A backdoor Trojan that gives an attacker unauthorized access to your computer and modifies your system registry is a minor threat, according to Symantec.

Backdoor.Hitcap consists of two components: an executable file packed with ASPack v1.06, and a .dll file packed with PECompact 1.50. Symantec Security Response has received several submissions of Backdoor.Hitcap, which has been distributed in the form of an email message with a viral VBScript. Symantec antivirus products detect the script that drops Backdoor.Hitcap as Trojan dropper or Trojan.Downloader.Inor.

In addition to compromising security settings, Backdoor.Hitcap modifies the system registry. Symantec is giving the Trojan an overall low threat rating. For technical details, check here.

Bagif Worm Attempts to Infect EXE, SCR Files

Bagif is a polymorphic parasitic virus-worm that utilizes EPO (entry point obscuring) techniques, according to F-Secure.

Once the infected file is run, it creates a file named NTLOADER.EXE in the Windows System folder and modifies the EXE file startup key in the System Registry:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@ = "%winsysdir%\ntloader.exe "%1" %*"

The NTLOADER.EXE file acts as a virus dropper and is activated every time a user of an infected computer runs an EXE file. The virus then creates a file named WIN32S.EXE in the Startup folder of the current user:

\Start Menu\Programs\Startup

On Windows 9x systems this folder is located in the main Windows folder. In Windows XP and 2000 it is located in the following location:

\Documents and Settings\%profile%\

In Windows NT this folder is located in the following location:

\WinNT\Profiles\%profile%\

The %profile% is the current user's profile name. The dropper is copied to the Startup folder so that it starts every time Windows starts. Read more about the worm's impact on this F-Secure Web page.
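A defender can spot the registry change described above by comparing the exefile open command with the stock Windows default, "%1" %*. The following is an added example, not code from F-Secure or from the original article: it parses the text of a registry export and flags any executable file class whose handler differs from that default. It goes beyond the exefile key by also checking comfile, batfile and cmdfile, which share the same default; the sample export and the C:\WINDOWS\SYSTEM path are constructed for illustration.

```python
import re

# Stock default open command for executable file classes on Windows.
EXPECTED = '"%1" %*'
WATCHED = ("exefile", "comfile", "batfile", "cmdfile")

# Constructed sample of .reg export text; the install path is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\ntloader.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def unescape(value):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', value)


def default_commands(reg_text):
    # Map each file class to the default value of its open command key.
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
        elif current:
            m = DEFAULT_RE.match(line)
            if m:
                found[current] = unescape(m.group(1))
    return found


def hijacked_handlers(reg_text):
    # Return the watched classes whose handler is not the stock default.
    return {cls: cmd for cls, cmd in default_commands(reg_text).items()
            if cls in WATCHED and cmd != EXPECTED}


if __name__ == "__main__":
    for cls, cmd in hijacked_handlers(SAMPLE_REG).items():
        print(f"{cls}: unexpected open command: {cmd}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to hijacked_handlers.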

Friend Greetings E-Card a New Form of Spam

F-Secure is also reporting a huge number of inquiries about the Friend Greetings software, which is not a virus or a worm, but an unsolicited e-mail advertisement. According to reports, the suspicious email messages began arriving at the end of last October and looked like this:

From:
To:
Subject: you have an E-Card from .
Greetings!
has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You can pickup your E-Card at the FriendGreetings.com by clicking on the link below.
http://www.friendgreetings.com/pickup/pickup.aspx?code=&id=
Message:
------------------------------------------------------------
,
I sent you a greeting card. Please pick it up.

In many cases the was missing from a message. When a recipient clicked on the link, the Friend Greetings Setup software was downloaded and activated on his computer. That software package was created by Permissioned Media Inc. for advertising purposes. This company appears to be operating from Panama.

During installation, the Setup program shows a disclaimer that the software would access a user's Microsoft Outlook address book to send a message to all e-mail addresses it contained. If the user clicks the 'Yes' button, installation continues and the software sends e-mails in the user's name to all of his contacts.

If you've been hit by Friendgreetings and want to get rid of it, check this F-Secure page.

Compiled by Esther Shein.