- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, March 4, 2005 - Today's report will focus on two worms -Bagle.BN and
Mytob.A-, and two Trojans -Mitglieder.BO and Tofger.AT-.
In order to infect as many computers as possible, the Bagle.BN and
Mitglieder.BO work hand in glove. Mitglieder.BO reaches computers as a file
attached to an email message, called price.zip or price2.zip, among others.
If the user runs this file, the Trojan activates and tries to connect to an
Internet address, from which it downloads the Bagle.BN worm to the computer.
When Bagle.BN has been installed on the computer, it sends Mitglieder.BO to
the addresses it finds in a file called EML.EXE, which is also downloaded
from the Internet. To do this, the worm uses its own SMTP engine.
Mitglieder.BO ends the processes belonging to various antivirus and security
applications and overwrites the Windows hosts file to prevent users from
connecting to certain web pages.
Bagle.BN opens TCP port 80 and listens for a remote connection to be
established. When this happens, it allows remote access to the infected
computer, allowing actions that compromise confidential user information or
impede the tasks carried out.
The second worm in today's report is Mytob.A, which spreads via email in a
message with variable characteristics and via the Internet. In this case, it
attacks random IP addresses, in which it will try to exploit the LSASS
vulnerability.
Mytob connects to an IRC server and waits for remote control commands, which
it will carry out on the affected computer. What's more, it deletes the
variants of other worms like Netsky, Sobig, Bagle and Blaster.
The next malicious code is the Tofger.AT Trojan, which is downloaded to the
PC when users access certain web pages, which use different exploits -like
LoadImage, ByteVerify and MhtRedir.gen- to download malware to computers.
This Trojan installs itself as a Browser Helper Object (BHO), so that it is
run whenever Internet Explorer is opened.
Tofger.AT tracks the actions carried out by users and the passwords used to
access web pages through secure HTTPS connections, which are usually used to
log on to secure systems like online banking. What's more, whenever it
detects certain names in the URL, it tries to capture the passwords for the
following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays,
lloydstsb, halifax, autorize, bankofamerica; bancodevalencia, cajamar,
portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell,
bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon,
lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. When it has
captured this information, Tofger.AT sends it to a server.