Doctor Web—the Russian anti-virus developer company—warns users of a Trojan horse family added to the Dr.Web virus database as BackDoor.Volk. These Trojan horses modify the hosts file and execute commands received from a remote server. Interestingly, the Trojan horses supposedly originate in South America.
Doctor Web's virus laboratory has received an entire brood of these Trojan horses. BackDoor.Volk.1 was the first one. Curiously, this Trojan horse is written in PHP, a language used primarily for scripts and server-side applications, and is then converted into an executable with the php2exe utility. The malicious program modifies the hosts file, which maps DNS names to IP addresses on the compromised system and is consulted before any DNS query is made.
Machines infected with BackDoor.Volk can be joined into botnets controlled through a specially designed administration panel. Doctor Web's analysts got hold of a database dump from a server controlling a botnet comprised of BackDoor.Volk bots. The database contains entries for around 100 bots, and the infected machines are spread across many countries. Most of them are located in Chile (31%) and Uruguay (13%), followed by Peru (8%), Argentina (4%) and Spain (3%). The least affected countries are the U.S. and India (2%), as well as Canada, Colombia, and Brazil (1%). The remaining 34% of infected machines are listed under the country label "Unknown"; some of them may be in Russia.
BackDoor.Volk.3 and BackDoor.Volk.4, also written in Visual Basic, are modifications of BackDoor.Volk.2 featuring different routines to communicate with the remote server. Their other features are similar. The hosts file modification function of the Trojan horse is the most dangerous one, since criminals can use it to redirect a potential victim to a phishing site without touching DNS, while stolen FTP server access passwords may be used to gain unauthorized access to various websites. Signatures of all known BackDoor.Volk modifications have been added to the Dr.Web virus database.