Madrid, October 20, 2006 – This week’s report looks at the Sinowal.CR and Briz.R Trojans and at the Sohanat.U worm.
Sinowal.CR is designed to collect confidential information from the computers it infects, such as passwords and other data stored in Protected Storage, or from email clients including Ak-Mail, Eudora and The Bat.
Sinowal.CR also compiles information about the compromised computer, such as its IP address, computer name, geographical location and open ports, and then sends the stolen data to certain Internet servers.
As with most Trojans, Sinowal.CR cannot spread by itself and relies on a malicious user to distribute it. Distribution vectors vary and include floppy disks, infected CD-ROMs, email attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.
Briz.R is a highly dangerous Trojan designed to give cyber-crooks complete remote control of compromised computers and to redirect users to spoofed web pages designed to steal confidential data. This malicious code stems from the scheme, detected and dismantled by PandaLabs a few months ago, in which customized versions of Briz were created and sold to order.
The Briz.R attack begins with the installation of a file called iexplore.exe (named to resemble the Internet Explorer executable), which checks whether an Internet connection is available. If so, it downloads another file, ieschedule.exe, which stores parameters associated with the Trojan, such as the port used for sending stolen data.
Another downloaded component, ieserver.exe, creates a web server on the computer. Its purpose is to redirect users to spoofed web pages, designed to steal personal data, whenever they try to visit certain Internet addresses, mostly related to online financial services. If a user enters data on these pages, the Trojan captures the information and sends it to the cyber-crooks. The web server also gives the attackers remote control of the computer through a PHP application called phpRemoteView, which the Trojan installs.
Briz.R also modifies the system hosts file to prevent access to numerous security-related web pages.
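A hosts-file tampering check of the kind Briz.R's behaviour calls for, written as an added example for this report (it is not PandaLabs code and does not reproduce the Trojan's actual domain list). It parses a hosts file, flags any entry that pins a watched security-vendor domain to a fixed address, and separately flags any hostname other than localhost that is mapped to the loopback address. The sample hosts file and the watched-domain list are constructed for the example; on a real Windows machine the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
from typing import List, Tuple

# Hostnames a clean Windows hosts file legitimately maps to loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative watch list (constructed for this example; the real list used by
# Briz.R is not reproduced here). Subdomains of these names match as well.
WATCH_DOMAINS = [
    "pandasoftware.com",
    "windowsupdate.microsoft.com",
    "example-av-vendor.com",
]

# Constructed sample: a default Windows hosts file with four injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.pandasoftware.com   # injected (constructed)
127.0.0.1       update.example-av-vendor.com
0.0.0.0         windowsupdate.microsoft.com
127.0.0.1\tdownload.example-tools.net
"""


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # malformed address; not loopback as far as we can tell


def _matches_watch(host: str, watch: List[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)


def audit_hosts(text: str, watch_domains: List[str] = WATCH_DOMAINS
                ) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, ip, hostname, reason) for every suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()                  # handles spaces and tabs
        if len(parts) < 2:
            continue
        ip, hostnames = parts[0], parts[1:]   # one address, one or more names
        for host in hostnames:
            h = host.lower()
            if _matches_watch(h, watch_domains):
                findings.append((lineno, ip, host,
                                 "watched domain pinned in hosts file"))
            elif _is_loopback(ip) and h not in LEGIT_LOOPBACK:
                findings.append((lineno, ip, host,
                                 "non-localhost name mapped to loopback"))
    return findings


if __name__ == "__main__":
    for lineno, ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {host} -> {reason}")
```

The second rule is deliberately generic: whatever the watch list misses, a name that is not localhost but resolves to 127.0.0.1 or ::1 is worth a look, because it either blocks the site or hands the request to something listening locally. To audit a live machine, read the file with `open(path, encoding="utf-8", errors="replace")` and pass its contents to `audit_hosts`.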
Finally, Sohanat.U is a worm that spreads via instant messaging programs including Yahoo Messenger, AIM and Windows Live Messenger. It sends messages such as "Download free MP3s" containing a link that downloads a copy of the worm onto the computer when the user clicks on it.
Once it has infected the computer, the worm terminates the processes of certain security applications and changes the Internet Explorer home page.
Sohanat.U also disables the Windows Task Manager and the regedit.exe program to prevent users from removing it from the computer.
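The Task Manager and regedit lockout described above is normally done through two standard Windows policy values, DisableTaskMgr and DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, and the Internet Explorer home page is the "Start Page" value under HKCU\Software\Microsoft\Internet Explorer\Main. The following added example (not PandaLabs code, and not a claim about which exact keys this worm writes) parses a .reg export of those keys and reports the three indicators. The export text and the home-page allowlist are constructed for the example.

```python
import re
from typing import Dict, List

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Home pages treated as benign (constructed allowlist; tune per environment).
KNOWN_GOOD_HOMEPAGES = {"about:blank", "http://www.msn.com/"}

# Constructed .reg export showing the indicators a Sohanat.U-style worm leaves.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://free-mp3s.example/start.html"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"""

# "Name"=value  or  @=value (default value); quoted names may contain \" escapes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of the .reg format used here: [keys], dword and string values.

    Key paths and value names are lower-cased because the registry is
    case-insensitive. Other value types (hex:, hex(2): ...) are kept as raw text.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            value: object = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"') and len(rhs) >= 2:
            value = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = rhs
        keys[current][name] = value
    return keys


def check_sohanat_indicators(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a human-readable finding per indicator present in the parsed export."""
    findings = []
    policy = reg.get(POLICY_KEY.lower(), {})
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if policy.get(name.lower()) == 1:
            findings.append(f"{name}=1 under Policies\\System")
    start = reg.get(IE_MAIN_KEY.lower(), {}).get("start page")
    good = {h.lower() for h in KNOWN_GOOD_HOMEPAGES}
    if isinstance(start, str) and start.lower() not in good:
        findings.append(f"IE Start Page changed to {start!r}")
    return findings


if __name__ == "__main__":
    for finding in check_sohanat_indicators(parse_reg(SAMPLE_REG)):
        print("INDICATOR:", finding)
```

To run this against a real machine, export the keys with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" policy.reg` (and likewise for `Internet Explorer\Main`), then open the file with `encoding="utf-16"`, since reg.exe writes UTF-16LE with a byte-order mark, and pass the text to `parse_reg`. Finding DisableTaskMgr or DisableRegistryTools set on a home user's account is a strong signal on its own, as neither is set by default.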
For further information about these and other computer threats, visit Panda Software’s Encyclopedia.
About PandaLabs
Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. They are also supported by TruPrevent(tm) Technologies, which acts as a global early-warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis.
According to AV-Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at www.pandasoftware.com/pandalabs.asp).
For more information: http://www.pandasoftware.com/virus_info