Harrenix.A is a Trojan that reaches computers disguised as a trailer for the forthcoming Harry Potter movie. However, when the user runs the file, instead of a movie being shown, the computer is infected by the Trojan. In order to avoid arousing suspicion, it shows an error message informing the user that as a certain codec is missing, the video cannot be shown, and advises the user to visit the official movie Web site.
"A while back, we saw a similar case with the movie Pirates of the Caribbean. Cyber criminals take advantage of users' interest in these movies to trick them into opening files that actually contain malware," explains Luis Corrons, Technical Director of PandaLabs.
Once it has infected a computer, this Trojan downloads a dialer onto the computer, detected by PandaLabs as Dialer.KJD. This dialer is designed to connect users to the Internet through a more expensive connection than the one they have contracted.
Moaphie.A is a worm that, when it infects a computer, changes the Internet Explorer home page set by the user to a page with malicious content.
This worm captures data from the infected computer. Then it sends it to the author of the worm via email using a template in which it enters the computer name and the name of the user that was logged on when the computer was infected.
In order to spread, Moaphie.A copies itself to the root directory of other drives, and in the USB memory keys. It also creates a file called autorun.inf in these drives in order to run when one of them is accessed.
It can also spread through instant messaging. To do this, every ten milliseconds, it looks for open windows with the text "conversation" which corresponds to the English version of the instant messaging system MSN Messenger. If it finds an open window, it sends a link to a Web page containing a copy of the worm to the user's contacts that are connected at the time.
"Instant messaging services like MSN Messenger, Yahoo! Messenger, AIM, etc. are increasingly popular in both homes and the workplace. This popularity has made them an excellent means for propagating malware, which can thereby reach more computers," says Corrons.
Moaphie.A connects to a Web page, from which it downloads a copy of itself. In order to avoid being deleted, while it is running, this worm looks for all open windows that contain text strings related to various security solutions. If it detects an open window, the worm closes it.
When the user logs on, this worm shows the following error message: Fatal Error: kernel32.dll can't be loaded.
Moaphie.A carries out other malicious actions such as rending unusable the command console, in which it shows the following instant message: THE WORLD-WIDE DONT ACCEPT COMMAND PROMPT!!!!
The second worm in this week's report is Trixcu.A. When this worm is run, it shows an error message. The malicious actions it carries out on infected computers include copying itself to the system or modifying the Windows Registry. One of these modifications allows it to automatically run whenever the computer is restarted.
It also tries to change the name and company with which the operating system is registered. In order to spread, this worm copies itself to the mapped drives on the computer.
The Suarabh.A Trojan is programmed to capture keystrokes, allowing it to steal all types of confidential information entered by the user. This Trojan also creates a report about the applications running on the computer.
Suarabh.A changes the attributes of all the system folders, configuring them as hidden or read-only. It also modifies several Registry entries. One of these modifications disables the menu that allows users to change the folder options, while others prevent them from using the Windows Registry Editor so that they cannot modify the Registry. By doing this, the Trojan tries to protect the changes it has made.
