FTP server
An FTP server is opened by the trojan on port 1000 or 10000, allowing FTP access to the files on an affected machine.
Steals Sensitive Information
The trojan gathers information from the infected computer, such as:
Clipboard data
Keylogs of sensitive information
IP address of the infected machine
Owner registration of the Windows product
Internet banking and Webmoney details
ICQ numbers
E-mail server names, port numbers and passwords from Protected Storage
At the time of publishing, current variants are almost certain to include the keylogging functionality, and also attempt to steal the user's Internet banking details.
The trojan sends the information gathered to an e-mail address. This is done by either obtaining the default e-mail account details of the affected machine, or by connecting to mail servers specified inside the code. Recent variants have also been observed to use a POST request to send the collected data via HTTP to a remote web server.
Backdoor Functionality
A backdoor is generally opened up on TCP port 1001, although in later variants the port may be randomly selected. This backdoor accepts commands for several functions, including:
Execute local programs
Open the CD drive
Close the CD drive
Play a sound file
Display a message box
Capture an image of the user's screen
Change the e-mail address that keystroke captures and other stolen data are sent to.
Whilst the above are common Backdoor functions of this family, several variants have also been seen to:
Open an IRC-controlled Backdoor
Members of the Bambo family have been seen to connect to an IRC server in order to be commanded to perform DDoS (Distributed Denial of Service) attacks on targets.
Run under Internet Explorer
Certain Bambo variants run their backdoor threads under the guise of Internet Explorer, writing the thread into the process memory of Internet Explorer. This means that Internet Explorer processes will be seen to be running, as well as the trojan.
Edits Hosts file
Some variants have been seen to edit the Windows hosts file (which contains the mappings of IP addresses to host names; %System%\drivers\etc\hosts or %windows%\hosts.sam) effectively stopping an affected user from visiting the following sites:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
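As an added defender-side check (not part of the original write-up), the following Python parses hosts-file text and flags any entry that maps one of the vendor names listed above to an address, which is the tampering this family performs; the sample hosts content is constructed for the example.

```python
"""Flag hosts-file entries that hijack the security-vendor names listed above."""
from typing import List, Tuple

# The 36 hostnames from the list above, as the trojan writes them.
BAMBO_BLOCKED_SITES = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com",
    "www.avp.com", "www.ca.com", "www.f-secure.com", "www.kaspersky.com",
    "www.mcafee.com", "www.my-etrust.com", "www.nai.com",
    "www.networkassociates.com", "www.sophos.com", "www.symantec.com",
    "www.trendmicro.com", "www.viruslist.com",
}

# Constructed sample: a normal header plus the kind of lines the trojan appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\tsymantec.com   www.symantec.com  # added by trojan
127.0.0.1       liveupdate.symantec.com
0.0.0.0         kaspersky.com
192.0.2.10      intranet.example   # legitimate corporate entry
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; blank lines and '#' comments are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()                 # tabs or spaces both separate
        ip, names = fields[0], fields[1:]     # one address may map several names
        for name in names:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def find_hijacked_entries(text: str) -> List[Tuple[str, str]]:
    """Entries whose hostname is one of the vendor sites the trojan blocks."""
    return [(ip, n) for ip, n in parse_hosts(text) if n in BAMBO_BLOCKED_SITES]


if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a live system, read the contents of %System%\drivers\etc\hosts and pass them to find_hijacked_entries; a legitimate hosts file has no reason to map any of these names.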
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=39314