Tanatos - A Worm with a "Trojan" In Its Pocket

30 Sep 2002
Virus News


A new multi-component virus gathers steam. Kaspersky Lab, an international data-security software developer, announces the detection of a new Internet worm called Tanatos (also known as "BugBear"), which is currently spreading via email and local area networks and is busy hijacking confidential information from infected computers. Kaspersky Lab has already received confirmation of Tanatos infections in the UK and other countries.

Tanatos is a Windows attachment about 50 KB in size (packed with the UPX compression utility) and written in Microsoft Visual C++. The worm spreads via email attachments with differing subject lines, body texts, attachment names and even formats, all of which make it harder to identify infected messages from their external properties. Infected messages are in either plain text or HTML format. With the plain text version, users must actively open the attached file, thereby letting the worm loose. With the HTML version, once the message arrives in the inbox of a potential victim, Tanatos waits for it to be read (for example, in the preview window); as soon as this occurs, it exploits the "IFRAME" vulnerability in the Windows Explorer security system to launch itself secretly and infect the machine.

To spread over local area networks, the Tanatos worm goes through all accessible network resources and searches for the Windows system auto-run directory, where it copies itself so that it will execute the next time the infected computer is booted. This only works if the directory is writable by everyone. After activation, Tanatos registers itself in the system registry auto-run key so that its malicious code activates each time Windows is booted.

Tanatos also contains a Trojan horse function that makes it an exceptionally dangerous program, creating a system breach and exposing confidential data.
In particular, Tanatos installs a keyboard "bug" that records all keystrokes, including system passwords, to a specified file (KEYLOGGER.DLL) in the Windows system directory. Another notable particularity of this worm is its attempts to terminate active processes, especially anti-virus programs and personal firewalls.

Full control over infected computers: on infected machines, those who control the Tanatos worm can dictate file downloading, transferring, copying, deleting and executing, and can also force processes to abort. To carry out these operations Tanatos secretly opens an HTTP server and presents its "master(s)" with a Web interface through which to control the infected system.

Computers hosting the Klez worm are potential victims of Tanatos, as both worms exploit the same "IFRAME" vulnerability in the Windows Explorer security system. "When taking into account the fact that Klez, to this day, still maintains first place in the list of most widespread virus programs, it is possible to expect Tanatos to do its share of damage as well," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.

The defense against Tanatos has already been added to the Kaspersky Anti-Virus databases. Please update your anti-virus software. A patch for the Internet Explorer IFRAME vulnerability is available from Microsoft. More details on the Tanatos Internet worm are available in the Kaspersky Virus Encyclopedia.
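The HTML delivery path described above (a message that launches its own attachment as soon as it is rendered in a preview window) can be screened for at the mail gateway before any client renders it. The following is an added example, not code from Kaspersky Lab or from the original article, of a small mail filter that parses a MIME message, collects the attachments it carries, and flags any HTML body whose `<iframe>` points via a `cid:` reference at an attachment that is not an image. It assumes the IFRAME trick takes that shape (an iframe source resolving to an executable attachment in the same message); the two sample messages, the `cid` labels and the attachment name `update.exe` are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample: an HTML body with a hidden iframe whose src resolves,
# via cid:, to an executable attachment carried by the same message.
# The base64 payload is placeholder bytes ("abc"), not a real binary.
SUSPICIOUS_MSG = b"""From: sender@example.invalid
To: user@example.invalid
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>hello<iframe src="cid:exe-part" width="0" height="0"></iframe></body></html>
--B1
Content-Type: application/octet-stream; name="update.exe"
Content-ID: <exe-part>
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

YWJj
--B1--
"""

# Constructed sample: an ordinary HTML newsletter with an inline image.
BENIGN_MSG = b"""From: news@example.invalid
To: user@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B2"

--B2
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:logo"> Hello</body></html>
--B2
Content-Type: image/png; name="logo.png"
Content-ID: <logo>
Content-Disposition: inline; filename="logo.png"
Content-Transfer-Encoding: base64

YWJj
--B2--
"""

# Extensions that Windows will execute directly when opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Captures the src attribute of any <iframe ...> tag, quoted or not.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def _content_id(part):
    """Return the bare Content-ID of a MIME part (without angle brackets), or None."""
    cid = part.get("Content-ID")
    return cid.strip().strip("<>") if cid else None


def find_iframe_attachment_refs(raw_message):
    """Parse a raw MIME message and report iframes that load a non-image attachment.

    Returns a list of findings, each a dict with the iframe src, the
    referenced attachment's filename and content type, and the reason.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parts_by_cid = {}
    html_bodies = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_type() == "text/html":
            html_bodies.append(part.get_content())
        cid = _content_id(part)
        if cid:
            parts_by_cid[cid] = part

    findings = []
    for html in html_bodies:
        for src in IFRAME_SRC.findall(html):
            if not src.lower().startswith("cid:"):
                continue  # external iframes are a different policy question
            target = parts_by_cid.get(src[4:])
            if target is None:
                continue  # dangling reference; nothing to launch
            filename = target.get_filename() or ""
            ctype = target.get_content_type()
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "iframe loads executable attachment"
            elif not ctype.startswith("image/"):
                reason = "iframe loads non-image attachment"
            else:
                continue
            findings.append({"src": src, "filename": filename,
                             "content_type": ctype, "reason": reason})
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        print(label, find_iframe_attachment_refs(raw))
```

The check is deliberately content-type agnostic for the executable case: it keys on the attachment's filename extension as well as the declared type, because a message can declare any MIME type it likes for an attachment while the iframe still causes the file to be opened. A filter built on this would quarantine the message rather than rely on every recipient's client having the IFRAME patch applied.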