
Lumension Security Experts Warn of New, Virulent Trojan

Researchers at security company Lumension warn that a new Trojan, which propagates like a conventional virus and buries itself deep in a user's system, could prove to be a virulent threat.

Paul Henry, Security Guru at Lumension, states in a blog post that the new threat, which Symantec identified as Trojan Virut.CF and Sophos labeled Scribble-A, could result in severe problems. It combines a mix of infection techniques with proliferation capabilities similar to those of the recent Conficker, said Henry, as reported by eWeek on April 29, 2009.

Henry further warns that the malware's ability to remotely access computers and to proliferate like the virus W32/Scribble-A or W32.Virut.CF is set to cause immense trouble for networks in future.

He writes that the Trojan plants itself deep inside infected systems, which makes it very difficult to remove. Moreover, the malware is believed to be cracking some vital business software by installing itself on it.

Meanwhile, Henry is studying a sample that includes a keystroke-logging program, which has not so far transferred any information to a remote server.

Additionally, several reports are coming in about the Trojan's widespread impact on various organizations. Typically, the attack starts with Web-based malware, and once it gains a foothold on a network, it uses open shares to spread itself. It also targets different URLs displayed on screen to download more malicious programs, thereby affecting the entire network's performance while it proliferates.

Moreover, Conficker, the older variants of W32.Virut.CF, used infected USB memory sticks during February-March 2009 to spread the infection, and also took advantage of the many users who had not deployed the MS08-067 update to compromise their computers.

However, the existing variant of Virut.CF is polymorphic and uses a packer along with several levels of encryption to escape detection by security software. Further, it alters the hosts file of the infected computer so that the system cannot access an antivirus website. Finally, the worm modifies .scr and .exe files, along with .html, .htm, .asp and .php files, by injecting an infected IFrame.
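A defender-side check for the two tampering behaviours described above, hosts-file entries that override antivirus domains and iframes injected into web files, written as an added example that is not from the original article. The watched domains, the sample inputs and the "invisible iframe with an absolute URL" heuristic are assumptions; the article does not describe the injected markup.

```python
import re
from html.parser import HTMLParser

# Assumption: placeholder vendor domains; substitute the update and support
# domains of the security products actually deployed.
WATCHED = ("av-vendor.example", "av-updates.example")

# Constructed sample inputs (not taken from a real infection).
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.av-vendor.example download.av-updates.example  # added entry
10.0.0.5 fileserver.corp.example
"""
SAMPLE_HTML = """<html><body><h1>Intranet</h1>
<iframe src="/menu.html" width="200" height="400"></iframe>
<iframe src="http://injected.example/x" width="1" height="1"></iframe>
</body></html>"""

def pinned_vendor_hosts(hosts_text, watched=WATCHED):
    """Return (address, hostname) pairs where a hosts file overrides a watched domain."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, split on whitespace
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((fields[0], host))
    return hits

class _IframeFinder(HTMLParser):
    """Collect iframes that load an absolute URL and are sized or styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", a.get("style", ""), re.I)
        if re.match(r"(https?:)?//", a.get("src", "").strip(), re.I) and (tiny or hidden):
            self.hits.append(a["src"].strip())

def hidden_external_iframes(html_text):
    """Return the src of every invisible, externally sourced iframe in html_text."""
    finder = _IframeFinder()
    finder.feed(html_text)
    return finder.hits
```

A clean hosts file has no reason to list a security vendor's domain at all, so any hit from `pinned_vendor_hosts` is worth investigating regardless of the address it points to.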


» SPAMfighter News - 5/13/2009
