Panda Security’s weekly report on viruses and intruders
September 2009 by Panda Security
This week’s PandaLabs report looks at a worm, a program for creating Trojans and a new fake antivirus.
Vobfus.A is a worm that spreads through USB drives and shared folders. When run, it first makes a series of copies of itself in several directories and connects to certain Japanese Web pages, from which it downloads files related to adware. When a USB device is connected, the worm creates a series of shortcuts that run the infected file, which is itself hidden. It also creates an autorun file on the USB drive in order to spread. One interesting thing about this malicious code is that it makes certain modifications to the registry, installing language packs that allow the operating system to recognize characters in Chinese and Japanese. Thanks to this, the worm can redirect the Internet browser to pages in Chinese, interpreting them and downloading files. It also creates a key in the registry to ensure it is run every time the system is started up.
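The USB behaviour described above (an autorun file plus shortcuts pointing at a hidden file) can be checked for on a removable drive. The following is an added example, not part of the PandaLabs report: the set of autorun keys, the extension list and all sample file names are assumptions constructed for illustration, not indicators taken from Vobfus.A.

```python
import os, re, stat, tempfile

# Keys in autorun.inf that cause a program to run (assumed set for this example).
EXEC_KEYS = re.compile(r"^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+?)\s*$", re.I)
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

def is_hidden(path):
    # Windows hidden attribute where the OS reports it; dot-prefix as a stand-in elsewhere.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")

def triage_drive(root):
    """Return findings for the top level of a removable drive or a mounted image of one."""
    findings, names = [], os.listdir(root)
    for name in names:
        path = os.path.join(root, name)
        if name.lower() != "autorun.inf" or not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line in fh:
                m = EXEC_KEYS.match(line)
                if m:  # an entry that launches a file when the drive is opened
                    findings.append(("autorun-exec", m.group(1).lower(), m.group(2)))
    hidden = sorted(n for n in names if os.path.splitext(n)[1].lower() in EXEC_EXT
                    and is_hidden(os.path.join(root, n)))
    links = sorted(n for n in names if n.lower().endswith(".lnk"))
    if hidden and links:  # visible shortcuts sitting beside a hidden executable
        findings.append(("shortcuts-with-hidden-exe", links, hidden))
    return findings

def build_sample(root):
    """Constructed sample layout; file names are invented, not taken from the report."""
    inf = "[autorun]\nopen=.update.exe\nicon=folder.ico\nshell\\open\\command=.update.exe\n"
    files = {"autorun.inf": inf.encode(), ".update.exe": b"MZ",
             "Documents.lnk": b"", "Pictures.lnk": b"", "notes.txt": b"hello"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for finding in triage_drive(d):
            print(finding)
```

Point `triage_drive` at the drive letter or mount point of a device attached to an analysis machine with AutoRun disabled; an empty list means neither pattern was found at the top level.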
KeyLogger.FT is a program for building keylogger Trojans. These programs capture keystrokes and then send the information to an email account, with details about where the information has been entered. The Trojan builder lets users include features such as automatic activation on system restarts or uninstallation on a certain date. It also includes the option to disable the Task Manager on the infected PC or close it as soon as it is opened.
We end this week’s report with WinPolicePro, a new example of rogueware. As is typical of these fake antivirus programs, it tries to convince users that their systems are infected, are being hacked or contain vulnerabilities. Users who fall for the ruse are taken to a screen in which they are asked to enter their credit card details. This way, in addition to paying for a disinfection they will never receive, they also hand over confidential information to cyber-crooks.