Weekly report on viruses and intruders

Today's report looks at Constructor/EMFTrojan.C, Netsky.AH, Netsky.AI, Bagz.E, Mydoom.AD and Scranor.A.

Constructor/EMFTrojan.C is a program designed to create malformed image files to exploit a remote code execution vulnerability in the rendering of Enhanced Metafile (EMF) image formats, described in Microsoft's MS04-032 bulletin.

Constructor/EMFTrojan offers several options to configure the generated code, giving the option to take the following action when the file is opened:

- Open a port through which commands can be sent to the compromised computer.

- Download and run a file from a specified URL.

To protect computers from this and other similar threats, Panda Software has developed Exploit/MS04-032.gen, a generic detection for EMF images crafted specifically to exploit this security flaw.

The first worms that we'll look at today are the AH and AI variants of Nestky, which are sent via email, using their own SMTP engine, to addresses that they get from files that are less than 10,000,000 bytes and have one of the following extensions: DBX, WAB, MBX, EML, MDB, TBB or DAT. They are sent ten minutes after they are executed and are only sent between October 20 and October 25 2004. To prevent simultaneous execution Netsky.AH and Netsky.AI create the mutex "0x452A561C".

The next worm in today's report is Bagz.E, which spreads in an email with variable characteristics. It terminates processes of applications such as antivirus programs, leaving the computer vulnerable to attack from other malware.

Bagz.E creates several files in the Windows directory of the computer it affects. This worm also modifies the HOSTS file, preventing access to the websites of several antiviruses an IT security company.

Mydoom.AD, also spreads via email in a variable message. It spoofs the sender's address using a set list of names and domains.

Using its own SMTP engine, Mydoom.AD sends a copy of itself to all addresses in the files it finds with the following extensions (provided they don't have certain text strings): ADB, ASP, CFG, CGI, DBX, EML, HTM, HTML, JSP, MBX, MDX, MSG, PHP, PL, SHT, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML.

To ensure that only one copy of itself ids run at a time, Mydoom.AD creates a mutex called My-Game. Just the like the worm mentioned above, Mydoom.AD also edits the HOSTS file to prevent access to the websites of several antivirus companies.

The AD variant of Mydoom tries to download a file from a web page corresponding to Scranor.A, another worm. It saves the file in the root directory, renames it and then executes it.

Finally we will look at Scranor.A, a worm that propagates by making copies of itself without infecting other files. Its aim is to saturate and crash computers and networks.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia.

Additional information
- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the Internet exclusively for sending e-mail messages.

More definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.

Comments (0)

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter