Panda Security’s weekly report on viruses and intruders
October 2008 by Panda
This week’s PandaLabs report looks at the Lydra.AO Trojan, the Redvoz.A backdoor Trojan and the Autorun.AHS worm.
Lydra.AO records users’ activity on the infected computer and sends it to the malware author. To do so, it remains active in the Windows memory and starts capturing keystrokes and mouse movements. It also collects email addresses found in files with certain extensions.
It stores the information gathered, together with the PC hardware and software data, and sends it to the malware author via email. To do so, it uses its own SMTP or MAPI engine.
Redvoz.A is a backdoor Trojan that connects to a remote server, which allows the creator to run arbitrary commands on the infected computer and take control of the system.
This new malicious code creates a system service, presented as one for managing network policies, of the kind displayed by default alongside system services and third-party applications. The service runs continuously and cannot be stopped, which makes it difficult to remove: because the service runs in a loop, the threat is recreated if it is deleted.
Autorun.AHS is a worm designed to spread through the floppy disk drive.
When run on the computer, it modifies specific Registry entries to make it seem as though the Task Manager, Windows Registry, Folder Options and Explorer files have been enabled. What it really does, though, is replace the Internet Explorer start page with a malicious page. It also modifies the Windows Registry so that it runs on every system startup.
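A defender-side check for the Autorun.AHS behaviours described above, added here as an example and not taken from PandaLabs: it reads the Windows policy values that govern Task Manager, the Registry Editor and Folder Options, the Internet Explorer start page, and the Run autostart keys, and returns what it finds for comparison against a known-good baseline. The report does not name the exact Registry entries the worm touches, so the value names used below are an assumption.

```powershell
# Added example, not from the PandaLabs report. The value names are standard Windows
# policy values; the report does not say which entries Autorun.AHS modifies, so
# treating these as the relevant ones is an assumption.
function Get-AutorunStyleIndicators {
    $findings = @()

    # Policy values that disable Task Manager and the Registry Editor or hide Folder Options
    $policies = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
    )
    foreach ($p in $policies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += [pscustomobject]@{ Kind = 'Policy'; Location = "$($p.Path)\$($p.Name)"; Value = $item.($p.Name) }
        }
    }

    # Internet Explorer start page: reported so it can be compared with the expected value
    $iePath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $main = Get-ItemProperty -Path $iePath -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($null -ne $main) {
        $findings += [pscustomobject]@{ Kind = 'IEStartPage'; Location = "$iePath\Start Page"; Value = $main.'Start Page' }
    }

    # Autostart entries under the per-machine and per-user Run keys
    foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $key = Get-Item -Path $run -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $findings += [pscustomobject]@{ Kind = 'Run'; Location = "$run\$name"; Value = $key.GetValue($name) }
        }
    }
    return $findings
}

# Usage: list everything found, then flag policy values that are set to 1 (restriction active)
$results = Get-AutorunStyleIndicators
$results | Format-Table -AutoSize
$results | Where-Object { $_.Kind -eq 'Policy' -and $_.Value -eq 1 } |
    ForEach-Object { Write-Warning "Restrictive policy set: $($_.Location)" }
```

Run it from a normal user session (the policy values checked live under HKCU); the Run and Start Page entries are informational and need to be judged against what the machine is expected to have.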