote commands, potentially turning the infected computer into a zombie. Such zombie computers can be used for sending spam, distributing malware, denial of service attacks, and so on.
Similarly, the infection is not restricted to executable files, as it was with old viruses, but also seeks to propagate across the Internet, in line with new trends. To this end, it injects an iframe into PHP, ASP and HTML files on the computer. As a result, when any of these files is opened, the browser is redirected, without the user's knowledge, to a malicious page that launches an exploit in order to download more malware onto the computer.
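As an added illustration, not part of the PandaLabs report, here is how a defender might hunt for the kind of injected iframe described above: a Python scanner that walks HTML, PHP and ASP files and flags frames that are hidden, zero-sized or point off-site. The sample files and the malicious.example URL are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed sample web files for this example; malicious.example is a placeholder host.
SAMPLES = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<iframe src="http://malicious.example/x.php" width="0" height="0" '
        'style="visibility: hidden"></iframe>\n</body></html>'
    ),
    "about.php": '<?php echo "hi"; ?>\n<iframe src="/videos/embed" width="640" height="360"></iframe>',
    "contact.asp": '<% Response.Write("ok") %>\n<p>no frames here</p>',
}

SCANNED_SUFFIXES = {".html", ".htm", ".php", ".asp"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def parse_attrs(tag: str) -> dict:
    """Return lowercase attribute name -> value for one opening tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def iframe_findings(content: str) -> list:
    """Flag iframes that are hidden, tiny, or load an external host: the pattern
    of a dropped frame that silently redirects the browser to another site."""
    findings = []
    for tag in IFRAME_RE.findall(content):
        attrs = parse_attrs(tag)
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if re.match(r"(?:https?:)?//", src):
            reasons.append("external src")
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("zero-size frame")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_files(files: dict) -> dict:
    """Scan an in-memory {name: content} mapping; returns only files with findings."""
    results = {}
    for name, content in files.items():
        if Path(name).suffix.lower() in SCANNED_SUFFIXES:
            hits = iframe_findings(content)
            if hits:
                results[name] = hits
    return results


def scan_tree(root: str) -> dict:
    """Scan a real directory tree on disk; errors='ignore' tolerates binary files."""
    return scan_files({str(p): p.read_text(errors="ignore")
                       for p in Path(root).rglob("*") if p.is_file()})


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        for h in hits:
            print(f"{name}: iframe src={h['src']!r} ({', '.join(h['reasons'])})")
```

Run `scan_tree("/var/www")` (or the local document root) to check real files; a legitimate embedded video frame, like the one in about.php, is not reported.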