Tanatos. (Virus Notes).

Tanatos is a Windows attachment about 50 KB in size (it is packed with the UPX compression utility) and written in Microsoft Visual C++. The worm spreads via email attachment files with differing subject lines, body texts, attachment names and even formats, all of which make it harder to identify infected email messages from their external properties. Infected messages are consistently in plain text or HTML format. With the plain text version, users must actively open the attached file, thereby letting the worm loose. With the HTML version, after the worm arrives in the inbox of a potential victim, Tanatos waits for its email message to be read (for example, in the preview window); once this occurs, by exploiting the "IFRAME" vulnerability in the Windows Explorer security system, it secretly launches itself and infects the machine.

To spread over local area networks, the Tanatos worm goes through all accessible network resources and searches for the Windows system auto-run directory, where it copies itself so that it will execute the next time the infected computer is booted. This function can only work if general write permission is enabled on the directory. After activation, Tanatos registers itself in the system registry auto-run key so that its malicious code will activate each time Windows is booted.

Tanatos also contains a Trojan horse function that makes it an exceptionally dangerous program by creating a system breach and exposing confidential data. In particular, Tanatos sets a keyboard "bug" that records all keyboard actions, including system passwords, to a specified file (KEYLOGGER.DLL) in the Windows system directory. Another interesting particularity of this worm is its attempts to close active processes, especially anti-virus programs and personal firewalls. Those who control the Tanatos worm can dictate file downloading, transferring, copying, deleting and executing, and can also force processes to abort, etc. To carry out these operations Tanatos secretly opens an HTTP server and presents its "master(s)" with a Web interface for controlling an infected system. Potential victims of Tanatos are computers hosting the Klez worm, as both worms exploit the "IFRAME" vulnerability in the Windows Explorer security system.

www.kaspersky.com
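Because the note stresses that subject lines, body texts and attachment names all vary, a mail-gateway check has to look at message structure rather than external properties. The following is an added example, not code from Kaspersky or from the note above; it assumes the usual shape of an HTML message that launches from the preview pane: an HTML part containing a hidden IFRAME whose src references an attached part by Content-ID (cid:), where that part is a Windows executable. The sample messages are constructed inline, not captured worm mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Hidden-IFRAME pattern: an <iframe> whose src points at an attached MIME part
# by Content-ID ("cid:..."). Matching the body structure is the point, because
# subject, text and attachment name are all varied by the worm.
IFRAME_CID_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?cid:([^'\"\s>]+)", re.IGNORECASE
)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def attachment_is_executable(part):
    """True if the part looks like a Windows executable by name or by MZ header."""
    name = (part.get_filename() or "").lower()
    if name.endswith(EXECUTABLE_SUFFIXES):
        return True
    data = part.get_payload(decode=True) or b""
    return data[:2] == b"MZ"  # DOS/PE executables start with "MZ"


def scan_message(raw_bytes):
    """Return one finding per executable attachment that an HTML IFRAME auto-loads."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(
                m.group(1).strip("<>")
                for m in IFRAME_CID_RE.finditer(part.get_content())
            )
    findings = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid and cid in referenced and attachment_is_executable(part):
            findings.append({
                "cid": cid,
                "filename": part.get_filename(),
                "subject": str(msg["Subject"]),
            })
    return findings


def build_suspicious_sample():
    """Constructed sample message (hypothetical, not real worm mail)."""
    msg = EmailMessage()
    msg["Subject"] = "Re: your document"
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_alternative(
        "<html><body>Please see the attached file."
        '<iframe src="cid:payload1" width="0" height="0"></iframe></body></html>',
        subtype="html",
    )
    # Constructed stand-in for an executable: an "MZ" header followed by padding.
    msg.add_attachment(
        b"MZ" + b"\x00" * 62, maintype="application", subtype="octet-stream",
        filename="readme.exe", cid="<payload1>",
    )
    return msg.as_bytes()


def build_benign_sample():
    """Constructed control message: same wording, no IFRAME, non-executable attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Re: your document"
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_alternative(
        "<html><body>Please see the attached file.</body></html>", subtype="html"
    )
    msg.add_attachment(
        b"%PDF-1.4 constructed sample", maintype="application", subtype="pdf",
        filename="notes.pdf",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("suspicious", build_suspicious_sample()),
                       ("benign", build_benign_sample())):
        print(label, scan_message(raw))
```

The check deliberately ignores the subject line and attachment name as signals on their own; an executable that is referenced from a zero-size IFRAME is flagged regardless of what it is called, while the same wording with a PDF attachment and no IFRAME produces no finding.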