Saturday, June 24, 2006

Current Viruses

The Bagle.JP, Bagle.JQ and Sixem.A worms, the Downloader.JFN Trojan, the backdoor Trojan Breplibot.R, the spyware Browsezilla and the vulnerability discovered in HLINK.DLL are the subject of this week's report.

Bagle.JP and Bagle.JQ are worms from the Bagle family, whose first variants
appeared in the year 2004. A prime characteristic of this family of worms
has been the ability to spread massively by email and the large number of
variants launched by the creators. The new Bagle.JP and Bagle.JQ variants
spread in a password-protected .zip file attached to an email, which also
includes a .gif image with the password needed to open the file. The
infection occurs if the user opens the .zip file with the password provided
and then runs the file. Both worms collect email addresses from the infected
computer in order to spread to other users and have rootkit options to hide
their files, processes and registry entries. In addition, they disable a
series of processes related to security tools such as antiviruses and
firewalls.

Sixem.A is an email worm that uses the subject of the FIFA World Cup as
bait. When run, it downloads the Downloader.JGP Trojan onto computers. Among
other tactics, it tries to encourage users to open an image supposedly
relating to a 'nudist world cup', although this is really an executable file
with a double extension. To avoid detection, Sixem.A disables a series of
processes related to system security, including antivirus programs and
firewalls.
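Both lures above rely on the mail gateway not looking closely at the attachment: Bagle.JP/JQ ship in a password-protected .zip that no scanner can open, and Sixem.A hides an executable behind a double extension. The following is an added example of a gateway-side attachment screen, not code from PandaLabs or from this report; the sample archive it builds is a constructed fixture, and because Python's `zipfile` cannot write encrypted archives, the "protected" variant sets the encryption bit in the central directory by hand so the check can be exercised offline.

```python
"""Attachment screen for the two lures described above (added example).

Flags two things a gateway can see without opening the payload:
  * a benign-looking extension followed by an executable one (photo.jpg.exe)
  * .zip entries carrying the encryption flag, i.e. password-protected archives
    whose password travels separately (in a .gif, as in the Bagle.JP/JQ mails)
"""
import io
import zipfile
from typing import List, Optional

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions used as the decoy half of a double extension.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "doc", "xls", "pdf", "txt"}


def _ext(filename: str) -> str:
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def has_double_extension(filename: str) -> bool:
    """True for names such as 'worldcup.jpg.exe' (decoy extension + executable)."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return decoy in DECOY_EXTS and real in EXECUTABLE_EXTS


def screen_attachment(filename: str, data: Optional[bytes] = None) -> List[str]:
    """Return the list of reasons to hold this attachment (empty means clean).

    For .zip attachments the archive bytes are inspected entry by entry:
    general-purpose flag bit 0 set means the entry is encrypted, so the
    content cannot be scanned and the archive should not be passed through.
    """
    reasons = []
    if has_double_extension(filename):
        reasons.append("double extension hides an executable")
    if _ext(filename) == "zip" and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        reasons.append(f"password-protected entry {info.filename!r}")
                    if has_double_extension(info.filename) or _ext(info.filename) in EXECUTABLE_EXTS:
                        reasons.append(f"executable inside archive: {info.filename!r}")
        except zipfile.BadZipFile:
            reasons.append("archive could not be parsed")
    return reasons


def build_sample_zip(protected: bool) -> bytes:
    """Constructed fixture: a one-entry archive holding 'photo.jpg.exe'.

    zipfile cannot write encrypted archives, so for the protected variant the
    encryption bit is set in the central-directory flags by hand. The screen
    only needs to see the flag; it never tries to decrypt anything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo.jpg.exe", b"not really a picture")
    data = bytearray(buf.getvalue())
    if protected:
        cd = data.index(b"PK\x01\x02")          # central directory file header
        data[cd + 8:cd + 10] = b"\x01\x00"      # general-purpose flags, bit 0 = encrypted
    return bytes(data)


if __name__ == "__main__":
    for name, payload in [("worldcup.jpg.exe", None),
                          ("photos.zip", build_sample_zip(protected=True))]:
        print(name, "->", screen_attachment(name, payload) or "clean")
```

The archive check deliberately stops at the flag bits: whether or not the password is recoverable from the accompanying image, a gateway that cannot inspect the content should quarantine the message rather than deliver it and hope the desktop scanner catches the file after the user types the password in.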

Downloader.JFN is a Trojan that exploits a currently unpatched vulnerability
detected in Microsoft Excel that could allow arbitrary code to be run on the
computer. The Trojan infects systems through an Excel file created
especially to exploit this vulnerability. On opening the malicious Excel
file, Downloader.JFN is injected in the Internet Explorer process and then
downloads and runs another Trojan. The Trojan cannot spread itself, and
requires user interaction in order to infect a computer (e.g. opening an
email attachment or file downloaded from a website).

Breplibot.R is a backdoor Trojan that opens a communication port on
computers and connects to an IRC server to receive commands that allow
remote control over the infected computer. It makes a call to the netsh
command to prevent being blocked by the firewall. Breplibot.R also requires
user intervention in order to spread (e.g. opening an email attachment or a
file downloaded from a website or P2P networks). This Trojan has been detected
attached to messages that refer to an alleged oil fraud involving George W.
Bush and Tony Blair.
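The netsh call Breplibot.R makes to keep the firewall from blocking it is a good detection point, because a legitimate firewall change is rarely made by a process running out of a temporary directory. The following is an added example of that detection logic, not part of the original report; the tab-separated process-creation records it scans are constructed, and their field layout (time, user, parent image, command line) is an assumption rather than any particular product's log format.

```python
"""Detect firewall tampering via netsh in process-creation records (added example).

Each record is: time <TAB> user <TAB> parent image <TAB> command line.
A hit is rated "high" when the parent process lives in a user-writable
location (temp folders, profile directories), "medium" otherwise, so that
an administrator's own netsh use is queued for review rather than alarmed.
"""
import re
from typing import Dict, List

# Constructed sample records. The legacy "netsh firewall" syntax is the
# Windows XP-era form; "netsh advfirewall" is the newer form.
SAMPLE_LOG = """\
2006-06-22T10:14:03\tCORP\\alice\tC:\\WINDOWS\\explorer.exe\tC:\\WINDOWS\\system32\\notepad.exe
2006-06-22T10:15:40\tCORP\\alice\tC:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\update.exe\tnetsh firewall add allowedprogram "C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\update.exe" update ENABLE
2006-06-22T10:15:41\tCORP\\alice\tC:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\update.exe\tnetsh firewall set opmode mode=DISABLE
2006-06-22T11:02:17\tCORP\\admin\tC:\\WINDOWS\\system32\\cmd.exe\tnetsh firewall show state
2006-06-22T11:30:00\tCORP\\admin\tC:\\WINDOWS\\system32\\cmd.exe\tnetsh advfirewall firewall add rule name="VPN" dir=in action=allow program="C:\\Program Files\\VPN\\vpn.exe"
"""

# (pattern over the command line, description) pairs; read-only commands
# such as "netsh firewall show state" intentionally match nothing.
TAMPER_PATTERNS = [
    (re.compile(r"\bnetsh\s+firewall\s+add\s+(allowedprogram|portopening)\b", re.I),
     "firewall exception added (legacy netsh syntax)"),
    (re.compile(r"\bnetsh\s+firewall\s+set\s+opmode\b.*\bdisable\b", re.I),
     "firewall switched off (legacy netsh syntax)"),
    (re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I),
     "firewall allow rule added (advfirewall syntax)"),
    (re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
     "firewall profile switched off (advfirewall syntax)"),
]

# Parent images in these locations are not where administration tools live.
USER_WRITABLE = re.compile(
    r"\\(Temp|Local Settings|LOCALS~1|Application Data|AppData|Downloads|Desktop)\\", re.I)


def parse_record(line: str) -> Dict[str, str]:
    """Split one tab-separated record into named fields."""
    ts, user, parent, cmdline = line.rstrip("\n").split("\t", 3)
    return {"time": ts, "user": user, "parent": parent, "cmdline": cmdline}


def detect_firewall_tampering(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per record whose command line tampers with the firewall."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for pattern, description in TAMPER_PATTERNS:
            if pattern.search(rec["cmdline"]):
                severity = "high" if USER_WRITABLE.search(rec["parent"]) else "medium"
                alerts.append({**rec, "rule": description, "severity": severity})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_firewall_tampering(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['time']} {alert['user']}: "
              f"{alert['rule']} <- {alert['parent']}")
```

On the sample records this yields two high-severity alerts for the process in the temp folder (an exception added, then the firewall switched off) and one medium-severity alert for the administrator's allow rule from cmd.exe; the `show state` query is ignored.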

Browsezilla is an Internet browser that can be downloaded from numerous web
pages. When installed, it installs the adware PicsPlace on computers, which
in turn connects users, without their knowledge, to certain adult content
web pages. This generates an artificial number of hits on these websites,
with the consequent financial benefits to the owners of the websites and the
creators of Browsezilla. The consequences for users that install this
browser are primarily unnecessary bandwidth usage caused by the hidden
connection to these web pages. In addition, users could find themselves
unjustly accused of visiting these pornographic websites.

PandaLabs has also warned this week of a vulnerability discovered in
HLINK.DLL, a library used by several Microsoft Office programs, such as
Microsoft Excel. Exploits of this vulnerability have been detected that can
infect computers using a specially-crafted Excel file. This document could
be distributed by email or downloaded from a website. There is currently no
patch available for this vulnerability, and users are therefore advised to
treat all Excel files received with caution, regardless of their origin.