Panda Security’s weekly report on viruses and intruders
May 2009 by Panda Security
KillAV.KP is designed to prevent users from accessing the websites of antivirus companies and IT security forums. As a result, users can neither look up security-related information nor download updates.
This malicious code reaches computers as what looks like an image file with a cat icon. To avoid drawing attention once it is run, KillAV.KP shows the user a .GIF animation.
Meanwhile, it downloads a file to the system that modifies the Windows Registry to prevent users from accessing the websites of security companies and similar sites.
The PasswordStealer.BM worm, on the other hand, steals users' confidential information, i.e. passwords stored in Internet Explorer. It also collects information about the affected computer (operating system version, user name and IP address). The information is stored and later sent to the worm's creator via IRC.
There are several tell-tale signs of the presence of this worm. When run, it displays an image of a young person smoking a cigarette (image here: http://www.flickr.com/photos/panda_...). It also changes the Internet Explorer homepage.
PasswordStealer.BM uses several techniques to make it harder to remove:
It hides files and folders.
It conceals file extensions.
It conceals operating system files.
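The report does not say how the worm achieves these three effects. The per-user Explorer view settings that control exactly these three things live under the Explorer "Advanced" key (the value names and meanings below are documented Windows behaviour; that the worm uses them is an assumption, not something the report states). Note that a fresh Windows install also has them in the hiding state, so a hit matters only on a machine where they had been switched on. The following is an added example, not code from Panda Security or from the report: it reads an exported .reg file offline, reports which settings are in the hiding state, and produces a .reg fragment that switches them back.

```python
"""Check an exported Explorer "Advanced" key for the three concealment settings."""
import re

# Per-user Explorer view settings. Assumption (not stated in the report): the worm's
# hiding of files, extensions and OS files is done through these values.
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# value name -> (value that hides things, value that shows them, what the value controls)
VIEW_VALUES = {
    "Hidden": (2, 1, "hidden files and folders"),
    "HideFileExt": (1, 0, "file extensions"),
    "ShowSuperHidden": (0, 1, "protected operating-system files"),
}

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Parse a .reg export into {key (lower-cased): {value name: int}}; only dword values are kept."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()  # registry key names are case-insensitive
            result.setdefault(current, {})
            continue
        val = _DWORD_RE.match(line)
        if val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result


def concealment_findings(reg_text):
    """Return [(value name, current value, what is being hidden)] for each setting in its hiding state."""
    advanced = parse_reg_dwords(reg_text).get(ADVANCED_KEY.lower(), {})
    findings = []
    for name, (hiding, _showing, what) in VIEW_VALUES.items():
        if advanced.get(name) == hiding:
            findings.append((name, hiding, what))
    return findings


def restore_reg():
    """A .reg fragment that switches all three settings to their showing state (import with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ADVANCED_KEY}]"]
    for name, (_hiding, showing, _what) in VIEW_VALUES.items():
        lines.append(f'"{name}"=dword:{showing:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample of a tampered profile; not data taken from the report.
TAMPERED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    for name, value, what in concealment_findings(TAMPERED_EXPORT):
        print(f"{name}={value}: {what} are hidden")
    print(restore_reg())
```

A real export written by regedit is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. Importing the fragment from `restore_reg()` only helps while the worm is no longer running; malware that forces these settings usually re-applies them, so check again after cleaning.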
Additionally, PasswordStealer.BM tries to spread through IRC channels. To do so, it sends random messages carrying a file called MYPIC.ZIP, which contains a compressed copy of itself, to all users connected to any channel the affected user joins.
Finally, the MSNWorm.GI worm is designed to spread through MSN Messenger. To do so, it sends an instant message to the infected user’s contacts, tempting them to view a photo.
The message includes a link whose URL resembles Facebook's. Clicking the link opens a download window that lets users run or save the file (supposedly a photo). The file has a double extension (JPG and EXE) to fool users; it is actually an up-to-date copy of the worm.
If users open the downloaded file, Facebook's legitimate page opens to make them believe there has been an error when they cannot find the new photo.
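The double-extension trick works because Explorer hides known extensions by default, so "photo.jpg.exe" is shown as "photo.jpg". As an added example (not code from Panda Security or the report), the script below flags download or attachment names that disguise an executable this way. It goes a little beyond the case in the text: besides the plain ".jpg.exe" form it also catches whitespace padding between the two extensions and the Unicode right-to-left override character, two related ways of hiding the real extension. The extension lists and the sample filenames are assumptions constructed for the example; the report names no actual file for MSNWorm.GI.

```python
"""Spot download names that lie about their type with a second extension (e.g. photo.jpg.exe)."""
import re

# Extensions Windows will execute on double-click; assumed set for a triage filter, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta", "msi"}
# Harmless-looking extensions a lure borrows to pass as a photo, document or archive.
LURE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "pdf", "doc", "xls", "zip", "rar", "mp3", "avi"}

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE; a bidi-aware shell renders what follows it reversed


def real_extension(name):
    """The extension the shell actually dispatches on: text after the final dot, padding stripped, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def displayed_name(name):
    """Approximate what the user sees: characters after an RLO mark are drawn right to left."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def deceptive_extension(name):
    """Return the reasons a name looks like a disguised executable; an empty list means nothing suspicious."""
    reasons = []
    ext = real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return reasons  # a genuine .jpg or a plainly named .exe is not a disguise
    tokens = [t.strip().lower() for t in name.split(".")]
    lures = [t for t in tokens[1:-1] if t in LURE_EXTS]
    if lures:
        reasons.append(f"double extension: looks like .{lures[-1]} but runs as .{ext}")
    if re.search(r"\s{2,}\." + re.escape(ext) + r"\s*$", name, re.IGNORECASE):
        reasons.append("whitespace padding pushes the real extension out of a narrow column")
    if RLO in name:
        reasons.append(f"RLO character: shown as {displayed_name(name)!r} but runs as .{ext}")
    return reasons


def scan(names):
    """Map every suspicious name to its reasons; clean names are left out."""
    flagged = {}
    for name in names:
        reasons = deceptive_extension(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed examples of lure names; the report names no actual filename for MSNWorm.GI.
SAMPLE_DOWNLOADS = [
    "IMG_2031.jpg.exe",
    "report.pdf                 .scr",
    "party\u202egpj.exe",
    "holiday.jpg",
    "setup.exe",
]

if __name__ == "__main__":
    for name, why in scan(SAMPLE_DOWNLOADS).items():
        print(repr(name), "->", "; ".join(why))
```

The check deliberately keys on the real (last) extension rather than on what is displayed: a plain "setup.exe" is honest and is not flagged, while anything that executes but presents itself as media or a document is. The same logic can be dropped into a mail gateway or proxy log review, where the filename is all you have before the content is inspected.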