Thursday, April 21, 2005

- New variant of the Mitglieder Trojan being mass mailed -

PandaLabs has detected the mass mailing of spam that contains the new and dangerous CG variant of the Mitglieder Trojan (also known as Bagle.bn by other security companies). Data collected by the international PandaLabs network shows that this new malicious code is starting to spread rapidly across several countries.

The email messages in which this new Trojan has been detected have a blank subject and message body and include an attached file called work.zip. However, users should be careful, as this Trojan is being spammed out manually or through zombie computers, and therefore the characteristics of the email message carrying Mitglieder.CG could be completely different.

If the user runs the file containing Mitglieder.CG, the Notepad application is opened, displaying the word 'Sorry'. At the same time, a file called winshost.exe is created in the Windows system directory on the affected computer. When the computer restarts, this file is run and creates another file called wiwhost.exe. This file modifies the hosts file so that the user cannot access certain websites, mainly websites related to antivirus programs and IT security.

In addition, the Trojan deletes files and Registry entries and stops processes related to security applications that could be installed on the computer.
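A defender-side check for the hosts-file tampering described above, added here as an example and not Panda's own code: it parses hosts-file text and flags any entry that overrides a watched security-vendor domain, distinguishing entries sinkholed to loopback or 0.0.0.0 from those redirected elsewhere. The watch list and the sample hosts content are constructed for illustration; the vendor domains are assumptions, not taken from the malware.

```python
"""Flag hosts-file entries that override security-vendor domains."""
import ipaddress
import re

# Assumed watch list of domains a defender wants to keep resolvable (illustrative).
SECURITY_DOMAINS = {
    "pandasoftware.com",
    "windowsupdate.microsoft.com",
    "example-av-vendor.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        for name in parts[1:]:                # one IP may carry several names
            yield parts[0], name.lower()


def matches_watchlist(hostname):
    """True for a watched domain or any subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def classify(ip):
    """'sinkholed' if the address can never reach a server, else 'redirected'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_hijacked_security_sites(text):
    """Return sorted (hostname, ip, verdict) tuples for watched domains in the hosts file."""
    return sorted((name, ip, classify(ip))
                  for ip, name in parse_hosts(text) if matches_watchlist(name))


# Constructed sample resembling a Windows hosts file after tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com  # injected entry
0.0.0.0         windowsupdate.microsoft.com
198.51.100.20   www.example-av-vendor.com
"""

if __name__ == "__main__":
    for host, ip, verdict in find_hijacked_security_sites(SAMPLE_HOSTS):
        print(f"{verdict}: {host} -> {ip}")
```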

According to Luis Corrons: "the aim of Mitglieder.CG is to download malware to the computer. It does this by connecting to a large number of Internet addresses and trying to download files, which could predictably contain other malware, such as backdoors, spyware, adware, bots, etc. This allows the authors of this malicious code to create networks of infected computers in order to launch attacks on other computers or collect hundreds of thousands of email addresses to send spam to."

Due to the wide circulation of this Trojan, Panda Software advises users to take precautions and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Sunday, April 17, 2005

- Weekly report on viruses and intruders -

MADRID, April 17 2005 - This week's report on viruses and intruders includes five vulnerabilities in different Microsoft products and new variants of the Mytob, Gaobot and Kelvir worms.

The five vulnerabilities have been rated 'critical' and affect not only Windows operating systems, but also other applications like Internet Explorer, Exchange Server, MSN Messenger, Word, Works and Office. If the patches that fix these flaws are not applied, an attacker could gain remote control of affected systems.

As far as malicious code is concerned, we can highlight the gradual increase in the number of Mytob worms emerging. The Mytob worms connect to an IRC server and wait for remote control commands to carry out on the affected computer, such as deleting, downloading or running files. Some variants prevent the user from accessing the websites belonging to certain antivirus and IT security companies. What's more, they spread via email, through the Internet (by exploiting the LSASS vulnerability) and across networks protected with weak passwords. However, the proactive TruPrevent™ detection technologies blocked all these variants of the Mytob worm without needing to be able to identify them first. Therefore, users who have these technologies installed on their systems have been protected from the very start.

The appearance of Gaobot.EYP can also be highlighted. This is a worm that also opens a backdoor, allowing a remote attacker to gain control of affected computers. The attacker would be able to carry out multiple actions including running commands, downloading and executing files, capturing keystrokes, obtaining the characteristics of the computer, launching distributed denial of service attacks (DDoS), etc.

Gaobot.EYP ends the processes belonging to different security tools, such as antivirus programs and firewalls, leaving the computer vulnerable to attack from other malware. What's more, it ends the processes belonging to other worms.

Gaobot.EYP uses a number of methods to spread:

- It copies itself to the shared network resources it manages to access.

- It exploits the following vulnerabilities to spread via the Internet: LSASS, RPC DCOM, WINS buffer overflow in the workstation service.

- It can get into computers with SQL Server, whose SA (System Administrator) account has a blank password.

Finally, we will look at Kelvir.L.worm. This worm spreads via MSN Messenger by sending a message to all the contacts with the text "its you!", which points to a URL belonging to the hydr0.net domain.

If the user clicks on this link, a compressed, autoexecutable file, detected as Trj/MultiDropper.ZL, is downloaded and run. This file contains files called "uncanny.exe" and "advbot.exe", which are copies of Kelvir.L.worm and Gaobot.EYX.worm, respectively.