
Death of the Nothing Doing Worm

Date: 07/13/2008
Author: Andrei Bereczki

We know, it's sad but true. Last week's super-star, "the worm that does nothing", has slowly declined in its spread.

We've been following its evolution; however, it seems the last version has only one additional feature: it can update itself to the latest version. It does this by exploiting the adodb.stream vulnerability in Internet Explorer to download a file from several hosts; that file contains instructions on the location of the new version. Although BitDefender has detected this e-threat since January under the name VBS.Worm.Runauto.E, it has not changed since. It seems its development stopped at version 10.0.
 
Nevertheless, this week's malware evolution hasn't stopped with our friendly worm. Next we will look at a worm called Win32.Antiman.N. A victim infected with it will surely be rid of a certain genre of music called "manele". It searches the entire hard disk for most "manele" artists and deletes their files. Next it adds a lot of entries to the %windir%\system32\drivers\hosts file to block social networking websites, like hi5 and netlog, and many free download websites that provide this genre of music. It will also send itself to the whole Yahoo Messenger contact list using a set number of strings in Romanian that say something like: "I found a great new program for winamp (or for pictures)".
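As an added defender-side illustration (not code from the original review), the following Python script audits a hosts file for the kind of blocking entries described above, where legitimate sites are pointed at a loopback or unspecified address; the sample hosts content is constructed for the example, not taken from the worm.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a hosts file after a blocking-style modification
# (the real entries written by Win32.Antiman.N are not listed on the page).
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1 hi5.com
127.0.0.1 www.hi5.com
0.0.0.0 netlog.com
127.0.0.1 example-download-site.test   # hypothetical site name
"""

# Hostnames that legitimately map to loopback; any other name pointed at a
# loopback/unspecified address is treated as a blocking entry.
BENIGN_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, dropping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, no hostname
        ip, *names = parts                     # one address, many hostnames
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs

def find_blocking_entries(text: str) -> List[Tuple[str, str]]:
    """Flag hostnames redirected to a loopback or unspecified address."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))         # unparsable address: suspicious
            continue
        if name in BENIGN_LOCAL:
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((ip, name))
    return flagged
```

Run `find_blocking_entries` over the contents of the live hosts file to list every site the machine can no longer resolve normally.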
 
This Trojan is probably part of the Storm Worm spreading network. It uses several layers of encryption to hide itself from antivirus products. After deciphering its content, BitDefender Security Labs found that it tries to download and execute a piece of malware on the victim's computer using three different Internet Explorer vulnerabilities. We strongly advise keeping the software and security solutions on your computer up to date, unless you want to have a zombie computer in the house.
 
Shortly after Trojan.JS.Encrypted.A made its appearance, this new version of Peed (also known as Storm Worm) showed up and started creating havoc among its victims. After infection it copies itself into the Windows directory and adds registry entries to run at system startup (under the name "msserv.exe" or "msssecurity.exe"). It synchronises the system time in order to be "in tune" with the rest of the infected network. It also adds itself to the Windows Firewall exception rules so that users don't notice its presence when working online.
 
This e-threat also has backdoor capabilities: a remote attacker can send spam emails using its SMTP engine, retrieve system information from the compromised computer, download and execute other malware, and update itself.
 
It searches the hard drives for email addresses in certain email message files and sends emails to those addresses, with some exceptions (it will not send emails to addresses containing the strings @microsoft, f-secur, kasp, @messagelab and so on).
 
This e-threat is a trojan downloader. It opens a new instance of Internet Explorer, injects it with its own code in order to avoid firewall detection, and uses it to download new malware. In the wild it has been associated with Trojan.Swizzor, which basically means it downloads Trojan.Swizzor onto the victim's computer. Trojan.Swizzor is an ad-serving trojan. It has also been reported that Trojan.Obfuscated.LA opens certain websites with Internet Explorer at random times.
 
 
Exploit.SWF.Gen
Discovered on the 28th of May, this exploit has come a long way since, reaching our top 10 in 8th place. It is an exploit for Adobe Flash Player up to, but not including, version 9.0.124.0. If a malformed SWF object is supplied, arbitrary code can be executed on vulnerable machines. It has been spotted in the wild downloading and running password-stealing trojans, mostly for online games like WoW and Lineage.