This week's report on viruses and intruders will focus on the Bagz.H and Mitglieder.AY worms and the Citifraud.A Trojan.
Bagz.H spreads via e-mail. To do this it looks for email addresses in the files with a DBX, HTM, TBB, TBI or TXT extension on the affected computer. However, it does not send itself out to all the addresses it finds, as it avoids addresses with texts strings like abuse, admin. or [email protected], among others.
The email messages carrying Bagz.H do not have a fixed format, as the subject, message text and file name can vary. If the user runs the attachment, Bagz.H will install itself as a service called Xuy v palto. What's more, this worm modifies the Windows hosts file, preventing certain Internet addresses from being accessed.
Bagz.H also deletes the entries in the Windows Registry that belong to certain antivirus and security applications and creates new entries that allow it to activate whenever the computer is started up.
Mitglieder.AY is a malicious code that is closely related to Bagle.BC and Bagle.BE (detected a few days ago), as it takes advantage of the effects of these worms to get into computers directly from the Internet. Mitglieder.AY uses the backdoor created by both variants of Bagle in TCP port 81. Mitglieder.AY scans for IP addresses in which the TCP port 81 is open. If it finds this port open, it copies itself to those computers as a file called winshost.exe.
From then on, Mitglieder.AY ends the processes in memory belonging to different applications. What's more, every six hours, it attempts to download the file zoo.jpg from certain web addresses. If successful, this file is saved on the affected computer under the name File.exe. When this file is run, it downloads other malware to the affected computer.
We are going to finish today's report with a Trojan called Citifraud.A, which is actually a file written in HTML that exploits a known vulnerability in Microsoft Internet Explorer. It contains a link pretend to access the website of a well-known bank. However, this address actually accesses a false website that imitates the original page. By doing this, it tries to steal account details entered by the user, allowing the hacker to access the bank account.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia.
- Port/Communication port: Point through which a computer transfers information (inbound/outbound) via TCP/IP.
- Vulnerability: Flaws or security holes in a program or IT system, and often used by viruses as a means of infection.
More definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.