IM Worm Opens Backdoor

Wednesday, November 16, 2011 @ 07:11 AM gHale


An executable file that usually arrives through instant messaging applications, pretending to be an Office Genuine Advantage Checker, is a worm that can open a backdoor and let attackers take control of a machine.

The file, written in Visual Basic, comes as an executable called office_genuine.exe. Even though Microsoft retired its OGA program almost a year ago, the application that pretends to check the legitimacy of Office products is still circulating, said researchers at Bitdefender.


The piece of malware, identified as Win32.Worm.Coidung.B, does not come alone; it brings a guest in the form of a file infector detected as Win32.Virtob. It is not yet certain whether the two were combined on purpose.

As soon as it executes, the worm disables the operating system's firewall and opens a gateway through which the mastermind behind the operation sends malicious commands. After gaining control of the system, the attacker can do almost anything, from DoS to data theft.

By copying itself into several hidden locations, including the registry and the start-up folder, the virus makes sure that it runs again every time the computer starts.
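The two behaviours described above (a disabled firewall and autostart copies in the registry and Startup folder) are what a responder would check first. The following PowerShell audit is an added example, not code from the article or from Bitdefender; it assumes the standard Windows Run/RunOnce keys and Startup folders as persistence points, the file name reported in the article, and Windows 8 / Server 2012 or later for Get-NetFirewallProfile.

```powershell
# Added example (not from the article): look for the reported file name in the
# usual autostart locations and report any Windows Firewall profile that is off.
$SuspectName = 'office_genuine.exe'   # file name reported by Bitdefender

# Standard Windows autostart keys (assumption: the worm uses one of these)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Findings = @()

# Registry autostart entries whose command line references the suspect file
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip provider metadata
        if ("$($P.Value)" -match [regex]::Escape($SuspectName)) {
            $Findings += [pscustomobject]@{ Location = $Key; Name = $P.Name; Value = $P.Value }
        }
    }
}

# Per-user and all-users Startup folders; -Force also lists hidden files
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($Dir in $StartupDirs) {
    Get-ChildItem -Path $Dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $SuspectName } |
        ForEach-Object {
            $Findings += [pscustomobject]@{ Location = $Dir; Name = $_.Name; Value = $_.FullName }
        }
}

# The worm disables the firewall: flag any profile that is not enabled
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $Findings += [pscustomobject]@{ Location = 'Firewall'; Name = $_.Name; Value = 'Disabled' }
}

if ($Findings.Count -eq 0) { 'No indicators found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable; a disabled profile is worth investigating even when no autostart entry is found.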

Virtob, on the other hand, is no angel either. Even though it seems to be along only to observe what Coidung is doing, it is actually very harmful, especially to web applications.

The virus avoids virtual machines and emulators, and it feeds on ASP, HTM and PHP scripts while it awaits further commands from its master.

Even though malware that presents itself as a Windows Genuine Advantage Validation Notification tool, or even as a Windows Genuine tool, is not new, it always comes with new malicious elements attached, and that is why it is important to keep anti-virus up to date.
