Thursday, November 17, 2011

Win32.Worm.Coidung.B Posing as Office Genuine Advantage Program, Spreading via Chat Messenger

Win32.Worm.Coidung.B is a little crazy. A worm has been spotted in the wild, spreading through Yahoo Messenger and tunneling deep into victims’ computers in order to wreak havoc.

The worm, identified by Bitdefender as Win32.Worm.Coidung.B, poses as an Office Genuine Advantage checker, a tool Microsoft once used to validate copies of Microsoft Office – similar to the Windows Genuine Advantage system in place today. The worm is being spread via a file called “office_genuine.exe.”

Once the Coidung worm gains entry into the victim’s computer, it goes straight to work – disabling the Windows firewall, creating copies of itself that it hides within several system folders under a variety of names, modifying registry keys to ensure the files run on startup, and opening a backdoor to allow its author to control the PC remotely, recruit it into a DDoS attack or download additional malware.

To make things worse, Coidung comes bundled with a virus, Win32.Virtob. It is unknown whether the virus was planted inside the Coidung worm intentionally or if it happened to hitch-hike a ride somehow along the way. Either way, the Virtob virus is happy to do its own thing by infecting ASP, HTM and PHP scripts while it waits patiently for a command from its controller.

Users should avoid downloading any executable files shared via messenger programs or unsolicited emails to minimize the chances of Win32.Worm.Coidung.B - or any other malware - making its way onto their machine.

It’s recommended that you always keep your PC protected by running up-to-date antivirus software that offers real-time scanning and a personal firewall in addition to exercising caution when dealing with files downloaded from the internet.

Photo Credit: Kokotron

Be sure to follow us on Twitter @hyphenet and “Like” us on Facebook to stay up-to-date on the latest PC security threats.
