Current Viruses

The Bagle.JP, Bagle.JQ and Sixem.A worms, the Downloader.JFN Trojan, the backdoor Trojan Breplibot.R, the spyware Browsezilla, and the vulnerability discovered in HLINK.DLL, are the subject of this week's report.

Bagle.JP and Bagle.JQ are worms from the Bagle family, whose first variants
appeared in the year 2004. A prime characteristic of this family of worms
has been the ability to spread massively by email and the large number of
variants launched by the creators. The new Bagle.JP and Bagle.JQ variants
spread in a password-protected .zip file attached to an email, which also
includes a .gif image with the password needed to open the file. The
infection occurs if the user opens the .zip file with the password provided
and then runs the file. Both worms collect email addresses from the infected
computer in order to spread to other users and have rootkit options to hide
their files, processes and registry entries. In addition, they disable a
series of processes related with security tools such as antiviruses and
firewalls.

Sixem.A is an email worm that uses the subject of the FIFA World Cup as
bait. When run, it downloads the Downloader.JGP Trojan onto computers. Among
other tactics, it tries to encourage users to open an image supposedly
relating to a 'nudist world cup', although this is really an executable file
with a double extension. To avoid detection, Sixem.A disables a series of
processes related to system security, including antivirus programs and
firewalls.

Downloader.JFN is a Trojan that exploits a currently unpatched vulnerability
detected in Microsoft Excel that could allow arbitrary code to be run on the
computer. The Trojan infects systems through an Excel file created
especially to exploit this vulnerability. On opening the malicious Excel
file, Downloader.JFN is injected in the Internet Explorer process and then
downloads and runs another Trojan. The Trojan cannot spread itself, and
requires user interaction in order to infect a computer (e.g. opening an
email attachment or file downloaded from a website).

Breplibot.R is a backdoor Trojan that opens a communication port on
computers and connects to an IRC server to receive commands that allow
remote control over the infected computer. It makes a call to the netsh
command to prevent being blocked by the firewall. Breplibot.R also requires
user intervention in order to spread, (e.g. opening an email attachment or
file downloaded from a website or P2P networks). This worm has been detected
attached to messages that refer to an alleged oil fraud involving George W.
Bush and Tony Blair.

Browsezilla is an Internet browser that can be downloaded from numerous web
pages. When installed, it installs the adware PicsPlace on computers, which
in turn connects users, without their knowledge, to certain adult content
web pages. This generates an artificial number of hits on these websites,
with the consequent financial benefits to the owners of the websites and the
creators of Browsezilla. The consequences for users that install this
browser are primarily unnecessary bandwidth usage caused by the hidden
connection to these web pages. In addition, users could find themselves
unjustly accused of visiting these pornographic websites.

PandaLabs has also warned this week of a vulnerability discovered in
HLINK.DL, a library used by several Microsoft Office programs, such as
Microsoft Excel. Exploits of this vulnerability have been detected that can
infect computers using a specially-crafted Excel file. This document could
be distributed by email or downloaded from a website. There is currently no
patch available for this vulnerability, and users are therefore advised to
treat all Excel files received with caution, regardless of their origin.

Sixem.A Virus Alert

PandaLabs, Panda Software's anti-malware
laboratory, is warning users of the appearance of Sixem.A, an e-mail
worm using social engineering to trick users, including subjects related
to the World Cup such as 'Naked World Cup game set'. In the message text
users are offered the chance to attend a "nudist world cup".

Sixem.A also uses other bait, such as a link to a website showing images
of football hooliganism.

The email attachment is an executable file that appears to be an image
but which actually has a double extension. This means that the real
nature of the file is not apparent to users whose systems are set to
hide the extension of known file types. Once executed, the worm connects
to a web page and tries to download the Downloader.JGP Trojan.

In addition, this new worm collects email addresses from the user's
computer which it then sends itself out to. Sixem.A also terminates a
series of processes related to antivirus software to prevent it from
being detected and neutralized. This action also makes the computer
vulnerable to further attacks.

This new worm has been detected and neutralized proactively by
TruPreventTM Technologies without having a previous identification of
it. Users of Panda Software have therefore been protected from the
outset against this new threat.

According to Luis Corrons, director of PandaLabs: "Events such as the
football World Cup force us to pay special attention to possible
security risk, as one of the most difficult factors to control is human
action. The excitement created by the World Cup combined with a bit of
cheek on the part of malware creators can be enough to produce an
effective form of spreading malware. Users are advised to be wary of any
email from unknown sources and to take precautions before downloading
files from websites. To prevent the potentially damaging effects of this
kind of malware users should make sure they have an up-to-date antivirus
with technologies capable of detecting new threats."

New MS Excel Vulnerability

PandaLabs has discovered a malicious code that takes advantage of an Excel vulnerability. This flaw causes an unknown error and could allow an attacker to download and run code.

To do this, the attacker sends the target user an Excel file that runs the exploit code and downloads a Trojan, detected as Trj/Downloader.JFN, which in turn tries to download another file.

This vulnerability can be used in the future to download any other executable file. As there is no documentation or security patch to fix this flaw, it is possible that other malicious code may appear in the next few days that takes advantage of this vulnerability.