Panda Security’s weekly report on viruses and intruders
January 2010 by Panda Security
This week’s PandaLabs report looks at a worm, a Trojan and a new fake antivirus.
TwittWorm.A is a worm that uses Twitter and Messenger in order to spread, sending a malicious message to all contacts of the infected user. These messages appeal to the curiosity of users, with subjects such as "I just got a piercing and you’ll never guess where! Take a look at the photo. ;) " or "You’re going to be mad at me for sending you this photo, but you NEED to see it :3". The worm edits the registry so the system cannot be restored or started in safe mode. It also makes a series of changes to the host file to prevent users from accessing certain Web pages, particularly those related with antivirus companies. Another feature is that it prevents the running of certain programs for viewing active processes or monitoring network traffic. Twittworm.A also spreads through USB devices, creating an autorun.inf to automatically infect computers on connection.
Sinowal.WTF is a keylogger Trojan, designed to capture keystrokes with an aim to stealing passwords and other information from infected systems. This Trojan reaches computers through an email claiming to have been sent from MySpace. The message warns victims about a change to the user’s password and contains a .zip file attachment which supposedly contains the new password. The attached file, once extracted, has an Excel icon, but is really malware. When run, the system is infected and the icon disappears.
Finally, GhostAntivirus is a new strain of fake antivirus. As with other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist. If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction. This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.