
Guilty conscience puts users at risk

Johannesburg, 23 Nov 2007

This week saw the emergence of a Trojan horse that tries to shock recipients into believing their telephone conversations are being recorded, in a ruse to ultimately scare people into buying bogus security software for their computer, says Brett Myroff, CEO of Netxactics.

The Troj/Dorf-AH Trojan horse has been spammed out attached to an e-mail claiming the sender is a private detective listening to the recipient's phone calls, he says.

According to Myroff, the "detective" claims he will reveal who has paid for the surveillance at a later date, but for the mean time the recipient should listen to a recording of a recent phone call, which is attached to the e-mail as a password-protected RAR-archived MP3 file.

"In reality, however, the MP3 file is not an audio file of a telephone conversation, but a malicious executable program that installs further malware onto the victim's computer which it downloads from a dangerous Web site.

"Among these is a piece of scareware which displays a fake Windows Security Centre alert and tries to convince the victim to purchase bogus security software. Listening to the alleged recordings of your phone conversations will result in unwittingly installing malware directly onto your PC," he adds.

More fun and games

Also making appearances this week are Troj/Horst-JQ Trojan and Troj/LegMa-Gen, password-stealing Trojans for the Windows platform that attempt to steal information from the game Legends of Mir.

Troj/Kaiten-W, a backdoor Trojan affecting the Unix OS, has also been noted. Its aliases include Linux/DDoS-Kaiten and Backdoor.Kaitex, and it allows others to access victims' computers.

"Troj/Kaiten-W allows a remote attacker to control the infected computer through IRC channels," Myroff says.

Troj/RSTDoor-B is also causing some concern for Unix users, he says. It is a backdoor Trojan for Unix-based platforms running PHP and HTTPD.

"The Trojan accepts commands via HTTP request strings and allows remote attackers to access and control the infected computer. It also allows a Web-based interface to control the backdoor functionality."

The Trojan can be instructed by remote attackers to perform various tasks, including:

* Collect information from the infected computer, such as database servers, directory structures, files and permissions, etc.
* Open a remote shell (BASH)
* Upload/download arbitrary files
* Execute arbitrary files
* Scan for vulnerabilities
* Change file attributes (owner, permissions)
* Run arbitrary SQL commands
* Send e-mail
* Start an FTP server

The W32/Drowor-A virus has also been noted, and is spreading via removable storage devices and infected files. It is affecting Windows users and installs itself in the registry.

W32/Drowor-A spreads via removable shared devices by copying the infected file to <Root>New Folder.exe on the removable drive. A number of registry entries are created to run aut0exec.bat, Regedit32.com and Shell32.com on startup.
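The two indicators the article gives for W32/Drowor-A (a "New Folder.exe" at the root of a removable drive, and startup entries running aut0exec.bat, Regedit32.com or Shell32.com) can be checked offline against a registry export and a drive listing. The script below is an added example, not Netxactics' or Sophos' code; it assumes the startup entries live under a Run key (the article names no key) and works on constructed sample data.

```python
import re
from typing import Dict, List

# File names the article attributes to W32/Drowor-A (matched case-insensitively).
DROWOR_RUN_NAMES = ("aut0exec.bat", "regedit32.com", "shell32.com")
DROWOR_DROPPER = "new folder.exe"

# Constructed sample of a .reg export: two entries mimic the autoruns the
# article describes, one is benign and must not be flagged.
# Assumption: the entries sit under a Run key; the article does not name one.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"Shell"="C:\\Windows\\System32\\Shell32.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"update"="C:\\WINDOWS\\aut0exec.bat"
"""

# Constructed top-level listings of two removable drives; E: looks infected.
SAMPLE_DRIVE_ROOTS = {
    "E:\\": ["photos", "New Folder.exe", "notes.txt"],
    "F:\\": ["backup.zip"],
}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def suspicious_run_entries(reg_export: str) -> List[str]:
    """Return 'key\\name -> data' for Run-key values that launch a named file."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None or not current_key.lower().endswith("\\run"):
            continue
        # .reg exports double the backslashes; compare on the basename only.
        # Note that Shell32.com is not the legitimate shell32.dll.
        basename = m.group("data").replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if basename in DROWOR_RUN_NAMES:
            hits.append(f"{current_key}\\{m.group('name')} -> {m.group('data')}")
    return hits

def drives_with_dropper(drive_roots: Dict[str, List[str]]) -> List[str]:
    """Return drive roots whose top-level listing contains New Folder.exe."""
    return [root for root, names in drive_roots.items()
            if any(n.lower() == DROWOR_DROPPER for n in names)]

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print("autorun indicator:", hit)
    for root in drives_with_dropper(SAMPLE_DRIVE_ROOTS):
        print("dropper at root of:", root)
```

A real check would feed the output of `reg export` and a directory listing of each removable drive into these two functions; a hit is grounds for scanning the machine, not proof on its own.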

"Malware authors seem to be going to great lengths to ensure people fall for their tricks. Troj/Dorf-AH is a good example of how anyone might try to run the attachment purely out of curiosity, or by assuming it is a joke recording without realising the danger it presents.

"Home users and businesses alike need to defend their e-mail with protection against the latest virus and spam attacks," Myroff says.
