Artesimda Trojan, Rinbot.Q, Spamta.WF, SpamtaLoad.DW - Panda's Weekly Report - 2007/04/20
This week's report focuses on the Artesimda Trojan and on Rinbot.Q, a worm that exploits two Windows vulnerabilities to spread. It also covers a new combined attack involving two members of the Spamta family.
The attack is carried out by the Spamta.WF worm and the SpamtaLoad.DW Trojan. When the Trojan infects a computer, it downloads the worm; the worm then harvests every email address it finds on that computer and sends each one a message carrying the SpamtaLoad.DW Trojan. Every recipient who runs the attachment restarts the cycle.
The subject and body of the emails carrying SpamtaLoad.DW vary from message to message. Subjects seen include Error, Good day and hello, among others. The attached file that contains the malware uses names such as body, data or doc with a range of extensions (.msg, .txt,…).
The SpamtaLoad.DW file carries a text-file icon although it is really an executable. The aim is to entice users into opening what looks like a document and so running the Trojan without realizing it. To divert the user's attention once it runs, SpamtaLoad.DW displays an error message. An icon says nothing about what a file is; the file's actual contents do, which is what any attachment check should look at.
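One check the disguise described above invites, as an added example that is not part of Panda's report: given an attachment's claimed file name and its raw bytes, flag document-looking names whose content actually begins with a Windows PE (MZ/PE) header. The .txt and .msg extensions come from the report; the other extensions in DOCUMENT_EXTENSIONS, the function names and the sample attachments (including the minimal MZ/PE header stub) are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# Extensions a mail might use to make an executable pass as a document.
# .msg and .txt are the ones named in the report; the rest are assumed extras.
DOCUMENT_EXTENSIONS = {".txt", ".msg", ".doc", ".rtf", ".pdf"}


def looks_like_pe(data: bytes) -> bool:
    """True if data carries a Windows PE image header (MZ stub + 'PE\\0\\0').

    The MZ header stores the offset of the PE signature in the 4-byte
    little-endian field e_lfanew at offset 0x3C; both are checked, so a
    text file that merely starts with the letters MZ is not flagged.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def claimed_extension(filename: str) -> str:
    """Extension the file name asks the user to believe (lower-cased, with dot)."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


@dataclass
class Finding:
    filename: str
    reason: str


def check_attachment(filename: str, data: bytes) -> Optional[Finding]:
    """Return a Finding when a document-looking name hides PE content."""
    ext = claimed_extension(filename)
    if ext in DOCUMENT_EXTENSIONS and looks_like_pe(data):
        return Finding(filename, f"claims {ext} but carries a PE executable header")
    return None


def scan_attachments(attachments: Iterable[tuple]) -> list:
    """Run check_attachment over (filename, bytes) pairs, keeping only hits."""
    return [f for f in (check_attachment(n, d) for n, d in attachments) if f]


def fake_pe_stub() -> bytes:
    """Constructed sample: the smallest MZ/PE header shape, not a real binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40 bytes of MZ header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> PE sig at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample attachments mirroring the names used by the Spamta mails.
SAMPLE_ATTACHMENTS = [
    ("body.txt", fake_pe_stub()),                                       # disguised PE
    ("data.msg", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64),  # OLE2 (real .msg shape)
    ("doc.txt", b"Good day,\r\nplease see the attached file.\r\n"),      # plain text
]

if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{finding.filename}: {finding.reason}")
```

Only body.txt is reported: the OLE2 and plain-text samples do not carry an MZ/PE header, so a benign .msg or .txt is left alone even though its name is on the watch list.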
Rinbot.Q exploits two Windows vulnerabilities, one in the DNS Server service and one in the Local Security Authority Subsystem Service (LSASS) process. The worm also acts as a downloader, fetching further malware onto the affected computer. When run, Rinbot.Q checks whether certain network monitoring programs are installed and deletes any it finds. It also terminates the processes of several rootkit detection tools to make detection harder.
Rinbot.Q can also spread through network shares, and it adds a Windows registry entry so that it runs at every system startup.
Artesimda is a dangerous Trojan. When run, it creates a Windows account with a user name of its own, Adminestrator (a lookalike of Administrator), and its own password. It then steals data of every kind from the computers it infects: passwords for email and other programs, hardware and software details, the IP address, email addresses…
The Trojan also lets attackers take control of infected computers by running a remote administration tool on them. “As the attacker already knows the computer's IP address and has their own password on the computer, they can access the computer and modify or steal all the information that they want,” explains Luis Corrons, Technical Director of PandaLabs.
Artesimda can monitor users' Internet activity and capture everything they enter in Web forms: online banking data, email and blog passwords, and so on. All of this information is then sent to the malware author through a Web server.
It also modifies the Windows Registry to disable the Windows XP firewall and to run at every system startup. To make detection more difficult, the Trojan uses rootkit techniques, so a disabled firewall or an unexpected Adminestrator account may be the only visible sign of infection.
“Malware creators want to make the most out of each infection; that's why they include several features in a single malware specimen. This way, they increase their chances to get confidential data from users,” explains Corrons.