Panda Security’s weekly report on viruses and intruders
November 2009 by Panda Security
This week’s PandaLabs report looks at the Autoit.HW and Autorun.JOE worms, and the PersonalProtector adware.
Autoit.HW is a worm that spreads through spoofed Web pages and emails that trick users into installing the malware on their computers. It can also spread through removable USB drives, where it takes advantage of the autoplay feature of removable drives to execute even if users have not run the executable file.
Once the computer has been infected with this malware, it disables the task manager, so that users cannot see active processes on the system. The worm does this in order to hide itself.
With the same aim, it also disables the Windows Registry editor and folder options, so that users cannot change the option to see hidden files or file extensions.
This worm leaves a file called Virus Information.txt on the desktop with the following message:
Hi fri "Administrador"
It is nice to meet you . . . .
I ko thi lar, see yin kaw kin mar lar, i ka talk khin tat tal nor . . . .
I ka girl nor, chit mar lar . . . . .
I ka u computer ko bar ma, ma loat par buu khin lo Virus write pi talk sa tar ko , he` he` . . .
Sate so ya buu nor i ka di lo pae` . . . . ya tal ma hote lar I name ko thi chin lar? pyaw pya par buu; bar lo pyaw pya ya mar lae` u ka boy lar, age ka kaw?
i ka 18age girl i gamil ka email@example.com bye bye . . . luu soe . . . fly kiss . .
After the malware has been running for a while, a dialog box appears with the following message:
I am 18 girl Loikaw
Write by comput5r3razygirl@XXX.com
"Loikaw hacing day"3D virus for you USER NAME
Autorun.JOE is another worm which, like the previous one, spreads via email and removable drives. After infecting a computer, it takes the following malicious actions:
Disables the task manager.
Disables Windows Registry management tools.
Disables the option to view hidden files.
Disables the option to view hidden system files.
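A defensive check for the symptoms both worms share, as an added example that is not part of the PandaLabs report: it audits a decoded registry export for the standard Windows policy values behind a disabled Task Manager, registry editor and Folder Options, and for autoplay on removable drives. The report does not name the registry values involved, so the value names used here and the sample export are assumptions constructed for illustration.

```python
import re

# Standard Windows policy values. The report does not name the values these
# worms write, so mapping the symptoms to them is an assumption.
POL = r"software\microsoft\windows\currentversion\policies"
RULES = [  # (key suffix, value name, "is bad" test on the DWORD, finding)
    (POL + r"\system", "disabletaskmgr", lambda v: v == 1, "Task Manager disabled"),
    (POL + r"\system", "disableregistrytools", lambda v: v != 0, "Registry editor disabled"),
    (POL + r"\explorer", "nofolderoptions", lambda v: v == 1, "Folder Options hidden"),
    (r"\explorer\advanced\folder\hidden\showall", "checkedvalue", lambda v: v != 1,
     "Show-hidden-files option broken"),
]
REMOVABLE = 0x04  # DRIVE_REMOVABLE bit of NoDriveTypeAutoRun

def parse_reg(text):
    """Map (lowercased key, lowercased value name) -> int for every DWORD value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return sorted findings for a decoded .reg export (files on disk are UTF-16)."""
    values, findings = parse_reg(text), []
    for (key, name), v in values.items():
        findings += [msg for suffix, rname, bad, msg in RULES
                     if key.endswith(suffix) and name == rname and bad(v)]
    # Hardening check: the autoplay policy should cover removable drives.
    autorun = [v for (k, n), v in values.items()
               if k.endswith(POL + r"\explorer") and n == "nodrivetypeautorun"]
    if not any(v & REMOVABLE for v in autorun):
        findings.append("Autoplay not disabled for removable drives")
    return sorted(findings)

# Constructed sample export, not taken from a real infected host.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"""
```

Calling audit(SAMPLE) returns all four findings; an export with the policy values at 0 and NoDriveTypeAutoRun at 0xff returns an empty list.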
Finally, we look at PersonalProtector, a fake antivirus (a type of adware). As with all such malware, it simulates a scan of the computer and claims to detect a series of threats, which is completely untrue. It then offers users the option to eliminate the (non-existent) malware using a paid version of the fake antivirus.