MyWebSearch was the malware most frequently detected this week by TotalScan, Panda Security’s online scanner for detecting active and latent malware. MyWebSearch is a PUP (Potentially Unwanted Program) that installs a toolbar that changes results displayed by some search engines to redirect users to certain vendors’ web pages.
There are eight PUPs among the Top Ten malicious codes detected by TotalScan. “One of the reasons for the widespread distribution of this type of malware is the fact that many users think it is harmless. However, it poses a threat to their privacy, and some malware is even capable of downloading other types of malicious code, including Trojans, onto infected systems”, explains Luis Corrons, Technical Director of PandaLabs.
Of all the new malicious codes analyzed this week by PandaLabs, this week’s report looks at the IRCPass.A backdoor and the MSNFunny.B and Sohanat.CU worms.
IRCPass.A is designed to allow cyber-crooks to take control of computers via HTTP and steal their passwords, for example, passwords saved by the auto-complete feature in Internet Explorer or Opera.
This malicious code opens a system port and waits to receive commands from its creator, who will be notified every time the backdoor infects a computer.
MSNFunny.B spreads through MSN Messenger. To do this, it closes all currently open MSN Messenger windows and sends all the targeted user’s contacts a message with an attached .zip file and a text enticing users to open it. This text can be written in several languages, for example: “lol you got to see this” or “viu este?”.
The worm creates several copies of itself on the system and connects to the Internet to download other malicious codes, like Dialer.KOS and the Sfc.A.mod Trojan.
MSNFunny.B creates a new key in the Windows Registry to run on every system restart and modifies other entries to, for example, disable the Registry editor. It also disables notifications from the firewall and antivirus updates and operating system updates. All this is designed to leave the PC more vulnerable to future attacks.
Sohanat.CU also spreads through instant messaging. To do this, the worm sends random messages to the infected user’s contacts that are connected to the application at the time the malware is run. These messages include: “hot pics this week” or “:D who is beside you in this pic”. Finally, the message shows a link that takes the user to a worm download.
This malware performs malicious actions such as changing the Internet Explorer home page, disabling the option that allows users to change it, or preventing access to the Windows Task Manager. Finally, it edits the Windows Registry to ensure it is run every time the system is started up.
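The registry changes described for MSNFunny.B and Sohanat.CU can be checked for in an exported registry file. The following is an added example, not PandaLabs code: the report names no registry keys, so the paths below are the standard Windows locations for these settings (an assumption), and the sample export is constructed.

```python
import re

# Standard Windows locations for the settings the report says are tampered with.
# The report names no keys; this mapping is an assumption of this example.
POL = r"software\microsoft\windows\currentversion\policies\system"
SEC = r"software\microsoft\security center"
IEP = r"software\policies\microsoft\internet explorer\control panel"
RUN = r"software\microsoft\windows\currentversion\run"
TAMPER = {
    (POL, "disableregistrytools"): "Registry editor disabled",
    (POL, "disabletaskmgr"): "Task Manager disabled",
    (SEC, "firewalldisablenotify"): "Firewall notifications disabled",
    (SEC, "antivirusdisablenotify"): "Antivirus notifications disabled",
    (SEC, "updatesdisablenotify"): "Update notifications disabled",
    (IEP, "homepage"): "IE home page setting locked",
}
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# Constructed sample in .reg export format (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"example-entry"="C:\\Users\\Public\\example.exe"
'''

def audit(reg_text):
    """Return (tamper findings, Run-key entries to review) from a .reg export."""
    findings, autoruns, key = [], [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].partition("\\")[2].lower()  # drop the hive name
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.groups()
        label = TAMPER.get((key, name.lower()))
        if label and data.lower().startswith("dword:") and int(data[6:], 16) != 0:
            findings.append(label)   # restriction is switched on
        elif key == RUN:             # listed for manual review, not a verdict
            autoruns.append((name, data.strip('"').replace("\\\\", "\\")))
    return findings, autoruns
```

Entries under the Run key are returned for review only; legitimate software uses the same key, so each one still has to be checked against what is expected on the machine.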