Sunday, July 18, 2004

- Weekly report on viruses and intruders -   
 
Virus Alerts, by Panda Software (http://www.pandasoftware.com) Madrid, July 16, 2004 - This week's report on viruses and intruders will focus on four malicious codes: three worms -Bagle.AF, Atak.A and Korgo.Z- and the Trojan Xebiz.A.
 
Bagle.AF uses its own SMTP engine to send itself out via email to all the addresses it finds in files with the following extensions on the affected computer: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP.
 
Bagle.AF ends the processes belonging to security products, such as antivirus protection, and connects to different PHP scripts. This worm also contains code to create a backdoor that opens a port and listens on it.
 
Today's second worm is Atak.A, which spreads via email in a message with variable characteristics that contains an attachment with a double extension. The first is JPG or GIF, followed by a random number of blank spaces, and the second is EXE.
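The padded double extension described above is easy to check for at a mail gateway. The following is an added example written for this post, not code from Panda Software: it reports the extension Windows will actually honour for an attachment name and flags the image-then-blanks-then-EXE pattern. The list of executable and decoy extensions is an assumption of the example; the report only names JPG, GIF and EXE.

```python
import re

# Extensions Windows executes on double-click (assumed list, not from the report).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Harmless-looking first extensions; JPG and GIF are the two the report names.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc"}

# stem . decoy-ext <optional run of blanks> . real-ext
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[A-Za-z0-9]{2,5})"
    r"(?P<pad>[ \t]*)\.(?P<real>[A-Za-z0-9]{2,4})$"
)


def classify_attachment(filename: str) -> dict:
    """Return the extension Windows will honour and why the name is suspicious, if it is."""
    m = _DOUBLE_EXT.match(filename)
    if m:
        decoy, pad, real = m["decoy"].lower(), m["pad"], m["real"].lower()
        if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
            # Blank padding pushes ".exe" out of sight in narrow attachment columns.
            reason = "padded double extension" if pad else "double extension"
            return {"real_ext": real, "suspicious": True, "reason": reason}
    # No disguise detected: judge by the final extension alone.
    real = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if real in EXECUTABLE_EXTS:
        return {"real_ext": real, "suspicious": True, "reason": "executable attachment"}
    return {"real_ext": real, "suspicious": False, "reason": "ok"}


def flagged_attachments(names):
    """Return only the attachment names that should be quarantined."""
    return [n for n in names if classify_attachment(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["holiday.jpg               .exe", "photo.GIF.EXE", "holiday.jpg", "report.exe", "README"]
    for n in sample:
        print(repr(n), classify_attachment(n))
```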
 
When Atak.A has infected a computer, it looks for email addresses in all the files it finds with an ADB or WAB extension, and in files that are smaller than 81920 bytes in size and have one of the following extensions: ASP, CFG, CGI, DBX, EML, HTM, HTML, JSP, LOG, MBX, MHT, MSG, NCH, ODS, PHP, SHT, TBB, UIN, VBS and XML.
 
Then, it sends itself out to all the addresses it has found using its own SMTP engine. Atak.A creates a mutex to ensure that only one copy of the worm is running.
 
It also checks if a debugger is enabled on the affected computer and, if it is, ends it.

The final worm in this week's report is Korgo.Z, which exploits the Windows LSASS vulnerability to spread via the Internet and get into computers.
 
It also affects all Windows platforms, but can only automatically get into computers running Windows XP or 2000 that have not been correctly updated.
 
The Z variant of Korgo goes memory resident and tries to download files from a series of websites, and also sends these websites information about which country the computer is located in. Like the worm mentioned above, Korgo.Z creates a mutex to prevent two copies of the worm from being run at the same time.
 
We are going to finish today's report with Xebiz.A, a Trojan that connects to a website in order to download a Trojan called Zerolin.A to the affected computer.
 
What's more, it creates several files and generates several entries in the Windows Registry to ensure that it is run whenever the computer is started up.
 
Xebiz.A has been mass-mailed in messages with variable characteristics. However, all messages include a form with a button. When the user clicks on this button, Zerolin.A is downloaded.
 
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
 
Additional information:
 
Debugger: A tool for reading the source code of programs.
 
Mutex: Some viruses can use a mutex to control access to resources (examples: programs or even other viruses) and prevent more than one process from simultaneously accessing the same resource.
 
More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/glossary/default.aspx
 
NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.