Friday, March 04, 2005

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, March 4, 2005 - Today's report will focus on two worms (Bagle.BN and
Mytob.A) and two Trojans (Mitglieder.BO and Tofger.AT).

In order to infect as many computers as possible, Bagle.BN and
Mitglieder.BO work hand in glove. Mitglieder.BO reaches computers as a file
attached to an email message, called price.zip or price2.zip, among other
names. If the user runs this file, the Trojan activates and tries to connect
to an Internet address, from which it downloads the Bagle.BN worm onto the
computer. Once Bagle.BN has been installed, it sends Mitglieder.BO to the
addresses it finds in a file called EML.EXE, which is also downloaded from
the Internet. To do this, the worm uses its own SMTP engine.

Mitglieder.BO ends the processes belonging to various antivirus and security
applications and overwrites the Windows hosts file to prevent users from
connecting to certain web pages.

Bagle.BN opens TCP port 80 and listens for a remote connection. When one is
established, it gives the remote party access to the infected computer,
allowing actions that compromise confidential user information or impede
the tasks the user is carrying out.

The second worm in today's report is Mytob.A, which spreads both via email,
in a message with variable characteristics, and directly over the Internet.
In the latter case it attacks random IP addresses, on which it tries to
exploit the LSASS vulnerability.

Mytob.A connects to an IRC server and waits for remote control commands,
which it then carries out on the affected computer. What's more, it removes
variants of other worms such as Netsky, Sobig, Bagle and Blaster.

The next malicious code is the Tofger.AT Trojan, which is downloaded to the
PC when users visit certain web pages that use different exploits (such as
LoadImage, ByteVerify and MhtRedir.gen) to push malware onto computers. This
Trojan installs itself as a Browser Helper Object (BHO), so that it runs
whenever Internet Explorer is opened.

Tofger.AT tracks the actions carried out by users and the passwords they use
to access web pages over secure HTTPS connections, which are typically used
to log on to systems such as online banking. What's more, whenever it
detects certain names in the URL, it tries to capture the passwords for the
following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays,
lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar,
portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell,
bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon,
lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. Once it has
captured this information, Tofger.AT sends it to a server.
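Because Tofger.AT persists as a Browser Helper Object, a defender can look for it by enumerating the BHO registrations that Internet Explorer loads at startup. The following is an added example (not from Panda's report or from any vendor tool) that parses a constructed .reg export of the HKLM Browser Helper Objects key and the matching CLSID\InprocServer32 entries, and lists every BHO not on an administrator-maintained allowlist together with the DLL it loads; the CLSIDs, DLL paths and allowlist are hypothetical.

```python
import re

# Constructed .reg export of the two key families that define a BHO: the
# registration under Explorer\Browser Helper Objects and the CLSID's
# InprocServer32, which names the DLL Internet Explorer will load.
# CLSIDs and paths are hypothetical, not real products or indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-0000-0000-0000-000000000002}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\ieupd32.dll"
"""

BHO_KEY = "\\Explorer\\Browser Helper Objects\\"
# Allowlist of CLSIDs the administrator has vetted (hypothetical value).
KNOWN_GOOD = {"{11111111-0000-0000-0000-000000000001}"}


def parse_reg(text):
    """Return (set of registered BHO CLSIDs, dict CLSID -> InprocServer32 DLL)."""
    bhos, servers, key = set(), {}, None
    for line in text.splitlines():
        m = re.match(r"\[(.+)\]$", line.strip())
        if m:                                  # a new key header
            key = m.group(1)
            idx = key.find(BHO_KEY)
            if idx != -1:
                bhos.add(key[idx + len(BHO_KEY):].lower())
            continue
        if key and key.endswith("\\InprocServer32") and line.startswith('@="'):
            clsid = key.split("\\")[-2].lower()
            servers[clsid] = line[3:-1].replace("\\\\", "\\")  # un-escape .reg path
    return bhos, servers


def suspicious_bhos(text):
    """BHOs absent from the allowlist, paired with the DLL each loads into IE."""
    bhos, servers = parse_reg(text)
    known = {c.lower() for c in KNOWN_GOOD}
    return sorted((c, servers.get(c, "<no InprocServer32>")) for c in bhos - known)


if __name__ == "__main__":
    for clsid, dll in suspicious_bhos(SAMPLE_REG):
        print(f"unvetted BHO {clsid} -> {dll}")
```

On a live system the same two key families can be exported with reg.exe and fed to this parser; a BHO whose DLL sits in a system directory but is unknown to the allowlist deserves a closer look.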

Wednesday, March 02, 2005

- A new wave of malware with variants of Bagle
and Mitglieder now threatens users -
Virus Alerts, by Panda Software

MADRID, March 1st, 2005 - In the last few hours, PandaLabs has detected the
appearance of six variants (BN, BO, BP, BQ, BR and BS) of the Bagle email
worm, as well as four variants (BO, BP, BQ and BR) of the Mitglieder Trojan.
Of these, the most active at present are Bagle.BN and Mitglieder.BO.
According to Panda Software's international tech support network, the latter
is causing incidents in users' computers around the globe, and is already
one of the viruses most frequently detected by Panda ActiveScan, the free
online scanner.

Bagle.BN and Mitglieder.BO work hand-in-glove to spread as widely as
possible. Mitglieder.BO reaches computers in an email message, in an
attachment that could have names like price.zip or price2.zip. If a user
runs this file, the Trojan activates and tries to connect to an Internet
address from which it downloads the Bagle.BN worm onto the system. Once
Bagle.BN is installed on a computer, it sends Mitglieder.BO to the addresses
that it finds in a file called EML.EXE, which is also downloaded from the
Internet. To do this the worm uses its own SMTP engine.

In addition, Mitglieder.BO terminates processes belonging to various
antivirus and security programs, and overwrites the Windows 'hosts' file to
prevent users from connecting to certain web pages.
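Both reports (the March 4 and March 2 items above) note that Mitglieder.BO overwrites the Windows hosts file to stop users reaching certain web pages. The following added example (not code from Panda Software) parses a constructed hosts file and flags every hostname pinned to a loopback or null-route address other than the normal loopback names, which is how such a hijack shows up; the vendor hostnames are placeholders, since the report does not name the blocked sites.

```python
import ipaddress

# Constructed sample of a hosts file after a Mitglieder/Bagle-style overwrite.
# The *.test hostnames are placeholders; the report names no specific sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test   # pinned to loopback by the Trojan
0.0.0.0         downloads.example-security.test
192.168.1.10    intranet              # legitimate LAN entry, must not be flagged
"""

# Names that legitimately resolve to loopback in a default hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, skip it
        for name in parts[1:]:                 # one line may list several aliases
            entries.append((ip, name.lower()))
    return entries


def find_hijacked(text):
    """Hostnames routed to loopback (127/8, ::1) or the null address (0.0.0.0, ::)
    that are not normal loopback names: the signature of a hosts-file block."""
    hijacked = []
    for ip, name in parse_hosts(text):
        if name in LOOPBACK_OK:
            continue
        if ip.is_loopback or ip.is_unspecified:
            hijacked.append((name, str(ip)))
    return hijacked


if __name__ == "__main__":
    for name, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}")
```

Pointing the parser at the real file (C:\WINDOWS\system32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) turns it into a quick integrity check after an incident; any security-vendor update domain in the output explains why the antivirus stopped updating.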

"We are up against a similar wave of viruses to the one witnessed in 2004.
It would seem that given the similarities that we have detected in the
source code, the new Bagle and Mitglieder variants are the work of the same
person or of an organized group. In fact, the whole process began with the
massive, manual sending of thousands of emails infected with Mitglieder.BO.
Moreover, in order to confuse both antivirus vendors and users alike, a
large number of variants have been created and circulated in a very short
period of time. For this reason it is possible that new variants of both
malicious codes will continue to appear over the next few hours," explains
Luis Corrons, director of PandaLabs.

As Panda Software's International Tech Support has already detected
incidents caused by the new malicious code, users are advised to take
precautions and keep their antivirus software updated. Panda Software
clients already have the updates available to detect and disinfect the new
malicious code.

Another Bagle Virus Appears Via Wave of Spam

What is it?

Mass-spammed over the past 24 hours, W32/Bagle.dldr is a Medium Risk Trojan downloader that tries to:

- Open a communication port on your computer
- Download a .jpg picture file from various sites
- Terminate security services like anti-virus updating

Unlike earlier variants, W32/Bagle.dldr does not appear to mass-mail itself to stolen email contacts.

Note: To fortify your anti-virus defense against threats like W32/Bagle.dldr that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.
How do I know if I've been infected?

W32/Bagle.dldr copies itself to the Windows\System32 directory as winshost.exe, which VirusScan detects as W32/Bagle.dll.gen.
How do I find out more?

View details about W32/Bagle.dldr here.