Panda Security’s weekly report on viruses and intruders
August 2009 by Panda Security
This week’s PandaLabs report looks at the Koobface.EA worm, designed to spread using Facebook, the Pidief.A Trojan, which takes advantage of an Adobe vulnerability to infect users and P2Pworm.BJ, a worm designed to steal the information entered on online forms.
To spread via Facebook, the Koobface.EA worm publishes a video on the infected users’ Facebook page, for all their friends and contacts to see it. On trying to watch the video, users are redirected to a page similar to YouTube’s.
Then, they are asked to download an Adobe Flash version necessary to watch the video. This file is actually a copy of the worm.
To make the attack even more dangerous, the worm downloads another malicious code to the infected computer: the AntiSpyware Pro 2009 fake antivirus. This malicious adware simulates a fake system scan detecting dozens of actually non-existing malware strains. Then, it offers users the option to eliminate them using a paid version of the fake antivirus. As you can see, the objective is to get financial returns from this malicious code.
The Pidief.A Trojan uses the Adobe CVE-2009-1862 vulnerability to infect users. The exploit takes advantage of a known vulnerability when trying to open a PDF document with an embedded flash object.
The Acrobat file viewer has a feature to run flash objects included in .PDF files. Thanks to the authplay.dll library, the file reader can open the flash viewer and display the content. In this case, the information sent to the viewer includes the instruction to download a malware file (Trj/Pidief.A). Then, no flash object is displayed to the user.
Pidief.A can be used by its creator to download more malware to the affected computer, or to gain total or partial control of the infected system.
P2Pworm.BJ is a worm designed to steal the information entered on online forms through the Internet Explorer and Firefox browsers.
The worm uses the following means to spread:
Peer-to-peer (P2P) file sharing programs: It creates copies of itself in the shared directories of several programs (Ares, BearShare, Emule, Imesh and Shareaza).
The users of these programs can access the shared directories remotely and download some of the files belonging to P2Pworm.BJ to their computers.
Removable drives: It copies itself to the RECYCLER folder of removable drives. Also, it creates an AUTORUN.INF file on these drives to run every time they are accessed.
MSN Messenger: It sends messages with a copy of itself to the user’s contacts connected at the time of the infection.