   Author  Topic: Nachi.A, Panol.B and Caraga  (Read 368 times)
Ian
Nachi.A, Panol.B and Caraga
« on: Aug 22nd, 2003, 12:39pm »

Nachi.A (W32/Nachi.A), Panol.B (W32/Panol.B), and the Caraga (W97M/Caraga) macro virus. Just make sure you don't run the Nachi.A virus thinking it's doing you any favours by removing Blaster...
 
Nachi.A is designed, like the infamous Blaster worm, to exploit the RPC DCOM vulnerability that affects some versions of the Windows operating system. Nachi.A does not spread by e-mail. It incorporates a TFTP (Trivial File Transfer Protocol) server that allows it to attack remote computers via TCP/IP in order to cause a buffer overrun in the targeted machine. As a result, the affected computer will download a copy of the worm. Nachi.A, whose origin seems to be China, can also exploit the WebDav vulnerability.  
 
Nachi.A has an unusual feature: it uninstalls the Blaster worm from computers affected by this malicious code, killing its processes and deleting the file that contains the worm. Besides, it downloads and installs the Microsoft security patch that fixes the RPC DCOM vulnerability. Finally, it deletes itself when the year of the system date is 2004.
 
Panol.B looks on the infected computer's hard drive for files with an extension starting with HTM. Then, it searches these files for e-mail addresses which begin with the string "mailto:." and sends itself out to them. Once installed on the affected computer, Panol.B stays memory resident and tries to carry out different actions depending on the system date: restarting the computer or disabling the mouse and the keyboard.
 
Caraga infects Word documents using the normal means of infection used by macro viruses. Firstly, it infects the global template (NORMAL.DOT file) and then it infects all the documents that are opened, closed or saved on the affected computer.
 
Caraga also hides or disables many options of the Tools menu: Visual Basic Editor and toolbar, Macros, Control Box toolbar, shortcut keys, etc.