Panda Security’s weekly report on viruses and intruders
May 2009 by Panda
This week’s PandaLabs report includes information about the IRCBot.CNK, Autorun.IYQ and Joleee.F worms.
IRCBot.CNK is designed to connect to an IRC server to receive remote commands, including:
– Capturing network traffic.
– Downloading any type of file, including malware.
– Updating itself.
This worm also adds itself to the list of authorized applications in the Windows XP firewall.
It spreads by exploiting the MS04-011 Microsoft vulnerability. To do this, it generates random IP addresses and scans them for computers with port 445 open. If it finds a vulnerable system, it downloads a copy of itself.
This worm also spreads by copying itself to all mapped, shared and removable drives on the system.
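The scanning behaviour described above (one host contacting many different addresses on port 445 in a short time) can be spotted in connection logs. The following Python sketch is an added example, not part of the PandaLabs report; the log format, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445

def parse(line):
    """Parse 'ISO-timestamp src dst dport' (constructed log format, an assumption)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(lines, window_s=60, min_targets=20):
    """Return {src: peak count of distinct TCP/445 destinations seen in any
    sliding window} for sources whose peak reaches min_targets."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(parse(l) for l in lines if l.strip()):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}

def constructed_sample():
    """Constructed records; addresses come from private and documentation ranges."""
    base = datetime(2009, 5, 1, 10, 0, 0)
    stamp = lambda sec: (base + timedelta(seconds=sec)).isoformat()
    lines = []
    for i in range(40):
        # Host sweeping a new address on port 445 every second
        lines.append(f"{stamp(i)} 10.0.0.23 198.51.100.{i + 1} 445")
        # Ordinary client reconnecting to a single file server
        lines.append(f"{stamp(i * 2)} 10.0.0.5 10.0.0.2 445")
        # Web browsing to many hosts, not on port 445
        lines.append(f"{stamp(i)} 10.0.0.7 203.0.113.{i + 1} 80")
    return lines

if __name__ == "__main__":
    for src, n in find_smb_scanners(constructed_sample()).items():
        print(f"{src}: {n} distinct TCP/445 destinations within 60 s")
```

Counting distinct destinations rather than connections keeps a busy client of one file server below the threshold while the sweeping host stands out.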
Autorun.IYQ is a worm that makes a series of modifications to the Windows registry, with the following effects:
• It prevents a session from being started in safe mode.
• It blocks writing to removable devices, preventing files from being copied to the device.
• It prevents numerous files corresponding to security programs from being run.
• It disables several services in the Windows Security Center.
It adds two new entries at the start of the context menu for the drives in My Computer, which point to a copy of the worm.
Joleee.F is a worm that spreads through an email advertising pharmaceuticals.
It connects to the Internet to download a series of addresses, to which it then sends spam in an attempt to infect the recipients.
This worm also creates a series of copies of itself on infected computers.