Zhelatin mutants storm virus charts

By on
Zhelatin mutants storm virus charts

Raft of new variants detected.

The Zhelatin virus is challenging Bagle and Warezov for the dubious honour of number one virus after eight new variants were detected in the past four days, security experts have warned.

Kaspersky Lab said that Zhelatin.s, .t and .u were detected on 8 February, while Zhelatin.v was detected on 9 February. Four more variants, .w to .z, were detected during the weekend of 10-11 February.

The most significant of these is Zhelatin.u, which Kaspersky Lab currently rates as a 'moderate' risk.

Zhelatin first appeared on 19 January and 26 variants have so far been detected by Kaspersky since 22 January.

Zhelatin.u spreads via email as an infected attachment. The subject line, message body and attachment are variable.

The worm itself is a Portable Executable, between 5KB and 54KB in size, packed with UPX. The worm copies itself to the hard disk and modifies the registry to load automatically on start-up.

The worm terminates a range of antivirus and firewall applications and adds a rule to the system firewall to prevent its own activity from being blocked.

It also launches an SMTP proxy server on TCP port 25, allowing a remote hacker to use the infected machine as part of a spam botnet.

Zhelatin.u registers itself on the remote site, sending the network address of the victim machine before downloading a file containing the botnet configuration. This file is used to get data from the victim machine and to send spam.

The worm uses a rootkit to hide its own processes, files and registry changes. Kaspersky detects this component as 'Email-Worm.Win32.Banwarum.f'.

David Emm, senior technology consultant at Kaspersky Lab, said: "Zhelatin.u is just a re-packed version of an earlier Zhelatin variant. It is broadly similar in behaviour to several earlier variants, although there are significant differences.

"The Proactive Defense Module in KAV 6.0 and KIS 6.0 is able to block this new threat without the need for new signatures. Nevertheless, we recommend that users update their antivirus databases as soon as possible."
Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk

Most Read Articles

Log In

  |  Forgot your password?