Panda Security’s weekly report on viruses and intruders
February 2009 by Panda Security
The Sinowal.VZR and NoVideo.A Trojans and the Autorun.INJ worm are the focus of this week’s PandaLabs report.
After infecting a computer, Sinowal.VZR deletes the cookies and browser history so that users have to retype the address, user name and password of the Web pages they access. The Trojan monitors the user’s Internet activity, so it needs the user to re-enter passwords in order to record them.
The information stolen is then sent to the malware creator through FTP.
To spread, this Trojan sends emails that claim to come from various airlines and inform recipients that an amount of money has been charged to their accounts. The emails carry an attachment called eTicket_5NUMBERS.zip, which supposedly contains the details of the ticket purchased by the user but is really a copy of the malware, activated when the user opens the file inside the .zip archive.
NoVideo.A is a Trojan designed to change folder options and disable the Windows Registry tools. In addition, it disables pop-up blocking programs and even eliminates the preview of pictures and videos on the web pages users visit.
This Trojan also drops a copy of the Suurch adware onto the computer.
Finally, Autorun.INJ is a worm that passes itself off as photo files, reaching the computer with names like:
Like all the worms of this family, it copies itself to all the computer’s drives (shared and removable) and, in this case, to all of the user’s folders.
It also adds entries to the Windows Registry so that it runs at every Windows start-up and to prevent users from changing the Windows Explorer and Control Panel folder options. Additionally, it disables the registry tools and the MSDOS (CMD) console.
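The symptoms described for NoVideo.A and Autorun.INJ (registry tools, CMD and folder options disabled, plus start-up entries) can be audited on a suspect machine. The following is an added example, not part of the PandaLabs report: the report does not name the registry entries involved, so the standard Windows policy values that produce these effects are assumed here.

```powershell
# Added example. Assumption: the symptoms in the report map to these standard
# Windows policy values; the report itself does not name the registry entries.
$policyChecks = @(
    [pscustomobject]@{ Symptom = 'Registry tools disabled'
                       SubKey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
                       Name    = 'DisableRegistryTools' }
    [pscustomobject]@{ Symptom = 'CMD console disabled'
                       SubKey  = 'Software\Policies\Microsoft\Windows\System'
                       Name    = 'DisableCMD' }
    [pscustomobject]@{ Symptom = 'Folder Options hidden'
                       SubKey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
                       Name    = 'NoFolderOptions' }
)
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

$findings = foreach ($hive in 'HKCU:', 'HKLM:') {
    # 1. Policy values that are present and non-zero match a described symptom.
    foreach ($check in $policyChecks) {
        $path = "$hive\$($check.SubKey)"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }          # key absent: policy not set
        $value = $key.GetValue($check.Name)
        if ($null -ne $value -and $value -ne 0) {
            [pscustomobject]@{ Kind = 'Policy'; Detail = $check.Symptom
                               Path = $path; Name = $check.Name; Value = $value }
        }
    }
    # 2. Start-up entries: listed for manual review, since legitimate
    #    software also registers itself here.
    $runPath = "$hive\$runSubKey"
    $runKey  = Get-Item -Path $runPath -ErrorAction SilentlyContinue
    if ($null -ne $runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            [pscustomobject]@{ Kind = 'Startup'; Detail = 'Review manually'
                               Path = $runPath; Name = $name
                               Value = $runKey.GetValue($name) }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A `Policy` row on a machine where no administrator set that restriction is worth investigating; `Startup` rows need comparing against the software known to be installed.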