The latest incarnation of the poisoned e-card attack (also known as Storm), which has dominated the malware scene for months, is making another appearance. This time it takes advantage of Halloween festivities to infect the PCs of unsuspecting users.
"Malicious spam e-mails being sent across the Internet are directing users to a Halloween-themed Web site, offering a download of a dancing skeleton game, but really designed to install a Trojan horse that gives hackers remote access to the PC," says Brett Myroff, CEO of Sophos distributor, Netxactics.
The Trojan con
Also raising concerns this week is the Troj/ConHook-AH Trojan, which is affecting the Windows operating system. Its side effects include installing itself in the registry, monitoring browser activity and installing a browser helper object.
It is also detected under the alias TROJ_CONHOOK.FM and includes functionality to access the Internet and communicate with a remote server via HTTP.
The Troj/ConHook-AH DLL is registered as a COM object and Browser Helper Object for Microsoft Internet Explorer, creating a number of registry entries.
Wicked worms
The W32/Rbot-GUR worm has also been noted, again, affecting Windows users. It allows others to access the computer and installs itself in the registry. Aliases include Backdoor.Win32.Rbot.bll and New Win32.g2.
"W32/Rbot-GUR runs continuously in the background, providing a backdoor server that allows a remote intruder to gain access and control over the computer via IRC channels," says Myroff.
When first run, W32/Rbot-GUR copies itself to <System>\nlczty.exe and creates a number of registry entries to run nlczty.exe on start-up. "It also disables the automatic start-up of other software," he adds.
"Worth noting is that disabling auto-start for the SharedAccess service deactivates the Microsoft Internet Connection Firewall."
The W32/Rbot-GUP worm is showing low to medium prevalence this week. It allows others to access the computer, installs itself in the registry and exploits system or software vulnerabilities.
"It includes IRC backdoor functionality for the Windows platform. It spreads to other network computers by exploiting common buffer overflow vulnerabilities and by copying itself to network shares protected by weak passwords," Myroff explains.
"This worm also runs continuously in the background, providing a backdoor server, which allows a remote intruder to gain access and control over the computer via IRC channels."
When first run, W32/Rbot-GUP copies itself to <Windows>\Msnhelper.exe and creates the file <Windows>\images.zip, which contains a copy of the worm executable with the PIF extension.
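As an added defender-side example (not code from the article or from Sophos), the following PowerShell triage script checks a Windows host for the persistence traits described above for Troj/ConHook-AH and the two Rbot variants: Browser Helper Objects registered for Internet Explorer, Run-key entries naming the dropped files, and the start type of the SharedAccess (Internet Connection Firewall) service. The BHO and Run-key registry locations are standard Windows paths; the file names are taken from the article and the output layout is an assumption.

```powershell
# Added triage script: surfaces the three persistence traits the article describes.
# Run in an elevated PowerShell session on the host being examined.

$SuspectNames = @('nlczty.exe', 'Msnhelper.exe')   # dropped files named in the article

# 1. Enumerate registered BHOs and resolve each CLSID to the DLL that implements it.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<unresolved>' }
        [pscustomobject]@{ Check = 'BHO'; Id = $clsid; Value = $dll }
    }
}

# 2. Scan the common auto-start Run keys for the file names the worms use.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own provider metadata
        foreach ($name in $SuspectNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                [pscustomobject]@{ Check = 'RunKey'; Id = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

# 3. SharedAccess backs the Internet Connection Firewall; a StartType of Disabled
#    matches the behaviour the article attributes to W32/Rbot-GUR.
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($svc) {
    [pscustomobject]@{ Check = 'SharedAccess'; Id = $svc.Status; Value = $svc.StartType }
}
```

A BHO resolving to an unfamiliar DLL, a Run entry pointing at one of the listed names, or SharedAccess reporting Disabled on a host where the firewall should be active are the findings worth escalating.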
"With spammers exploiting every opportunity to gather personal information from recipients, as is evidenced by the latest Halloween e-mails, and the ongoing spread of malware, companies need to protect themselves with a consolidated security solution that can control network access and defend against all types of threats," Myroff says.