Panda Weekly - viruses and intruders - 05/11/04

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

Madrid, November 5 2004 - This week's report on viruses and intruders will focus on the Bagz.H and Mitglieder.AY worms and the Citifraud.A Trojan.

Bagz.H spreads via e-mail. To do this it looks for email addresses in the files with a DBX, HTM, TBB, TBI or TXT extension on the affected computer. However, it does not send itself out to all the addresses it finds, as it avoids addresses with texts strings like abuse, admin. or administrator@, among others.

The email messages carrying Bagz.H do not have a fixed format, as the subject, message text and file name can vary. If the user runs the attachment, Bagz.H will install itself as a service called Xuy v palto. What's more, this worm modifies the Windows hosts file, preventing certain Internet addresses from being accessed.

Bagz.H also deletes the entries in the Windows Registry that belong to certain antivirus and security applications and creates new entries that allow it to activate whenever the computer is started up.

Mitglieder.AY is a malicious code that is closely related to Bagle.BC and Bagle.BE (detected a few days ago), as it takes advantage of the effects of these worms to get into computers directly from the Internet. Mitglieder.AY uses the backdoor created by both variants of Bagle in TCP port 81. Mitglieder.AY scans for IP addresses in which the TCP port 81 is open. If it finds this port open, it copies itself to those computers as a file called winshost.exe.

From then on, Mitglieder.AY ends the processes in memory belonging to different applications. What's more, every six hours, it attempts to download the file zoo.jpg from certain web addresses. If successful, this file is saved on the affected computer under the name File.exe. When this file is run, it downloads other malware to the affected computer.

We are going to finish today's report with a Trojan called Citifraud.A, which is actually a file written in HTML that exploits a known vulnerability in Microsoft Internet Explorer. It contains a link pretend to access the website of a well-known bank. However, this address actually accesses a false website that imitates the original page. By doing this, it tries to steal account details entered by the user, allowing the hacker to access the bank account.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Port/Communication port: Point through which a computer transfers information (inbound/outbound) via TCP/IP.

- Vulnerability: Flaws or security holes in a program or IT system, and often used by viruses as a means of infection.

More technical definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx