Panda Security’s weekly report on viruses and intruders
May 2009 by Panda Security
PandaLabs’ report this week focuses on three worms: IRCBot.CNE, BckPatcher.C and Boface.BJ.
IRCBot.CNE sends messages to the infected user’s MSN Messenger contacts. Message subjects include:
· Me miro boracho en video que me tomaron en youtube (I see myself drunk in a video on youtube).
· Esta es mi casa de suenos!! (this is my dream house)
· Mira que pedo andaba ayer en la fiesta (look how drunk I was at yesterday’s party)
· No me acuerdo si me dormir con esta vieja??no se que hacer? (I can’t remember if I slept with this woman yesterday. I don’t know what to do)
· Santo Dios creo que eres tu!!!! (Oh my God, I think it’s you!)
These messages include an attachment which is a copy of the worm. On running the file, users are infected with a copy of the worm.
BckPatcher.C on the other hand, is designed to modify the desktop background, the Windows Explorer background and the folder icons. Additionally, every time files with certain extensions are executed (DLL, EXE, JPG or RAR) the worm is run instead of the applications associated to those extensions.
BckPatcher.C spreads through shared, mapped and removable drives, copying itself to them.
You can see images of the modifications carried out by the worm here: http://www.flickr.com/photos/panda_...
The Boface.BJ worm reaches computers in a different way: through email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file-sharing networks, etc. Users are unaware of the infection.
Once the PC is infected, it takes approximately four hours to trigger its payload. It does so when users access log into their Facebook account. Then, it uses the network to send them a message, including the affected user.
On clicking the link users are directed to a page that resembles YouTube (called "YuoTube") in which a video "should" be displayed. However, in order to do so, users are asked to download a player. If users accept, the fake antivirus is downloaded.
Once the download is accepted, the fake antivirus is installed on the computer. It then starts sending users messages informing them their PC is infected and telling them they should buy a solution.
Finally, Panda Security has launched a page for users to relate their experiences with malware (whether they have fallen victim to money or data theft, etc.). Users who send their comments will receive a free download of Panda Internet Security 2009 with two-month services.