Monday, August 16, 2004

New Virus Variants - Bagle.AM and Leritand Trojan

- Weekly report on viruses and intrusions -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, August 13, 2004 - Today's report will focus on the AM variant of Bagle, on the Trojans Leritand.A, Leritand.B and Leritand.C, and on the Toquimos.A Trojan.

Bagle.AM appeared at the beginning of this week and rapidly infected a large number of computers. It spreads via email in a message with no subject line, carrying an attachment that has a variable name and a ZIP extension.

This file contains two items:

- Illwill.A, an HTML file containing an exploit that Bagle.AM uses to infect the computer without the user noticing.

- An EXE file, which is run when the user opens the Illwill.A file.

Once it has infected a computer, Bagle.AM tries to download a file disguised as a JPG image from several websites; if the download succeeds, the worm starts spreading. What's more, Bagle.AM also spreads through P2P (peer-to-peer) file-sharing programs.

Bagle.AM opens a TCP port on affected computers and listens on it, giving a remote attacker a way into the computer. The worm also terminates the processes of various programs, including antivirus update programs, so that they can no longer offer protection against new viruses.

Similarly, if the computer is infected by a variant of Netsky, Bagle.AM prevents that worm from running when Windows starts up.
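The delivery pattern described above (an empty Subject and a ZIP attachment bundling an HTML file with an EXE) is easy to triage at the mail gateway. The following Python script is an added example, not Panda Software's code: it builds a constructed sample message, then scores it against that pattern by reading only the ZIP's member names, never extracting or opening them. The sender, recipient and attachment filename are placeholders.

```python
"""Added example (not Panda Software's code): a triage check for the Bagle.AM
mail pattern described above, i.e. an empty Subject and a ZIP attachment that
bundles an HTML file together with an EXE. The sample messages are constructed
here; nothing is downloaded or executed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def build_sample_message(subject: str, zip_members: dict) -> bytes:
    """Constructed test input: a MIME message with one ZIP attachment whose
    members are given as {filename: bytes}. Member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in zip_members.items():
            zf.writestr(name, data)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "victim@example.invalid"        # placeholder address
    msg["Subject"] = subject                    # "" reproduces the empty subject
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photo_0932.zip")
    return msg.as_bytes()


def zip_member_names(payload: bytes) -> list:
    """Return the member names of a ZIP payload, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def looks_like_bagle_am(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the Bagle.AM delivery pattern.
    Only ZIP metadata is read; members are never extracted to disk or opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    findings = {"empty_subject": subject == "",
                "zip_with_html_and_exe": False,
                "zip_members": []}
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        is_zip = filename.endswith(".zip") or ctype in (
            "application/zip", "application/x-zip-compressed")
        if not is_zip:
            continue
        names = [n.lower() for n in zip_member_names(part.get_payload(decode=True))]
        findings["zip_members"].extend(names)
        exts = {n.rsplit(".", 1)[-1] for n in names if "." in n}
        # The Bagle.AM archive pairs an HTML file (the exploit carrier) with an EXE.
        if exts & {"htm", "html"} and "exe" in exts:
            findings["zip_with_html_and_exe"] = True
    findings["match"] = findings["empty_subject"] and findings["zip_with_html_and_exe"]
    return findings


if __name__ == "__main__":
    suspicious = build_sample_message("", {"photo.html": b"<html></html>", "photo.exe": b"MZ"})
    benign = build_sample_message("Holiday photos", {"photo.jpg": b"\xff\xd8\xff"})
    for label, raw in (("suspicious", suspicious), ("benign", benign)):
        print(label, looks_like_bagle_am(raw))
```

This is a structural heuristic rather than a signature: it fires on the combination of traits the report describes, so a ZIP with an HTML file and an EXE under a normal subject is recorded but not flagged as a match, and a subjectless message with an ordinary attachment is not flagged either.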

Leritand.A, Leritand.B and Leritand.C are Trojans that change the prefix used for web addresses starting with www, so that such addresses are redirected through a third-party website, which then opens the web page the user originally requested.

What's more, these malicious codes disable the URL handlers for the its, ms-its and mhtml protocols, which prevents some help systems that depend on them from working.

Leritand.A, Leritand.B and Leritand.C also change the default home page and search page in Internet Explorer and add links to the Favorites folder.
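The two changes described above (a hijacked www prefix and disabled its/ms-its/mhtml handlers) can be checked from a registry export taken during an investigation. The following Python script is an added example, not Panda Software's code. The report does not name the registry keys involved; the paths used here are the ones Internet Explorer consults for URL prefixes (URL\Prefixes under HKEY_LOCAL_MACHINE) and for pluggable protocol handlers (PROTOCOLS\Handler under HKEY_CLASSES_ROOT), stated from Windows documentation rather than from the report. Both exports and the CLSID values in them are constructed placeholders.

```python
"""Added example (not Panda Software's code): audit a Windows registry export
(.reg text) for the two settings the Leritand Trojans tamper with, as described
above. The key paths are where Internet Explorer keeps its URL prefixes and its
pluggable protocol handlers (an assumption not stated on the page); the exports
below are constructed, and the CLSIDs in them are placeholders."""
import re
from typing import Dict, List, Optional

PREFIX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes"
HANDLER_BASE = r"HKEY_CLASSES_ROOT\PROTOCOLS\Handler"
EXPECTED_PREFIXES = {"www": "http://", "ftp": "ftp://"}
HANDLERS_TO_CHECK = ("its", "ms-its", "mhtml")

# A key maps to its string values, or to None when the export deletes the key.
RegKeys = Dict[str, Optional[Dict[str, Optional[str]]]]


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> RegKeys:
    """Minimal parser for REGEDIT 5 exports. Only REG_SZ data is decoded, which
    is all this check needs; dword:/hex: values are skipped. A line such as
    "Name"=- records a deleted value as None, and [-Key] a deleted key."""
    keys: RegKeys = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            name = m.group(1)
            if name.startswith("-"):
                keys[name[1:]] = None
                current = None
            else:
                current = name
                keys[current] = {}
            continue
        if current is None or not line or line.startswith(";"):
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if not m:
            continue
        vname = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data == "-":
            keys[current][vname] = None
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][vname] = _unescape(data[1:-1])
    return keys


def audit(keys: RegKeys) -> List[str]:
    """Report Leritand-style tampering: a hijacked or missing www/ftp prefix,
    and its/ms-its/mhtml handlers that were deleted or stripped of their CLSID."""
    findings: List[str] = []
    prefixes = keys.get(PREFIX_KEY) or {}
    for name, expected in EXPECTED_PREFIXES.items():
        actual = prefixes.get(name)
        if actual is None:
            findings.append(f"URL prefix '{name}' is missing")
        elif actual != expected:
            findings.append(f"URL prefix '{name}' hijacked: {actual!r} (expected {expected!r})")
    if HANDLER_BASE in keys:  # only judge handlers when that tree was exported
        for proto in HANDLERS_TO_CHECK:
            values = keys.get(f"{HANDLER_BASE}\\{proto}")
            if values is None:
                findings.append(f"protocol handler '{proto}' deleted")
            elif not values.get("CLSID"):
                findings.append(f"protocol handler '{proto}' has no CLSID (handler disabled)")
    return findings


# Constructed: an export showing the tampering described in the report.
TAMPERED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"www"="http://redirector.example.invalid/?"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler]

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
"CLSID"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its]
"CLSID"=-

[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
"""

# Constructed: the same keys on a clean machine (placeholder CLSIDs).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"www"="http://"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler]

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
"CLSID"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its]
"CLSID"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
"CLSID"="{00000000-0000-0000-0000-000000000002}"
"""

if __name__ == "__main__":
    for label, export in (("tampered", TAMPERED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, audit(parse_reg_export(export)) or ["no findings"])
```

The www check compares against the exact value "http://": anything else, including a legitimate-looking URL with a query string appended, means a bare www address typed into the browser is first sent somewhere the user did not ask for. Handlers are only judged when the PROTOCOLS\Handler tree itself appears in the export, so a partial export does not produce false "deleted" findings.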

We are going to finish today's report with Toquimos.A, a Trojan that only affects Nokia Series 60 cell phones. It cannot spread on its own, as it must be installed and run by the user.

Its most common means of propagation is P2P file-sharing networks. When it is run, Toquimos.A checks whether the phone has a pirated version of a game installed.

If it has, it sends an SMS to a premium-rate phone number without the user's permission. This SMS is sent every time the game is run.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Exploit: A technique or program that takes advantage of a vulnerability or security hole in a certain communication protocol, operating system, or other IT utility or application.

- P2P (Peer to peer): A program or network connection used to offer services via the Internet (usually file sharing), which viruses and other types of threats can use to spread. Some examples of this type of program are KaZaA, eMule and eDonkey.

More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/glossary/default.aspx