Weekly report on viruses and intruders

This week's Panda Software report looks at three examples of malware: the Mepe.A worm and two Trojans, Mitglieder.EW and Mitglieder.FB.

Mepe.A is a worm that caused a significant number of infections on September 20 and 21, especially in Latin America, placing it at the head of the infections ranking for several hours. In order to spread, this worm searches for open windows (normally instant messaging applications) with the title "Conversación". When infected users have such a window open, the worm sends them an invitation in Spanish with a link to a site from which they can supposedly download a postcard.

The link actually leads to the virus itself, which, when run, displays a false error message while continuing with its actions. Incidents involving this virus have dropped drastically over the last few hours, as the ISP responsible for the server on which the malware creator had hosted the worm disabled the file after being alerted to the issue by PandaLabs.

The other two species of malware, Mitglieder.EW and Mitglieder.FB, are similar in structure and have been responsible for numerous incidents over the last few days, as part of the wave of Bagle and Mitglieder malware being distributed massively by email. Both of these principally aim to disable security solutions on users' computers, leaving them vulnerable to further malware attacks.

Mitglieder.EW is a Trojan and, as such, has no means of self-propagation. It could have been distributed manually as well as in symbiosis with Bagle worms (a frequent pairing between these two types of malware), and through bot networks. Once it reaches a computer, the Trojan blocks the update processes of several antivirus programs, as well as services related to antivirus programs, firewalls, etc.

To ensure these programs don't run, it also deletes the Windows Registry entries containing their configuration. Finally, and as is usually the case with Mitglieder, it tries to download a file, OSA6.GIF, from numerous websites; the file appears to be an image but is really an executable. In this case the file is a variant of the Fantibag family.

Mitglieder.FB operates in the same way as the previous example, including the addresses from which it downloads OSA6.GIF, terminating numerous processes, and deleting a series of files from the computer's hard disk, regardless of the drive, mostly related to IT security. In this case, the downloaded file contains a variant of Downloader.
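A defender-side check for the disguise described above, an executable served under an image file name such as OSA6.GIF. This is an added example, not code from the report or from Panda Software; the file names and byte samples are constructed.

```python
"""Flag files whose extension claims an image but whose bytes are a Windows
PE executable. Added example; sample bytes below are constructed."""
import struct

IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
IMAGE_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}


def is_pe_executable(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def image_type(data: bytes):
    """Return the image format implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the content actually is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_image = ext in IMAGE_EXTENSIONS
    if is_pe_executable(data):
        return "suspicious: PE executable disguised as image" if claims_image else "executable"
    if image_type(data) and claims_image:
        return "image"
    return "unknown"


# Constructed samples: a minimal MZ header with e_lfanew = 0x40 followed by a
# PE signature, and the first bytes of a genuine GIF89a file.
FAKE_GIF = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("OSA6.GIF", FAKE_GIF), ("postcard.gif", REAL_GIF)):
        print(name, "->", classify(name, blob))
```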

To prevent this malware or any other malicious code from infecting users' computers, Panda Software advises users to keep their security software up to date. Panda Software clients already have the updates available to detect and disinfect these malware specimens.

About PandaLabs

Since 1990, PandaLabs' mission has been to analyze new threats as soon as possible to ensure that our clients are safe. Several teams specialized in each specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.) work 24x7 to offer global coverage. To do this they are supported by TruPrevent Technologies, a truly global early warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is the fastest in the industry to offer complete updates (more information at www.pandasoftware.com/pandalabs.asp).
