Shark 2, a Trojan creation tool, is the main subject of this week's PandaLabs report, which also covers Addon.B and MSNPoopy.A, two worms that use MSN Messenger to spread.
Shark 2 is distributed for free in various Internet forums and is very easy to use, which makes it particularly dangerous. The Trojans created with this builder could steal all kinds of confidential data from users' computers if they are not well protected.
"These Trojans pose a threat to users' privacy as cyber-crooks could activate the victim's webcam, if they have one, and watch what they are doing", explains Luis Corrons, Technical Director of PandaLabs.
Shark 2 allows criminals to specify the server the Trojan must connect to, and to set the Trojan to run on every system restart, show error messages or run other files. The tool also allows malicious users to perform specific actions on processes and services, such as stopping certain services, or shutting down or deleting the user server.
Once it has infected a computer, the Trojan created by Shark 2 connects to the server the hacker has chosen and displays a screen that allows them to take various actions, including commanding the malware to steal all kinds of passwords (for instant messaging services, email, banking services, etc.).
The cyber-criminal can also run a large number of utilities on the infected computer, for example to modify the registry or edit the hosts file. By doing this, they could redirect users to phishing or infected pages.
Trojans created with this tool can also take screenshots, capture audio and log keystrokes.
"Malware creators can use this tool to build Trojans capable of attacking users on several fronts, but always with the same goal: get information that they can easily turn into some kind of financial gain", states Corrons.
The first worm covered in today's report is Addon.B, a malware specimen that sends a .zip file called Foto_celular by MSN Messenger. If the user opens it and runs the file inside, they will be installing a copy of the worm on their computer.
Addon.B copies itself to all drives under the name Foto_celular.scr. Once run, this file downloads the second component of the worm, sexy.wm. This malware, in turn, connects to two web pages waiting for commands ranging from downloading other malicious code onto the infected computer to updating itself.
MSNPoopy.A uses similar techniques to Addon.B to spread through MSN Messenger. In this case, it uses sentences like "look @ my cute new puppy :-D" or "look @ this picture of me, when I was a kid" to entice users into opening the attached file, which has names such as img1756 and is compressed in .zip format.
If the targeted user opens it and runs the file inside, they will become infected. Also, all the users in the victim's Address Book will receive the message the worm sends, with the possibility of becoming infected.
MSNPoopy.A edits the Windows Registry to ensure it is run every time the system is started up. It also tries to connect to other instant messaging channels to send out information or continue spreading.
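The two worm descriptions above (Addon.B's Foto_celular.zip carrying Foto_celular.scr, and MSNPoopy.A's lure sentences with img1756-style .zip attachments plus a Registry autorun entry) translate directly into indicators a defender can match. The following script is an added example, not PandaLabs' code or anything from the report: it inspects constructed MSN file-transfer records for the names and phrases the report gives, applies one generic heuristic (an executable whose name looks like a picture inside a .zip), and scans a constructed set of Run-key values for the Addon.B dropper name or any .scr launched at startup. The transfer records, archive contents and Run-key values are all constructed for the example; `Transfer`, `inspect_transfer`, `suspicious_autoruns` and `make_zip` are hypothetical names chosen here.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators taken from the report's description of Addon.B and MSNPoopy.A.
KNOWN_ATTACHMENT_STEMS = {"foto_celular", "img1756"}
KNOWN_WORM_FILES = {"foto_celular.scr", "sexy.wm"}
LURE_PHRASES = ("look @ my cute new puppy", "look @ this picture of me")

# Generic heuristic (assumption, not from the report): an executable type
# whose file name starts like a photo name is the classic "picture" disguise.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat"}
IMAGE_LIKE_NAME = re.compile(r"^(img|foto|photo|pic|dsc)", re.I)


@dataclass
class Transfer:
    """One MSN Messenger file transfer as a defender might log it (constructed)."""
    sender: str
    message: str       # chat text sent alongside the file
    attachment: str    # file name offered to the recipient
    archive: bytes     # raw bytes of the transferred file


def _split_name(path: str) -> Tuple[str, str, str]:
    """Return (basename, stem, extension) with everything lower-cased."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (base, stem, "." + ext) if dot else (base, base, "")


def inspect_transfer(t: Transfer) -> List[str]:
    """Return the list of reasons this transfer looks like one of the worms."""
    reasons: List[str] = []
    msg = t.message.lower()
    reasons += [f"known lure text: {p!r}" for p in LURE_PHRASES if p in msg]

    _base, att_stem, att_ext = _split_name(t.attachment)
    if att_stem in KNOWN_ATTACHMENT_STEMS:
        reasons.append(f"known worm attachment name: {t.attachment}")

    # Both worms ship a .zip; look inside without executing anything.
    if att_ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(t.archive)) as zf:
                for member in zf.namelist():
                    base, stem, ext = _split_name(member)
                    if base in KNOWN_WORM_FILES:
                        reasons.append(f"known worm file inside archive: {member}")
                    elif ext in EXECUTABLE_EXTS and IMAGE_LIKE_NAME.match(stem):
                        reasons.append(f"executable posing as a picture inside archive: {member}")
        except zipfile.BadZipFile:
            reasons.append("attachment named .zip is not a valid archive")
    return reasons


def _launched_binary(cmd: str) -> str:
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def suspicious_autoruns(run_values: Dict[str, str]) -> List[str]:
    """Value names under a Run key (exported as name -> command) that launch a
    known worm file, or any .scr at all: a screensaver has no business in Run."""
    return [
        name for name, cmd in run_values.items()
        if _split_name(_launched_binary(cmd))[0] in KNOWN_WORM_FILES
        or _split_name(_launched_binary(cmd))[2] == ".scr"
    ]


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory .zip so the sample transfers below are self-contained."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: two worm-like transfers, one benign, one generic disguise.
SAMPLE_TRANSFERS = [
    Transfer("contact1", "foto :)", "Foto_celular.zip", make_zip({"Foto_celular.scr": b"MZ-stub"})),
    Transfer("contact2", "look @ my cute new puppy :-D", "img1756.zip", make_zip({"img1756.scr": b"MZ-stub"})),
    Transfer("contact3", "here is the report", "report.zip", make_zip({"report.txt": b"quarterly figures"})),
    Transfer("contact4", "check this out", "holiday.zip", make_zip({"photo_001.exe": b"MZ-stub"})),
]
SAMPLE_RUN_KEY = {
    "MSMSGS": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
    "Foto": r"C:\WINDOWS\Foto_celular.scr",
}

if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        print(t.sender, t.attachment, inspect_transfer(t) or "clean")
    print("suspicious Run values:", suspicious_autoruns(SAMPLE_RUN_KEY))
```

The archive is opened with `zipfile` only to list member names; nothing inside it is extracted or run. The `.scr`-in-Run rule is a heuristic: it will also flag a legitimately registered screensaver, so treat its hits as leads to review rather than verdicts.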
"It shouldn't surprise anyone that cyber-crooks are increasingly using instant messaging to distribute their creations. These are services used by millions of people every day, so they make a very easy and quick way of infecting a huge number of users", explains Corrons.