Weekly report on viruses and intruders

Today's report will focus on two worms -Bagle.BN and Mytob.A-, and two Trojans -Mitglieder.BO and Tofger.AT-.

In order to infect as many computers as possible, the Bagle.BN and Mitglieder.BO work hand in glove. Mitglieder.BO reaches computers as a file attached to an email message, called price.zip or price2.zip, among others. If the user runs this file, the Trojan activates and tries to connect to an Internet address, from which it downloads the Bagle.BN worm to the computer. When Bagle.BN has been installed on the computer, it sends Mitglieder.BO to the addresses it finds in a file called EML.EXE, which is also downloaded from the Internet. To do this, the worm uses its own SMTP engine.

Mitglieder.BO ends the processes belonging to various antivirus and security applications and overwrites the Windows hosts file to prevent users from connecting to certain web pages.

Bagle.BN opens TCP port 80 and listens for a remote connection to be established. When this happens, it allows remote access to the infected computer, allowing actions that compromise confidential user information or impede the tasks carried out.

The second worm in today's report is Mytob.A, which spreads via email in a message with variable characteristics and via the Internet. In this case, it attacks random IP addresses, in which it will try to exploit the LSASS vulnerability.

Mytob connects to an IRC server and waits for remote control commands, which it will carry out on the affected computer. What's more, it deletes the variants of other worms like Netsky, Sobig, Bagle and Blaster.

The next malicious code is the Tofger.AT Trojan, which is downloaded to the PC when users access certain web pages, which use different exploits -like LoadImage, ByteVerify and MhtRedir.gen- to download malware to computers. This Trojan installs itself as a Browser Helper Object (BHO), so that it is run whenever Internet Explorer is opened.

Tofger.AT tracks the actions carried out by users and the passwords used to access web pages through secure HTTPS connections, which are usually used to log on to secure systems like online banking. What's more, whenever it detects certain names in the URL, it tries to capture the passwords for the following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays, lloydstsb, halifax, autorize, bankofamerica; bancodevalencia, cajamar, portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell, bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon, lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. When it has captured this information, Tofger.AT sends it to a server.

About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users. For more information: http://www.pandasoftware.com/virus_info/

Comments (0)

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter