   Mischel Internet Security Forum
Topic: IRCBot.D, Ruledor.A and Pup.A, plus new worms (Read 590 times)
Ian
« on: Oct 10th, 2003, 7:53pm »

Trojans (IRCBot.D, Ruledor.A and Pup.A), the worm Gaobot.S and two new versions of Gibe.C.
 
IRCBot.D sends itself out via e-mail in a message with the subject 'Last Update' and an attachment called 'NAV32.EXE', which tries to trick the user into thinking that it has been sent by an antivirus company. When the attached file is run, IRCBot.D goes memory resident and connects to an IRC channel. From this channel, this malicious code receives commands to carry out the following actions, among others: redirect ports, download and run files, scan ports, launch Denial of Service (DoS) attacks and send itself to other IRC channels.
 
Ruledor.A installs different variants of the Trojan Istbar, adds a toolbar to the Internet Explorer browser, displays advertising pop-up windows and, due to programming errors, sometimes ends the process belonging to Internet Explorer. When the user types a web address in Internet Explorer, Ruledor.A checks if there is a similar address among its advertisements and if there is, it redirects the user to this web address.
 
Pup.A goes memory resident and opens different advertising web pages in Internet Explorer whenever it is run. When the user tries to close them, the Internet Explorer window is minimized, pointing to a web page that contains a PHP routine. This routine accesses certain web addresses, without the user realizing, and sends out information on the creator of the Trojan, who receives money in exchange for the number of visits received.
 
Gaobot.S is a worm that has backdoor characteristics and infects Windows XP/2000/NT computers. In order to spread to as many computers as possible, this worm exploits the RPC DCOM and WebDAV vulnerabilities. It also spreads by trying to copy itself to shared network resources, which it tries to access using typical passwords. When it is run, Gaobot.S connects to a specified IRC server through port 6667 and waits for control commands.
 
Gaobot.S ends processes belonging to antivirus programs, firewalls and system monitoring tools, leaving the affected computer vulnerable to the attack from other viruses or worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster. Due to its backdoor characteristics, Gaobot.S can also obtain information on the affected computer, run files on it, launch Distributed Denial of Service (DDoS) attacks, upload files via FTP, etc.
 
Two new versions of the Gibe.C worm have been detected. This malicious code spreads via e-mail, the P2P file sharing program, KaZaA, shared network drives and IRC. The differences between the original worm and these new versions are that they are compressed with UPX and the texts displayed when the worm is run and sent.
claire
Re: IRCBot.D, Ruledor.A and Pup.A, plus new worms
« Reply #1 on: Oct 12th, 2003, 6:49am »

Thanks for the info Ian :)

Claire