Continued from our last post — Virus Encyclopedia vol.3Q
Win32.Worm.Autoit.AL is a highly malicious computer worm discovered by well-known virus researcher Lita Catalin on 24th July 2008. Its damaging impact is of medium intensity, although it spreads quite slowly. The worm masquerades as an application meant to protect removable drives from malware, which makes it hard to detect: it presents itself as a malware-removal tool for removable drives while it is itself a worm.
Win32.Worm.Autoit.AL reveals its presence through the following:
- It writes Autorun.inf on removable drives.
- It creates registry keys such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard with the value “%windrive%\FlashGuard\FlashGuard.exe” -run, among others.
Win32.Worm.Autoit.AL is a tricky worm that tries to impersonate a friendly application, namely the kind of utility meant to protect your removable drives from malware. It copies itself to %programfiles%\FlashGuard\FlashGuard.exe and includes a readme file that reads:
“This tiny software is used to protect removable storage devices from worms that are spread from one PC to another.”
It then copies the readme file to “%windrive%\FlashGuard\ReadMe.txt”. It checks whether any of the following processes are running:
If any of the processes listed above is running, the worm terminates it and renames it with a “.bak” extension. Win32.Worm.Autoit.AL removes all files in C:\heap41a that belong to other malicious programs and re-enables Task Manager if it has been disabled. Finally, it infects the removable drive by writing autorun.inf.
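The two indicators given above for this worm, an autorun.inf that hands control to a program and a Run-key value pointing at FlashGuard\FlashGuard.exe, can be checked offline from a drive image or a registry export. The following is an added example written for this post, not code from the original article; the autorun.inf text and the Run-key dump are constructed samples, and the Run-key format (value name to value data) is an assumption about how an export tool presents the key.

```python
import configparser
import re

# Constructed sample autorun.inf (not a real capture), modelled on the post's
# "writes Autorun.inf on removable drives" indicator and its FlashGuard Run value.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=FlashGuard\\FlashGuard.exe -run
shellexecute=FlashGuard\\FlashGuard.exe -run
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed dump of HKLM\...\CurrentVersion\Run as {value name: value data}.
SAMPLE_RUN_KEY = {
    "FlashGuard": '"%windrive%\\FlashGuard\\FlashGuard.exe" -run',
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}

# autorun.inf directives that make Windows launch a program when the drive is inserted
# or opened; a plain data stick rarely needs any of them.
EXEC_DIRECTIVES = ("open", "shellexecute", "shell\\open\\command")

# Path fragment from the post: the worm lives in a FlashGuard folder as FlashGuard.exe.
FLASHGUARD = re.compile(r"FlashGuard\\FlashGuard\.exe", re.IGNORECASE)


def autorun_exec_targets(text):
    """Return the command lines named by auto-execution directives in an autorun.inf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:  # no [AutoRun] header or otherwise malformed
        return []
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys are lower-cased by configparser
            if key in EXEC_DIRECTIVES:
                targets.append(value.strip())
    return targets


def flag_run_entries(run_key):
    """Return Run-key value names whose command points at FlashGuard\\FlashGuard.exe."""
    return sorted(name for name, data in run_key.items() if FLASHGUARD.search(data))


def autorun_launches_flashguard(text):
    """True when the autorun.inf would hand control to the FlashGuard binary."""
    return any(FLASHGUARD.search(t) for t in autorun_exec_targets(text))
```

Any non-empty result from `autorun_exec_targets` on a removable drive deserves a look, whether or not it names FlashGuard.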
Trojan.Swizzor.1 was discovered on 24th July 2008 by Dan Anton. It spreads at a very alarming rate and has a damaging impact of medium intensity. Trojan.Swizzor.1 is the generic name for an obfuscated downloader, which usually comes bundled with other software such as 3wPlayer.
Trojan.Swizzor.1 produces the following symptoms on the victim PC:
- Increased network activity
- Presence of the files named below
- Computer slowdowns
- Internet Explorer pop-ups
Trojan.Swizzor.1 is downloaded when the obfuscated downloader it is bundled with is installed on a computer. The downloaded copy saves itself as %Temp%\minime.exe.
When %Temp%\minime.exe is executed, it starts a new “iexplore.exe” process that runs in a hidden window and then injects its code into that process. The injected code downloads further copies of Trojan.Swizzor.1 into the %Temp% folder. These copies are saved to %AppData%\[random-folder-name]\[random-file-name] or %User-AppData%\[random-folder-name]\[random-file-name].
Trojan.Swizzor.1 also creates a new registry key with a random name under HKCU\Software\[random-subkey-name].
A hidden Windows task with a random name such as A3B0D938919B5400.job may also be created. These tasks download the Trojan.Swizzor.1 file again every hour.
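The behaviour described above leaves two footprints a defender can look for in a process snapshot and in the Tasks folder: an iexplore.exe whose parent runs out of a Temp directory, and .job files with 16-hex-digit names. This is an added example for this post, not code from the original article; the process list and task listing are constructed samples with arbitrary PIDs, and the Proc record is an assumed shape for whatever listing tool supplies the data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int    # parent process id
    image: str   # full path of the executable image


# Constructed process snapshot, not a real capture; PIDs are arbitrary. It mirrors the
# post: minime.exe in %Temp% starts iexplore.exe and injects code into it.
SAMPLE_PROCS = [
    Proc(1, 0, r"C:\Windows\explorer.exe"),
    Proc(4, 1, r"C:\Users\user\AppData\Local\Temp\minime.exe"),
    Proc(9, 4, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(12, 1, r"C:\Program Files\Internet Explorer\iexplore.exe"),  # user-started, benign
]

# Constructed listing of the Windows Tasks folder.
SAMPLE_TASKS = ["A3B0D938919B5400.job", "GoogleUpdateTaskMachineUA.job", "5F0E1C2B3A49D8E7.job"]

# A parent executing out of a Temp directory is the anomaly: browsers are normally
# children of explorer.exe or of another browser process.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
# 16 hex digits plus .job, the shape of the random task name quoted in the post.
RANDOM_JOB = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)


def suspicious_iexplore(procs):
    """Return (child pid, parent image) for iexplore.exe processes spawned from a Temp folder."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\iexplore.exe"):
            continue
        parent = by_pid.get(p.ppid)
        if parent is not None and TEMP_DIR.search(parent.image):
            hits.append((p.pid, parent.image))
    return hits


def random_named_jobs(task_names):
    """Return .job files whose names look machine-generated (16 hex digits)."""
    return [t for t in task_names if RANDOM_JOB.match(t)]
```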
Discovered on 21st July 2008 by Daniel Chipiristeanu, Trojan.Downloader.Wimad.A is a highly dangerous piece of malware: it spreads at an alarming rate and causes severe damage to the infected PC. It is essentially a copy of Trojan.Downloader.WMA.Wimad and behaves in the same way. It is downloaded from www.fastmp3player.com. Its authors have been using it for a long time without altering the attack scheme.
The presence of this Trojan produces the following symptoms. If you try to open media files with the “.wma” extension, you will notice the following behaviour:
- A browser page opens to the fastmp3player.com page
- A piece of malware is then downloaded and executed when the user clicks Run in IE
- The malware remains disguised as a file named “Codec.exe” bearing the Windows Media Player icon.
Trojan.Downloader.Wimad.A hides behind a common media file extension and so tricks the user into downloading and executing a piece of malware. It stays disguised by exploiting a software configuration that is unable to play this kind of media. There is a common misconception that malware is found only in executables; because this Trojan arrives under a media file extension, it avoids detection. Finally, it installs itself without the user's knowledge.
Discovered on 18th July 2008 by the virus researcher Ovidiu Visoiu, Trojan.PWS.Onlinegames.ZGE is a very low intensity Trojan. Its damaging impact and spreading power are considerably lower than those of similar Trojans.
This Trojan creates specific files and registry keys. Initially it exists as an executable file, and when launched it performs the following actions:
- It copies itself to %SYSTEM%\[virus_name].exe (e.g. ckvo.exe).
- It drops %SYSTEM%\[virus_name][N].exe (e.g. ckvo1.dll). This file is used to monitor actions inside executable games.
In order to be launched by Internet Explorer (IE), the Trojan creates the files autorun.inf and ffocj.com. These run as exporer.exe files and are injected with the first DLL, which hooks the message exchange between target applications and the system and thus steals user data.
Before these Trojans hit your PC and ruin your valuable data and files, it is wise to scan your PC and keep your antivirus software updated. If you notice any of the symptoms mentioned above or suspect the presence of malware on your PC, the best thing to do is to contact a professional PC security expert and ensure that your data and PC stay safe and guarded.