Panda Security’s weekly report on viruses and intruders
April 2009
This week’s PandaLabs report looks at the Hiloti.A Trojan, PersonalAntivirus and IRCBot.CML worm.
When run, the Hiloti.A Trojan sets the Mandatory Integrity Control (MIC) level to low. This way, it can run any file it downloads without the user noticing. In this case, it downloads the Lop adware, which is designed to display advertising messages.
Additionally, Hiloti.A registers itself in Internet Explorer as a BHO (Browser Helper Object) and monitors the user's browsing. If the user browses with Firefox instead, the malware injects code into the pages it monitors (over a hundred domains) to redirect searches made on those domains to pages that serve further malware for download.
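Because a BHO is nothing more than a COM object listed under the Browser Helper Objects registry key, the quickest triage step on a suspect machine is to enumerate that key and resolve each CLSID to the DLL that Internet Explorer will load. The script below is an added example and not PandaLabs' code: it parses a `reg export` dump rather than querying the live registry so it runs offline, the dump itself is constructed for illustration (the CLSIDs and paths are invented), and the "trusted directory" heuristic is an assumption of this example rather than a rule stated on the page.

```python
# Added example: enumerate Browser Helper Objects from a .reg export and flag
# ones whose DLL lives outside the usual program directories.

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Directories a legitimate BHO normally lives in (assumption of this example).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")

# Constructed sample of a `reg export` file; CLSIDs and file paths are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\xyz.dll"
"ThreadingModel"="Apartment"
"""


def _unescape(s):
    """Undo .reg string escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    The default value (written as @=...) is stored under the name "(Default)".
    Only string values are unescaped; other types are kept verbatim.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def enumerate_bhos(keys):
    """Return one record per registered BHO: CLSID, friendly name, DLL path, and a flag."""
    prefix = BHO_KEY.lower() + "\\"
    found = []
    for key in keys:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:
            continue  # a subkey below a CLSID entry, not a new BHO
        name = keys.get(CLSID_ROOT + "\\" + clsid, {}).get("(Default)", "")
        dll = keys.get(CLSID_ROOT + "\\" + clsid + "\\InprocServer32", {}).get("(Default)", "")
        # No server DLL, or a DLL outside the trusted directories, is worth a closer look.
        suspicious = (not dll) or not dll.lower().startswith(TRUSTED_PREFIXES)
        found.append({"clsid": clsid, "name": name, "dll": dll, "suspicious": suspicious})
    return found


if __name__ == "__main__":
    for bho in enumerate_bhos(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if bho["suspicious"] else "ok"
        print(f"{flag:10} {bho['clsid']} {bho['name'] or '(no name)'} -> {bho['dll'] or '(no DLL)'}")
```

On a real machine, produce the input with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser "Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg` (concatenating both into one text works with this parser, since it keys everything by full path). The directory heuristic only narrows the list; a BHO in Program Files can still be malicious, so the flagged DLL's hash and signature are what decide the question.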
PersonalAntivirus is a fake antivirus. As with all such rogue programs, PersonalAntivirus is designed to convince users that their system is infected with malware. To do so, it performs a bogus scan of the affected computer, during which it "detects" several malware samples.
If users click "Remove", a form is displayed asking them to pay for a license, and a false warning message appears indicating that the computer is at risk.
Finally, IRCBot.CML is a worm that allows remote intruders to access and control the computer via IRC. It reaches computers disguised as a photo, but once run it displays an error message with the text "Picture can not be displayed".
Next, IRCBot.CML opens several ports and tries to connect to an FTP server to upload the user's data, including captured keystrokes.
This worm spreads through MSN Messenger, trying to infect all the user’s contacts.