Weekly Report on Viruses and Intruders:This week's report focuses on the Artesimda Trojan and a worm, Rinbot.Q, that uses several vulnerabilities to spread. It also covers a new combined attack involving members of the Spamta family.

This attack, performed by the Spamta.WF worm and the SpamtaLoad.DW Trojan, consists of the following: when the Trojan infects a computer, it downloads the worm, which, in turn, collects all of the e-mail addresses it finds on the computer and sends them a message containing the SpamtaLoad.DW Trojan. The process then starts all over again.

SpamtaLoad.DW is installed on computers with a text file icon, although it is really an executable file. This aims at enticing users to open the document and run the Trojan inadvertently. To divert the user's attention, SpamtaLoad.DW displays an error message.

Rinbot.Q exploits two Windows vulnerabilities (one affecting DNS Servers and the second affecting the Local Security Authority Subsystem -- LSASS -- process). This worm has downloader features, enabling it to download other malware onto the affected computer. When run, Rinbot.Q checks to see if there are certain network monitoring programs installed on the system. If it finds any, it deletes them. It also ends processes belonging to several rootkit detection tools to make detection more difficult.

Rinbot.Q can also spread through shared network drives and alters the Windows registry to ensure it is run on every system startup.

Artesimda is a dangerous Trojan. When run, it creates an account in Windows with its own user name (Adminestrator) and password. Then it steals all kinds of data from the computers it infects: e-mail and other programs' passwords, hardware and software data, IP address, e-mail addresses, etc.

(Read Original Article - Via GT: Security and Privacy.)