Panda Security’s weekly report on viruses and intruders
March 2009 by Panda
This week’s PandaLabs report looks at the Nabload.DLU Trojan, the Renus2008 adware and the MSNworm.FZ worm.
Nabload.DLU passes itself off as a funny video to trick users while it downloads another piece of malicious code to the target computer in order to steal online banking details. The process is as follows:
The Trojan reaches the targeted computer as a greetings video. When the user opens the file, the Trojan loads a funny video from the Internet while simultaneously downloading another piece of malicious code, Banker.LRX. This malware is designed to steal login credentials for several online banking entities.
You can watch a video showing what the targeted user would see while being infected: http://www.youtube.com/watch?v=OaQhFhVX6yI
Nabload.DLU also modifies the Windows Registry so that it runs every time the user restarts the computer. This way, it ensures it is always active on the system.
Renus2008 is adware of the fake antivirus type. Once run, it shows a screen simulating a computer scan. The malicious code offers the choice of a quick or an in-depth scan of the computer. Users can also configure different aspects of the fake antivirus as if it were a real one.
Once the fake scan finishes, a warning message is displayed indicating that some infected files have been found on the system. However, these files do not exist.
Users are offered the option to disinfect their computers through the "Remove Viruses" button on the scan screen. If they do so, a window is displayed inviting them to register and buy the paid version of the fake antivirus.
"If the user buys the paid version, they are paying for a product that actually does nothing and which, in some cases, can’t even be downloaded", explains Luis Corrons, Technical Director of PandaLabs. "This is one more example of how cyber-crooks try to trick users in order to get their money".
MSNworm.FZ is a worm that spreads through the instant messaging program MSN Messenger. It attaches itself to messages, passing itself off as a picture file, and sends itself to the victim’s contact list.
To trick users, once run it shows an error message indicating that the "picture can not be displayed".
The worm also modifies the Microsoft Internet Explorer home page and creates a key in the Windows Registry to ensure it is run every time the session is started.