Tuesday, July 06, 2004

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 2 2004 - This week's report on viruses and intruders will focus
on three backdoor Trojans -Webber.S, Webber.P and Agent.E-, two Trojans
-Bankhook.A and Scob.A-, and three new Korgo variants.

Webber.S and Webber.P are two backdoor Trojans that allow malicious users to
access remote computers, steal confidential information and send it to
several websites. These two variants differ in their means of distribution.

Webber.P spreads by modifying the configuration of web servers that run IIS
5.0 (Internet Information Services). As a result, these servers include
malicious JavaScript code -detected by Panda Software as Exploit/DialogArg-
in the pages they host. This code exploits an Internet Explorer
vulnerability so that Webber.P is downloaded and run on the visitor's
computer without the user's consent.

Webber.S is also distributed when users visit certain web pages that
include malicious JavaScript code. Due to a vulnerability in Internet
Explorer, this code causes Webber.S to be downloaded and run on the
computer without the user realizing.

Webber.P opens two TCP ports in order to make the affected computer act as a
proxy server.

The third backdoor Trojan in today's report is Agent.E, which installs
itself on the affected computer when users visit certain web sites. This
malicious code creates a dynamic link library (DLL) on the targeted
computer, which takes control of certain features of the Internet Explorer
browser. Agent.E allows the following actions to be carried out: obtaining
information from the system, accessing files belonging to several
applications, using objects for communication, etc.

The Trojan Bankhook.A installs itself on the affected computer by exploiting
the MhtRedir Internet Explorer vulnerability. Bankhook.A modifies the
affected computer's Windows Registry to ensure it is run every time
Internet Explorer is launched.

Bankhook.A searches the HTTPS traffic generated on the affected computer for
text strings related to different online banks. Since it is loaded whenever
Internet Explorer runs, it reads this data inside the browser before it is
encrypted, so HTTPS alone does not protect against it. If it finds a match,
Bankhook.A steals confidential information (user names, passwords, account
numbers, credit card numbers, etc.) and sends it to a remote computer
through a script.

The second Trojan in today's report is Scob.A, which only affects Windows
XP/2000/NT computers that act as web servers with IIS (Internet Information
Services) 5.0 installed. Scob.A modifies the server's settings so that
malicious code (Exploit/DialogArg) is included in every file the server
delivers to visitors.
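Webber.P and Scob.A above produce the same server-side symptom: a script block that a compromised IIS 5.0 server adds to every page it serves. The following Python script is an added example, not code from Panda Software or from this report. It is a check an administrator could run over captured responses from their own server; the pages below are constructed sample data, and the host malware.example is a fictitious stand-in for the download site. It flags content trailing the closing </html> tag, scripts loaded from a host other than the site itself, and, most telling for this kind of compromise, the same trailer present on every page.

```python
"""Flag pages that carry an injected trailing script (Scob.A / Webber.P symptom).

Added example, not from the Panda report. Sample pages are constructed and
the script host 'malware.example' is fictitious.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

END_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>",
                       re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def trailing_content(html):
    """Return whatever follows the last </html> tag; a clean page gives ''."""
    last = None
    for last in END_HTML_RE.finditer(html):
        pass
    return html[last.end():].strip() if last else ""


def foreign_script_hosts(html, site_host):
    """Hosts of <script src=...> tags that point somewhere other than the site."""
    hosts = set()
    for attrs, _body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if not m:
            continue  # inline script, no src attribute
        host = urlsplit(m.group(1)).hostname  # None for relative URLs
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)


def page_findings(html, site_host):
    """Human-readable findings for one response body (empty list = clean)."""
    findings = []
    tail = trailing_content(html)
    if tail:
        findings.append("content after </html>: %r" % tail[:60])
    for host in foreign_script_hosts(html, site_host):
        findings.append("script loaded from foreign host %s" % host)
    return findings


def scan_site(responses, site_host):
    """responses: {path: body}. Returns (findings per path, trailer shared by
    every page or None). A trailer common to all pages points at a
    server-wide injection rather than a single defaced file."""
    report = {path: page_findings(body, site_host)
              for path, body in responses.items()}
    tails = Counter(trailing_content(body) for body in responses.values())
    tails.pop("", None)
    shared = None
    if tails:
        tail, count = tails.most_common(1)[0]
        if count == len(responses) and count > 1:
            shared = tail
    return report, shared


# Constructed sample data for the example.
SITE = "www.example.com"
CLEAN_PAGES = {
    "/index.htm": "<html><head><title>Home</title></head>"
                  "<body>Welcome</body></html>\n",
    "/about.htm": '<html><body>About us <script src="/js/menu.js"></script>'
                  "</body></html>\n",
}
INJECTED_TAIL = '<script src="http://malware.example/x.js"></script>'
INFECTED_PAGES = {path: body + INJECTED_TAIL + "\n"
                  for path, body in CLEAN_PAGES.items()}

if __name__ == "__main__":
    for label, pages in (("clean", CLEAN_PAGES), ("infected", INFECTED_PAGES)):
        report, shared = scan_site(pages, SITE)
        print(label, "shared trailer:", shared)
        for path, findings in report.items():
            print(" ", path, findings or "ok")
```

The per-page checks are deliberately simple; the site-wide comparison is what separates a footer injected by the server's configuration from an ordinary edit to one page. Run it against responses fetched from the server itself, since a visitor's cached copy may predate the compromise.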

We are going to finish this week's report with variants U, V and W of Korgo.
All three exploit the Windows LSASS vulnerability to spread automatically
to computers via the Internet. Even though they can affect all Windows
platforms, they can only spread automatically to Windows XP/2000 computers.
All three Korgo variants connect to several websites and try to download
files from them. They also send those websites information on the country
in which the affected computer is located.

Korgo.U, Korgo.V and Korgo.W go memory resident and, unlike other malicious
code that exploits the LSASS vulnerability to affect computers, they do not
display an error message with a countdown clock or restart the affected
computer.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- Backdoor Trojan: this is a program that enters the computer and creates a
backdoor through which it is possible to control the affected system without
the user realizing.

- Internet Information Server (IIS): this is a Microsoft server designed for
publishing and maintaining web pages and portals.

- Dynamic Link Library (DLL): a library of code that Windows programs load
at run time; the file normally has the extension .DLL.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.