A new email worm called Redlof.B, or VBS_Redlof.B, is making the rounds Wednesday, Panda Software and Trend Micro report.

This new malicious code is a variant of Redlof.A, which tops the list of viruses most frequently detected in Asia. Although it has similar characteristics to its predecessor, Redlof.B uses a different encryption routine and is classified as a polymorphic worm, meaning its code takes a different form from one infection to the next.

The new worm has no destructive payload -- its main objective is to infect as many computers as possible, which it does quite effectively. Once installed on the computer, Redlof.B copies its code into HTT files, which the operating system uses to display system folders as web pages. Every time the user opens a folder, the worm code executes and infects any of the following file types: ASP, HTML, HTM, VBS, PHP and JSP.

Redlof.B spreads by e-mail, hiding its code in the background design (stationery) of messages sent from the Microsoft Outlook e-mail client. Once the e-mail has been received, it exploits a known vulnerability in the VM ActiveX component, through which the virus can execute simply by the recipient viewing an infected HTML page.

Finally, Redlof.B will create new entries in the Windows registry so that it can execute itself every time the computer is booted.

For more information, visit this Trend Micro page.

Backdoor Trojans Appear

Symantec is reporting the appearance of two backdoor Trojans: Backdoor.Zdemon and Backdoor.Talex. The former allows a hacker to remotely control your computer.

Backdoor.Zdemon can listen on any port, though by default it listens on ports 31556 and 6051. Although Symantec is rating Backdoor.Zdemon as a low distribution threat, the damage potential is significant. The Trojan opens a port allowing a hacker to remotely control the infected computer and do any of the following:

  • Terminate processes with names that match certain antivirus and firewall products.
  • Send files, including itself, by email and by accessible network shares.
  • Use a built-in FTP server to gain file access to the infected computer.
  • Log keystrokes.
  • Take screenshots.
  • Execute arbitrary commands.
  • Send confidential information, including:
    -- ICQ information, including your Unique Identification Number (UIN).
    -- Computer system information.
    -- Dial-up networking passwords.

Read technical details and recommendations here.

Backdoor.Talex allows complete access to an infected computer. It is written in the Delphi programming language and is packed with ASPack. Symantec is rating the Trojan as a low damage and distribution threat.

For technical details on what happens when Backdoor.Talex is launched, visit this Symantec page.

Backdoor Novabot Allows Remote Control

Novabot, an IRC backdoor, allows remote control of the system via an IRC channel, according to F-Secure. On request, the IRC component can be instructed to scan a block of IP addresses from the infected machine; the scan attempts to connect to each address using a predefined list of username and password combinations.

If authentication succeeds, "files.exe" is executed on the remote machine, infecting it. "files.exe" is a setup package that installs the backdoor to "C:\winnt\INF\other" and runs "taskmngr.exe", a repacked mIRC client. That mIRC client then loads "nt32.ini" in place of the standard "script.ini" used by mIRC.

The backdoor then connects to the IRC server and joins a predefined channel, generating a random nickname of four characters and five digits for each infected machine. It sets itself to start on reboot by adding the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Run32dll

The backdoor then waits for commands, which include the ability to download and execute programs. To view the list of predefined username and password combinations, visit this F-Secure page.
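The persistence and listening-port details reported above (the Novabot Run key value and install path, and the Zdemon default ports) are the kind of indicators an administrator can check for on a host. The following Python script is an added example and is not code from the advisories or from any vendor named on this page: it parses a constructed `reg export` of the Run key and a constructed `netstat -an` listing (both sample data, not real captures) and flags entries that match the indicators quoted on this page. The helper names and the sample data are assumptions made for illustration.

```python
import re

# Indicators as reported in the advisories summarised on this page.
ZDEMON_DEFAULT_PORTS = {31556, 6051}          # Backdoor.Zdemon default listening ports
NOVABOT_RUN_VALUE = "Run32dll"                # value name under ...\CurrentVersion\Run
NOVABOT_INSTALL_DIR = r"c:\winnt\inf\other"   # install directory (compared case-insensitively)
NOVABOT_FILES = {"taskmngr.exe", "nt32.ini", "files.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a 'reg export' of the Run key (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Run32dll"="C:\\winnt\\INF\\other\\taskmngr.exe"
"""

# Constructed sample of 'netstat -an' output (not a real capture).
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6051           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31556          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       10.0.0.9:80            ESTABLISHED
"""


def parse_run_entries(reg_text):
    """Return {value_name: command} for the HKLM Run key in a .reg export."""
    entries = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg files write each backslash in a string value as '\\'
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def find_novabot_persistence(reg_text):
    """Flag Run entries matching the Novabot indicators (value name, path, file names)."""
    findings = []
    for name, command in parse_run_entries(reg_text).items():
        cmd = command.lower()
        reasons = []
        if name == NOVABOT_RUN_VALUE:
            reasons.append("value name " + NOVABOT_RUN_VALUE)
        if NOVABOT_INSTALL_DIR in cmd:
            reasons.append("install dir " + NOVABOT_INSTALL_DIR)
        if any(f in cmd for f in NOVABOT_FILES):
            reasons.append("known file name")
        if reasons:
            findings.append((name, command, reasons))
    return findings


def find_zdemon_listeners(netstat_text):
    """Return the sorted Zdemon default ports that appear in LISTENING state."""
    hits = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in ZDEMON_DEFAULT_PORTS:
                hits.add(port)
    return sorted(hits)


if __name__ == "__main__":
    for name, command, reasons in find_novabot_persistence(SAMPLE_REG_EXPORT):
        print("Run entry %r -> %r matches: %s" % (name, command, ", ".join(reasons)))
    print("Zdemon default ports listening:", find_zdemon_listeners(SAMPLE_NETSTAT))
```

Two caveats follow directly from the advisories: Zdemon can be configured to listen on any port, so the port check only catches default installations, and the registry check covers only the HKLM Run key named on this page, so a clean result from this script is not proof of a clean host.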

Compiled by Esther Shein.