Stayton Oregon - A wonderful community just 13 miles east of Salem  

Weekly Virus Report : Panda Security's weekly report on viruses and intruders
Posted by Wizbones on 2008/7/18 8:10:00 (16 reads)

This week's PandaLabs report provides information about the Sinowal.VPB and Spammer.AIT Trojans and the Antivirus2008Pro adware.

Sinowal.VPB uses the Windows API to intercept network communications carried out by users. It is also designed to monitor users' access to online banks and capture the data entered (credit card numbers, passwords, etc.). Additionally, Sinowal.VPB creates a copy of itself on the system.

The Antivirus2008Pro adware tries to pass itself off as an antivirus to fool users. To do so, once run it displays a screen informing users they are infected. Soon after, it starts to scan the system and reports fake infections (see photo here: http://www.flickr.com/photos/9696103@N03/2678703471/).

In this case, hackers are after the money obtained by selling a pay-version of a false antivirus (see photo here: http://www.flickr.com/photos/9696103@N03/2679524216/).

The Spammer.AIT Trojan is designed to steal all email addresses stored on the system and save them to a file. Then, it opens a port on the computer and adds itself to the list of authorized applications in the Windows Firewall so that cyber-crooks can access the stolen data.

The information stolen from the infected computers is then stored on a web page. This Trojan's aim is to allow cyber-crooks to store a large number of email addresses for spamming purposes.

For more information or to subscribe to Panda Security's latest threats service, go to:
http://www.pandasecurity.com/spain/homeusers/security-info/

Weekly Virus Report : Panda Security's weekly report on viruses and intruders
Posted by Wizbones on 2008/7/11 5:40:00 (15 reads)

PandaLabs' latest weekly report provides information about the WistaAntivirus adware, and the Buzus.AL and Fractalove.A worms.

WistaAntivirus passes itself off as an antivirus to fool users. When run, the malicious code displays a screen informing users their PC is infected, which is untrue (image here: http://www.flickr.com/photos/9696103@N03/2657324821/). To disinfect the system, users are invited to download anti-spyware software. If they don't, the system connects to a Web page and simulates an online computer scan, once again informing users about non-existent infections.


The adware's objective is purely financial: it makes users believe they are infected so they 'purchase' the antivirus proposed by the malicious code.

Buzus.AL is a worm with bot functions, designed to steal all sorts of credentials and send them to its creator via FTP. To infect more computers, it tries to spread through different channels (shared folders, removable drives, etc.).

Fractalove.A is a worm that spreads through email. To fool users, it passes itself off as a screensaver by the name of to_my_love.scr. If users download and run the file, they will be infected. To divert users' attention, it displays a screensaver with red fractals while it is installed on the computer (image here: http://www.flickr.com/photos/9696103@N03/2657324879/).

This worm has keylogger functions; once on the computer, it steals confidential information and sends it to its creator. The data stolen includes IM passwords, mailbox passwords and passwords of programs like webmoney, etc. Fractalove.A uses the IM and mail information it obtains to send itself through those channels and infect new users.

Further information about these threats is available on the PandaLabs blog: www.pandalabs.com

Weekly Virus Report : Panda Security's weekly report on viruses and intruders
Posted by Wizbones on 2008/6/27 5:30:00 (14 reads)

Madrid, June 27, 2008 - PandaLabs' report this week focuses on the DdonAba.A worm, the Torpig.VIC Trojan, and the OSX/AsTHT.A backdoor Trojan.

DdonAba.A reaches computers with a characteristic icon. When users run the file, it copies an image alluding to the worm's creator in the C:\ drive.

Simultaneously, it creates an Autorun.inf file in the PC's root directories, from drive letter F:\ onwards. It also creates a copy of itself in the c:\windows\system32 folder called Abaddon.exe.
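A defender can check for the Autorun.inf artifact described above by scanning drive roots and listing what each file would launch. The following is an added example, not code from Panda Security or this site; the sample file content and the `sample.exe` target are constructed for illustration.

```python
import os

# Keys in the [autorun] section that make Windows launch a program
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for launch-related keys in the [autorun] section.

    Parsed line by line instead of with configparser, because junk lines
    are common in hostile files and should not abort the scan."""
    found, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found[key] = value
    return found

def scan_roots(roots):
    """Check each drive root for an autorun.inf (any letter case)."""
    findings = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue  # drive letter not mounted or not readable
        for name in names:
            if name.lower() == "autorun.inf":
                path = os.path.join(root, name)
                with open(path, "r", errors="replace") as fh:
                    findings.append((path, parse_autorun(fh.read())))
    return findings

# Constructed sample content, not taken from the worm described above
SAMPLE = ("junk line\n[AutoRun]\n;comment\nOpen = sample.exe\n"
          "shell\\explore\\command=sample.exe /e\nicon=x.ico\n")

if __name__ == "__main__":
    # On Windows: roots F:\ through Z:\, the drive range named in the report
    roots = [f"{chr(c)}:\\" for c in range(ord("F"), ord("Z") + 1)]
    for path, launch in scan_roots(roots):
        print(path, launch)
```

Any finding on a drive that is not installation media deserves a look at the referenced target before the drive is opened in Explorer.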

Finally, DdonAba.A deletes all the files with the .mp3 extension (audio) and the .doc extension (text documents) on the infected drives.

Torpig.VIC, on the other hand, is a banker Trojan designed to steal financial data from specific online banks.

When users run a file infected by the Trojan, the Trojan waits until users type specific text strings (bank names). Then, it intercepts the data entered in the forms, redirects network traffic and modifies replies to browser requests.

It then sends the information to an Internet server so the hacker can access the stolen data and carry out fraudulent operations.

Finally, the OSX/AsTHT.A backdoor Trojan is designed to affect Apple operating systems such as MacOS, Leopard or Tiger.

When run, the backdoor Trojan uses an Apple Remote Desktop Agent vulnerability to gain privilege escalation and administrator permissions. It then copies itself onto the system and sends a mail to its creator reporting the infection. It also associates the victim's IP address to a Dynamic DNS service to continue having access to the infected computer even if the address is modified.

OSX/AsTHT.A accesses the computer through a VNC server (Vine Server) it includes, and through SSH. It also enables a web server where the remote control tool is hosted.

This malicious code drops a keylogger on the system which can capture images through the iSight integrated camera.

Additionally, if more than one user is registered on the PC, it tries to guess their credentials using a brute force program. It is also designed to disable the firewall and disable, delete and modify several system log files to prevent leaving trails and impede detection.

Users can subscribe to our Latest Threats service on RSS, at: http://www.pandasecurity.com/img/enc/rss_last_threats_es.xml?sitepanda=particulares

Panda Security offers several free tools for scanning PCs at: http://www.infectedornot.com

Weekly Virus Report : Panda Security's weekly report on viruses and intruders
Posted by Wizbones on 2008/6/20 6:00:00 (14 reads)

Madrid, June 20, 2008 - This week's PandaLabs report looks at the PGPCoder.E and NoFreedom.A Trojans, as well as an application for creating worms, called Constructor/Wormer.

PGPCoder.E is a ransomware Trojan, i.e. it is designed to seize information and blackmail the user into paying to recover it. It does this by encrypting all non-operating-system files (such as those with DOC, XLS, PDF, TXT, JPG, BMP, etc. extensions) contained on a computer when the file containing PGPCoder.E is run.

At the same time, it releases two files. One of these is called ¡_READ_ME_!.txt, and contains a message informing users that the files have been encrypted and that to obtain the tool for decrypting them, they have to write to a certain email address.

The second file has the same name as the malware, but with a .vbs extension. This file displays a message similar to the one described above.

NoFreedom.A, on the other hand, reaches computers in a file called svch0st.exe with a peculiar icon. When run, it opens Internet Explorer and connects to YouTube to show a video of a certain cartoon series.

However, at the same time it creates several files and Windows registry entries, hiding the clock in the taskbar, disabling permissions to shut down or restart the PC and preventing the task manager from being run.
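The file name svch0st.exe imitates the legitimate svchost.exe, and that kind of masquerading can be flagged from a process or file listing. The following is an added example, not code from Panda Security or this site; the allowlist and its directories are assumptions for illustration and would need to cover every legitimate binary in a real deployment.

```python
import ntpath

# Assumed allowlist (illustrative): system binaries and the directory
# each one is expected to run from on a default Windows install.
KNOWN = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Characters commonly swapped in for look-alike letters
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return (verdict, matched_name) for a Windows path.

    ok              exact name in its expected directory
    wrong-directory exact system name running from somewhere else
    lookalike       name within two edits of a system name after folding
    no-match        nothing on the allowlist resembles it
    """
    directory, name = ntpath.split(path.lower())
    if name in KNOWN:
        verdict = "ok" if directory == KNOWN[name] else "wrong-directory"
        return (verdict, name)
    folded = name.translate(LOOKALIKES)
    for real in KNOWN:
        if edit_distance(folded, real) <= 2:
            return ("lookalike", real)
    return ("no-match", None)

if __name__ == "__main__":
    # Constructed sample paths
    for p in (r"C:\WINDOWS\system32\svchost.exe",
              r"C:\Documents and Settings\user\svch0st.exe",
              r"C:\Temp\svchost.exe"):
        print(p, classify(p))
```

Short names sit close to each other (smss.exe is two edits from lsass.exe), so every legitimate name must be on the allowlist before the look-alike check runs.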

Finally today, Constructor/Wormer is a tool for creating worms through a console in Visual Basic.

Among other characteristics, this malicious tool includes options for compressing the malicious code created, enabling MuteX and selecting the icons to use. The most curious option however, is that users can choose to prevent the malicious code created from infecting removable drives, such as pen drives, etc.

For more information about Constructor/Wormer, go to the PandaLabs blog at: http://pandalabs.pandasecurity.com/archive/T2W-_2D002D003E00_-Trojan-to-Worm.aspx

Users can subscribe to our Latest Threats service on RSS, at: http://www.pandasecurity.com/img/enc/rss_last_threats_es.xml?sitepanda=particulares

Panda Security offers several free tools for scanning PCs at: http://www.infectedornot.com

Weekly Virus Report : Panda Security's weekly report on viruses and intruders
Posted by Wizbones on 2008/6/13 6:30:00 (15 reads)

Madrid, June 13, 2008 - PandaLabs' report this week focuses on the Banbra.FUD and Dadobra.APK Trojans, and the MalwareProtector 2008 adware.

The Banbra.FUD Trojan uses the Microsoft Internet Explorer icon. When run, the file with the malicious code establishes an FTP connection with a specific IP address, loading the file with the name of the affected computer followed by the word Aviso (Warning).

Banbra.FUD creates several files on the infected system and keys in the Windows registry. When users connect to specific online Brazilian banks, an error message is displayed and a window with a spoof bank URL is opened where users are asked to enter their login details.

On reentering their credentials, the Trojan intercepts them and adds them to the text file, which is later sent via FTP to the IP address mentioned earlier.

Additionally, this Trojan deletes security application files and other banker malware files.

The Dadobra.APK Trojan is designed to download other files infected by banker malware, generically detected as Banbra.FTX by Panda Security solutions.

When users run a file infected by Dadobra.APK, a video in which a football field is shown is played, to fool users while the Trojans continue carrying out malicious actions.

Finally, MalwareProtector 2008 is an adware (program designed to show unwanted advertising) which simulates system scans and encourages users to buy software to delete the malware which has supposedly been found.

When run, it modifies the desktop wallpaper, displaying a message informing users the computer is infected by spyware. Then, a window is displayed recommending users to download anti-spyware software. If the download is rejected, a screensaver with cockroaches eating the desktop wallpaper is displayed.

If users download the application, it simulates a computer scan and displays a list of the malware supposedly installed on the system. If users choose to delete the malicious code, a message is returned claiming the software is not registered and users must pay to use it.

Users can subscribe to our Latest Threats service on RSS, at http://www.pandasecurity.com/img/enc/rss_last_threats_en.xml?sitepanda=particulares

Panda Security offers several free tools for scanning PCs at: http://www.infectedornot.com


Copyright © 2007 Stayton.net | This site is privately owned by Wizbones PC