Panda Security’s weekly report - Virus, Alerts
May 2008 by Panda
PandaLabs’ report this week focuses on the Perwall.A and Radulambu.C worms, and the Ceckno.J, and HostChange.B Trojans.
Perwall.A is a Trojan that spreads to all removable and mapped drives on the computer. When run, Perwall.A creates copies of itself in several places. It also generates the autorun.inf and Boom.vbs files and creates several entries in the Windows registry to run on every system restart.
One of its symptoms includes opening the c:\windows\web\wallpaper folder which stores desktop wallpaper images.
The Radulambu.C worm reaches computers with a typical image file icon, called Palma.exe. When run, it copies itself in several computer locations and mapped drives. It also creates a folder in C: called Images, where it creates several copies of itself under different names, and creates an autorun.inf file on the hard disk and mapped drives.
Additionally, Radulambu.C generates several entries in the Windows registry. This way, it modifies the Internet Explorer title bar, disables the system recovery or conceals file extensions.
Ceckno.J is a Trojan is designed to download other malware onto affected computers and act as a backdoor.
This malicious code has a downloader component for downloading malware, and a backdoor component downloaded by the downloader. . When installed on the computer, it creates copies of itself and scans ports until it downloads a backdoor or exhausts the number of possible attempts (15).
With each attempt, the port through which it tries to download malware increases by one.
Once the backdoor component is downloaded, the downloader stops running, preventing the system from detecting infection symptoms. Later on, the backdoor is run and listens on a port.
Finally, HostChange.B is a Trojan that spreads through emails that falsely report the death of, Hugo Chavez, president of Venezuela.
These messages purport to come from a famous communication channel in Venezuela, to gain users’ trust. Additionally, they include links to an alleged video of the fake news story.
However, on clicking the links, a file that contains HostChange.B is downloaded. This Trojan modifies the computer host file, associating the website of a well-known financial company in Venezuela to another one with a false page designed to capture users’ confidential data.