Numismatic Coin Club World Internet Numismatic Society



From Behind The Green Curtain
- June 2009 -


Howdy everyone,

Sometimes it's hard to imagine how quickly this bi-monthly column comes around, but here we are again. The winter snows have melted and spring has sprung in our mountains, and the wild flowers, as well as my wife's garden, are doing very well. We are already beginning to harvest fresh vegetables and herbs, and the grill is going just about every day. But, then again, the grill is in use whether it's raining or snowing, so that's not much of a change. With all of the clean air and great water we have up here on this mountain there are very few big city things that I miss. One of the things I miss, however, is something that most everyone takes for granted - 4th of July fireworks. In San Diego we could choose from several different places to watch spectacular fireworks shows: the stadium, Sea World, Ocean Beach, and Del Mar, just to mention a few. We had friends who lived where you could actually see most of them all at the same time. It was great! But that's not the case up here. Small towns don't have the funding to do much of anything, so we are relegated to watching fireworks on TV, but it's just not the same. Enjoy your 4th of July holiday, fireworks and all.



WINS Email Lists - Traffic remains very light on the talk list and almost nonexistent on the trade list, but they both appear to be working problem free. If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.



Auction News - The 2009 auction schedule is posted on the Auction introduction web page. Auction 57 had to be postponed a couple of days due to a rare access problem with the Domain's host server, but it was fixed in short order and the auction is underway. You can add your support to the auction by visiting the current auction web page and placing a bid or two. I update the auction page four or five times daily so if you place a bid and it doesn't show up on the page within a reasonable amount of time please drop me an email to make certain that I received your bid.



Infection and Malware Alerts - Listed below are some new and continuing problems reported in May/June to keep your eye out for. Information source: Panda Security's weekly "Virus Alerts" reports on viruses and intruders.

 - - WORMS: - -

SillyBAT.A On reaching users' computers, the SillyBAT.A worm passes itself off as a system folder. It creates a key in the Windows Registry with the text: "Tu has sido derrotado de nuevo por VenoM, Burn in Hell" (You have been defeated by VenoM again, Burn in Hell).

This worm creates files with the Windows library extension. The name begins by COM followed by several random characters. Inside the file is the following sentence: "Quémate en el infierno te desea el verdadero Dios 'Lucifer'" (The real God, 'Lucifer' wants you to burn in hell).

To avoid detection, SillyBAT.A terminates and modifies security programs running on the system. Additionally, it is designed to display an error message with the following text: "la fuente de voltaje de no es suficiente para el correcto funcionamiento del ordenador, vete a quemar al Infierno un rato e inténtelo mas tarde" (there is not enough power supply for the computer to work correctly. Go to hell for a while and try again later). It then blocks the computer and displays a background image with the text: "VenoM". This worm spreads through P2P networks, passing itself off as shared files of programs such as eMule, Ares, etc.

Rimecud.B worm is designed to obtain information from the forms stored in the Internet Explorer and Firefox browsers. This malicious code is distributed through P2P networks, and copies itself to the folders of programs such as: Ares, Bearshare, DC++, eMule, eMule plus, iMesh, Kazaa, LimeWire and Shareaza. Rimecud.B also spreads through MSN Messenger. To do so, it sends a copy of itself to the contacts connected at that moment. Finally, it copies itself to the removable drives, such as USB memory sticks, MP3 players, etc.

EggDrop.AA worm spreads through the Internet and copies itself to the system directory. It creates a file server on the user's PC which it later tries to connect to, allowing remote intruders to monitor the infected computer through IRC channels. The intruder can configure the server and carry out the following tasks:
* Start up an HTTP proxy server.
* Retrieve information about the infected system.
* Start up an FTP server.
* Upload and download files through FTP.
* Modify and delete the Registry settings.
* Search, rename and delete files.
* Search for passwords, e.g. Outlook passwords, passwords of games (WOW, Conquer Online), or information stored in Internet Explorer.
* End specified processes.
* Turn the system off or restart it.
* Enable or disable the services running on the infected computer.
* Create or modify user accounts.
* Execute programs.

This worm allows the attacker to manage the user's computer as if he had physical access to it, with all the risks this involves.

IRCBot.CNE worm sends messages to the infected user's MSN Messenger contacts. Message subjects include:
* Me miro boracho en video que me tomaron en youtube (I see myself drunk in a video on youtube).
* Esta es mi casa de suenos!! (this is my dream house).
* Mira que pedo andaba ayer en la fiesta (look how drunk I was at yesterday's party).
* No me acuerdo si me dormir con esta vieja?? no se que hacer? (I can't remember if I slept with this woman yesterday. I don't know what to do).
* Santo Dios creo que eres tu!!!! (Oh my God, I think it's you!).

These messages include an attachment which is a copy of the worm. On running the file, users are infected with a copy of the worm.

BckPatcher.C worm is designed to modify the desktop background, the Windows Explorer background and the folder icons. Additionally, every time files with certain extensions are executed (DLL, EXE, JPG or RAR) the worm is run instead of the applications associated to those extensions. BckPatcher.C spreads through shared, mapped and removable drives, copying itself to them. Images of the modifications carried out by the worm can be viewed here.

Boface.BJ worm reaches computers in a different way: through email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file-sharing networks, etc. Users are unaware of the infection.

Once the PC is infected, it takes approximately 4 hours to trigger its payload. It does so when users log into their Facebook account. Then, it uses the social network to send the user's contacts a message, including the affected user. View an image of the message here.

On clicking the link, users are directed to a page that resembles YouTube (called "YuoTube") in which a video "should" be displayed. However, in order to see it, users are asked to download a player. If users accept, a fake antivirus is downloaded. Images can be viewed here. Once the download is accepted, the fake antivirus is installed on the computer. It then starts sending users messages informing them their PC is infected and telling them they should buy a solution. Here is the interface displayed by one of the fake antiviruses.

IRCBot.CNK worm is designed to connect to an IRC server to receive remote commands, including:
- Capturing network traffic.
- Downloading any type of file, including malware.
- Updating itself.

This worm also adds itself to the list of authorized applications in the Windows XP firewall. It spreads by exploiting the MS04-011 Microsoft vulnerability. It does this by generating random IP addresses which it then scans looking for computers with port 445 open. If it finds a vulnerable system, it downloads a copy of itself. This worm also spreads by copying itself to all mapped, shared and removable drives on the system.

Autorun.IYQ is a worm that makes a series of modifications to the Windows registry, with the following effects:
* It prevents a session being started up in safe mode.
* It blocks writing to removable devices, preventing files from being copied to the device.
* It prevents numerous files corresponding to security programs from being run.
* It disables several services in the Windows Security Center.

It adds two new entries at the start of the contextual menu for the drives in My computer, which point to a copy of the worm. View an image here.

Joleee.F is a worm that spreads through email advertising pharmaceuticals. It connects to the Internet to download a series of addresses to which it sends spam and consequently tries to infect the recipients. This worm also creates a series of copies of itself on infected computers. View an image here.

KillAV.KP worm is designed to prevent users from accessing websites of antivirus companies and IT security forums. This way, users cannot check security-related issues nor download updates. This malicious code reaches computers in what looks like an image file with an icon of a cat. To avoid being detected, once run KillAV.KP shows users a .GIF animation. View an image here. Meanwhile, it downloads a file to the system which modifies the Windows Registry to prevent users accessing websites of security companies, etc.

PasswordStealer.BM worm steals users' confidential information, such as passwords stored in Internet Explorer. It also steals information regarding the affected computer (version of the operating system, user name and IP address). The information is stored and sent to its creator later on via IRC. There are several tell-tale signs of the presence of this worm. When run, it displays an image of a young person smoking a cigarette (imaged here). It also modifies the homepage of Internet Explorer (imaged here). PasswordStealer.BM uses several techniques to make it more difficult to delete:
- It hides files and folders.
- It conceals file extensions.
- It conceals operating system files.

Additionally, PasswordStealer.BM tries to spread through IRC channels. To do so, it sends random messages with a file called MYPIC.ZIP which contains a compressed copy of itself, to all the users connected to the channel the affected user connects to.

MSNWorm.GI worm is designed to spread through MSN Messenger. To do so, it sends an instant message to the infected user's contacts, tempting them to view a photo. The message includes a link with a URL that resembles Facebook's. On clicking the link, a download window is opened for users to run or save the file (supposedly a photo). The file has a double extension (JPG and EXE) to fool users. This file really consists of an up-to-date copy of the worm. If users open the downloaded file, Facebook's legitimate page will open to fool them and get them to believe there has been an error when they cannot find the new photo.

MSNworm.GM worm spreads using the MSN Messenger instant messaging application. To do this, it sends instant messages to the infected user's contacts inviting them to view a photo. The message contains a file that tries to pass itself off as an image, but is actually a copy of the worm. When the file is run, it displays an error message.

Rimecud.E worm downloads malware from certain Web pages, and is designed to send spam messages while it downloads more malware. Being infected by this worm could result in the user suffering an avalanche of malicious programs. In order to spread, this worm copies itself to folders of P2P applications such as Bearshare and eMule. It also spreads through MSN Messenger. To do so, it sends a copy of the worm to the contacts of the affected user (if connected). It also copies itself to the USB devices connected to the computer and creates an autorun.inf file to be run whenever the infected device is connected to a computer.
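As a defender's check added here (not part of the newsletter or Panda's reports), the Python below triages a mounted drive for the two removable-media tricks the alerts above describe: an autorun.inf that launches an executable (Rimecud.E) and a decoy double extension such as photo.jpg.exe (MSNWorm.GI). The sample drive it builds in a temp directory is constructed for the demo and contains no real malware.

```python
import configparser
import os
import tempfile

EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".pif"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf", ".txt"}

def autorun_target(inf_path):
    """Return what an autorun.inf would launch (open= or shellexecute=), or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(inf_path, encoding="latin-1")
    except configparser.Error:
        return None  # unparsable file: still worth a manual look
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return None
    for key in ("open", "shellexecute"):  # option names are lowercased by the parser
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None

def is_double_extension(name):
    """True for names like photo.jpg.exe: a decoy extension hiding an executable."""
    base, last = os.path.splitext(name)
    return last.lower() in EXEC_EXT and os.path.splitext(base)[1].lower() in DECOY_EXT

def scan_drive(root):
    """Walk a mounted drive and return a list of (kind, detail) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                target = autorun_target(path)
                if target and os.path.splitext(target)[1].lower() in EXEC_EXT:
                    findings.append(("autorun", target))
            elif is_double_extension(name):
                findings.append(("double-ext", path))
    return findings

def demo():
    """Build a constructed sample drive (not real malware) in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\nopen=RECYCLER\\setup.exe\nicon=setup.exe,0\n")
    for fname in ("photo.jpg.exe", "real.jpg"):  # decoy beside a harmless image
        open(os.path.join(root, fname), "w").close()
    return scan_drive(root)
```

Run `scan_drive("/media/usb")` (or the drive letter on Windows) against a real stick; any finding is a reason to look before double-clicking anything on it.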

 - - TROJANS: - -

Kobcka.A is a Trojan designed to send spam messages to various email addresses. It also sends its creator information about the infected computer, for example, the operating system version. This Trojan uses stealth techniques (through a rootkit) to make detection more difficult. It affects the productivity of the computer, the network to which it's connected or other remote sites.

EvilHot.A is a Trojan that modifies the user's logon password that was active at the time of the infection. Once run, the Trojan displays a series of messages and crashes the computer. It then tries to connect to a Web page to download some files. An image can be viewed here.

Sinowal.WHZ Trojan is distributed through emails that purport to come from UPS. Users are informed via email that the service was unable to deliver the package sent to a recipient on a specific date. Additionally, users are prompted to open the attached file, which supposedly contains the receipt. If users open the attached file, they will really be downloading a copy of the Trojan onto their computer. Like most of the variants of this family, Sinowal.WHZ is designed to steal infected users' bank details.

Banbra.GIM is a banker Trojan that affects a banking institution from Brazil. To get the user's banking details, the malicious code passes itself off as a security application that supposedly allows users to connect to their bank more safely. Users are prompted to enter their banking details to complete the process. When they do this, a message is displayed at the end of the process informing them that their account has been secured. The reality, however, is quite different, as the data has been sent to the malware creator.

KillRDLL.A is a Trojan that creates copies of itself every time users access a directory. This file has a Windows folder icon with a hidden extension to make users believe it is a folder. It also creates a copy of itself when users access a subdirectory. Fake folders use names including: Angelina Jolie, Clips, Documents, Favorites, Flash Games, Games, My Documents, My Folder, Picture, Video and WallPapers. When run, it opens the Web page of a search engine that displays false results. Image can be viewed here.

 - - ADWARE: - -

CoreGuard2009 is a fake antivirus type of adware. Like all of its kind, CoreGuard2009 tries to pass itself off as a security solution and simulates a system scan, finding malware strains that are not actually present on the system. It then offers users the possibility of removing that 'malware' by buying a premium version of the product at $76.50. Images of this fake antivirus can be viewed here.

AntivirusDoktor adware is designed to make users believe their computers are infected. The tool performs a false scan of the affected system. Then, it shows a screen as if the computer were infected by dozens of viruses. AntivirusDoktor then offers users the option to eliminate the malware by purchasing a paid version of the fake antivirus. The objective is to profit financially from selling fake antiviruses. If users do not purchase the paid version, the antivirus displays a window every now and again indicating the computer is infected and prompting users into purchasing the paid version. All the adware's images can be viewed here.

FastAntivirus2009 is a fake antivirus adware that simulates a system scan, detecting several malware variants which are really not on the computer. Then, it offers the possibility of disinfecting these 'viruses' by purchasing a paid version of the false antivirus. All this aims at getting financial returns from this malicious code. All the adware's images can be viewed here.

Terminator2009 is a fake antivirus type of adware. When it runs, it simulates a scan (although this is started when users click the scanner button). It then claims to have detected malware. If users follow the program's recommendations, they are redirected to a page where they can purchase a Premium version of the fake antivirus. If not, the adware starts displaying warnings to users claiming that the computer is infected and suggesting they purchase the pay version to eliminate these (non-existent) threats. The overall objective for the creators of this malicious code is to profit from the sale of pay versions of the fake antivirus. Images of this fake antivirus can be viewed here.



As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin





Information contained on this page is posted for WINS Club Members use.
If you have any comments or problems with this or any other Club Site page,
please contact the: Operations Admin.

Copyright © 2009 All Rights Reserved.        Legal Notices