Virus Alerts, by Panda Security (http://www.pandasecurity.com)
This week's PandaLabs report looks at the Koobface.EA worm, designed to
spread through Facebook; the Pidief.A Trojan, which exploits an Adobe
vulnerability to infect users; and P2Pworm.BJ, a worm designed to steal
the information users enter in online forms.
To spread via Facebook, the Koobface.EA worm posts a video on the
infected user's Facebook page, where all their friends and contacts can see
it. On trying to watch the video, users are redirected to a page similar
Then, they are asked to download an Adobe Flash Player update that is
supposedly needed to watch the video. That file is actually a copy of the
worm.
To make the attack even more dangerous, the worm downloads a second
malicious program onto the infected computer: the rogue antivirus
AntiSpyware Pro 2009. This fake antivirus simulates a system scan that
reports dozens of non-existent malware strains, then offers to remove them
with a paid "full" version of the product.
As you can see, the objective is to get financial returns from this
You can find images of the infection process here:
The Pidief.A Trojan exploits the Adobe vulnerability CVE-2009-1862 to
infect users. The exploit triggers this known flaw when a PDF document
containing an embedded Flash object is opened.
Adobe Reader and Acrobat can play Flash objects embedded in .PDF files:
through the authplay.dll library, the reader loads the Flash player and
renders the content. In this case, the crafted Flash object passed to the
player exploits the flaw and causes a malware file (Trj/Pidief.A) to be
downloaded. No Flash content is ever displayed to the user.
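The practical question for a defender is how to tell whether a PDF carries an
embedded Flash object at all, before it ever reaches authplay.dll. The following
Python is an added example written for this page, not Panda Security's tool or
code from the report. It looks for the markers Acrobat uses to wire SWF content
into a document (a /RichMedia annotation, an embedded file with the SWF MIME
type) and for SWF file headers (FWS, CWS, ZWS) at the start of any stream,
inflating FlateDecode streams so a compressed SWF is not missed. The sample PDF
is constructed inline with zero-padded stub "SWF" bodies; it is not a real
exploit. The function names (`scan_pdf`, `build_sample_pdf`) are this example's
own.

```python
import re
import zlib

# SWF file headers: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# PDF dictionary keys that indicate Flash content wired into the document.
# /RichMedia annotations are the container Acrobat 9 uses for embedded SWF.
FLASH_MARKERS = (
    (rb"/Subtype\s*/RichMedia", "RichMedia annotation"),
    (rb"/Subtype\s*/Flash", "RichMedia asset of subtype Flash"),
    (rb"/application#2Fx-shockwave-flash", "SWF MIME type on embedded file"),
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def stream_bodies(pdf: bytes):
    """Yield (label, bytes) for every stream body, plus its inflated form when
    the body is a valid zlib/FlateDecode stream."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        yield "stream", body
        try:
            yield "inflated stream", zlib.decompress(body)
        except zlib.error:
            pass  # not Flate-encoded (or not decodable); nothing to inflate


def scan_pdf(pdf: bytes) -> list:
    """Return a sorted list of indicators that the PDF carries embedded Flash."""
    findings = set()
    for pattern, label in FLASH_MARKERS:
        if re.search(pattern, pdf):
            findings.add(label)
    for where, body in stream_bodies(pdf):
        if body[:3] in SWF_MAGIC:
            findings.add("SWF header %s in %s" % (body[:3].decode(), where))
    return sorted(findings)


def build_sample_pdf() -> bytes:
    """Constructed sample (not real malware): a minimal PDF with two embedded
    SWF files, one stored raw with a CWS header and one FlateDecode-compressed
    with an FWS header. The SWF bodies are zero padding, not Flash bytecode."""
    raw_swf = b"CWS\x0a" + b"\x00" * 8
    deflated_swf = zlib.compress(b"FWS\x0a" + b"\x00" * 8)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent "
        b"<< /Assets << /Names [(a.swf) 5 0 R (b.swf) 7 0 R] >> >> >> endobj",
        b"5 0 obj << /Type /Filespec /F (a.swf) /EF << /F 6 0 R >> >> endobj",
        b"6 0 obj << /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash"
        b" /Length %d >>\nstream\n" % len(raw_swf) + raw_swf + b"\nendstream\nendobj",
        b"7 0 obj << /Type /Filespec /F (b.swf) /EF << /F 8 0 R >> >> endobj",
        b"8 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(deflated_swf) + deflated_swf + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for hit in scan_pdf(build_sample_pdf()):
        print("suspicious:", hit)
```

This is a triage heuristic, not a parser: it will miss Flash content hidden in
object streams (/ObjStm) or in an encrypted PDF, and it only inflates Flate
streams. A hit does not prove the document is malicious, only that it hands
content to the Flash player, which is the attack surface the text describes.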
Pidief.A can be used by its creator to download more malware to the
affected computer, or to gain total or partial control of the infected
P2Pworm.BJ is a worm designed to steal the information users enter in
online forms in the Internet Explorer and Firefox browsers.
The worm uses the following means to spread:
- Peer-to-peer (P2P) file sharing programs: It creates copies of itself
in the shared directories of several programs (Ares, BearShare, Emule,
Imesh and Shareaza).
The users of these programs can access the shared directories remotely
and download some of the files belonging to P2Pworm.BJ to their
- Removable drives: It copies itself to the RECYCLER folder of removable
drives and creates an AUTORUN.INF file on them so that Windows AutoRun
launches the copy every time the drive is accessed.
- MSN Messenger: It sends messages carrying a copy of itself to the user's
contacts who are online at the time of infection.
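The removable-drive vector above is easy to check for by hand: the telltale is
an AUTORUN.INF whose launch command points into a folder such as RECYCLER that
Explorer normally hides. The following Python is an added example for this page,
not Panda Security's code. It parses the [autorun] section of a drive's
autorun.inf (tolerating the junk lines worms insert to trip up naive parsers),
extracts the program each launch key (open, shellexecute, shell\open\command)
would run, flags launches from hidden system folders, and confirms whether the
target actually exists on the drive. The sample drive is a constructed temp
directory; the SID-like folder name and "system.exe" are made up, and the
function names (`assess_removable_drive`, `build_sample_drive`) are this
example's own.

```python
import os
import tempfile

# Folders a worm hides its dropper in so the drive still looks empty in Explorer.
SUSPICIOUS_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
# [autorun] keys that make Windows AutoRun execute something.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section with lower-cased keys.
    Hand-rolled rather than configparser so lines without a delimiter (junk a
    worm may insert) are skipped instead of raising."""
    section, pairs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs[key.lower()] = value
    return pairs


def first_token(command: str) -> str:
    """Program path from a command line, honouring a quoted first argument."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def assess_removable_drive(root: str) -> dict:
    """Inspect a drive root for an autorun.inf and report what it would launch."""
    report = {"autorun_present": False, "commands": {}, "findings": [], "suspicious": False}
    inf = next((os.path.join(root, n) for n in os.listdir(root)
                if n.lower() == "autorun.inf"), None)
    if inf is None:
        return report
    report["autorun_present"] = True
    with open(inf, encoding="latin-1", errors="replace") as fh:
        commands = parse_autorun(fh.read())
    report["commands"] = commands
    root = os.path.normpath(root)
    for key in LAUNCH_KEYS:
        if key not in commands:
            continue
        target = first_token(commands[key])
        rel = target.replace("\\", "/").lstrip("/")
        top = rel.split("/", 1)[0].lower()
        if top in SUSPICIOUS_DIRS:
            report["findings"].append(f"{key} launches from {top}/")
            report["suspicious"] = True
        if os.path.splitext(rel)[1].lower() in EXEC_EXT:
            full = os.path.normpath(os.path.join(root, rel))
            # Stay inside the drive: a "..\" in the command must not make us look elsewhere.
            if full.startswith(root + os.sep) and os.path.isfile(full):
                report["findings"].append(f"{key} target exists on drive: {rel}")
    return report


def build_sample_drive() -> str:
    """Constructed sample (not a real infection): a temp directory laid out the
    way the text describes, with a dropper under RECYCLER and an autorun.inf
    pointing at it. The SID-like folder name and file name are made up."""
    root = tempfile.mkdtemp(prefix="usb_")
    dropper_dir = os.path.join(root, "RECYCLER", "S-1-5-21-0-0-0-1000")
    os.makedirs(dropper_dir)
    with open(os.path.join(dropper_dir, "system.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not an executable
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(
            "[autorun]\n"
            "open=RECYCLER\\S-1-5-21-0-0-0-1000\\system.exe\n"
            "shell\\open\\command=RECYCLER\\S-1-5-21-0-0-0-1000\\system.exe\n"
            "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
            "\x01\x02garbage line without a delimiter\n"
        )
    return root


if __name__ == "__main__":
    report = assess_removable_drive(build_sample_drive())
    print("suspicious" if report["suspicious"] else "clean", report["findings"])
```

Run it against the root of a mounted USB stick to get the same report for a real
drive. The check does not read the hidden/system attributes the worm sets on its
files, so a clean verdict here only means AutoRun is not pointed at a hidden
folder; the durable fix is to disable AutoRun for removable media entirely.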
More information about these and other malicious codes is available in
the Panda Security Encyclopedia