From: Panda PM Virus Alerts

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, March 4, 2005 - Today's report will focus on two worms -Bagle.BN and Mytob.A- and two Trojans -Mitglieder.BO and Tofger.AT-.

In order to infect as many computers as possible, Bagle.BN and Mitglieder.BO work hand in glove. Mitglieder.BO reaches computers as a file attached to an email message, called price.zip or price2.zip, among other names. If the user runs this file, the Trojan activates and tries to connect to an Internet address, from which it downloads the Bagle.BN worm to the computer. Once Bagle.BN has been installed, it sends Mitglieder.BO to the addresses it finds in a file called EML.EXE, which is also downloaded from the Internet. To do this, the worm uses its own SMTP engine, so it does not depend on the mail client installed on the computer.

Mitglieder.BO ends the processes belonging to various antivirus and security applications and overwrites the Windows hosts file to prevent users from connecting to certain web pages. Bagle.BN opens TCP port 80 and listens for a remote connection. When one is established, it allows remote access to the infected computer, which can be used to compromise confidential user information or to interfere with the tasks the computer carries out.

The second worm in today's report is Mytob.A, which spreads via email, in a message with variable characteristics, and via the Internet. In the latter case, it attacks random IP addresses, on which it tries to exploit the LSASS vulnerability (the flaw patched by Microsoft in bulletin MS04-011). Mytob.A connects to an IRC server and waits for remote control commands, which it carries out on the affected computer. What's more, it deletes variants of other worms such as Netsky, Sobig, Bagle and Blaster.

The next malicious code is the Tofger.AT Trojan, which is downloaded to the PC when users access certain web pages. These pages use different exploits -such as LoadImage, ByteVerify and MhtRedir.gen- to download malware to computers.
This Trojan installs itself as a Browser Helper Object (BHO), so that it is run whenever Internet Explorer is opened. Because it runs inside the browser process, Tofger.AT can track the actions carried out by users and the passwords used to access web pages through secure HTTPS connections, which are usually used to log on to secure systems like online banking: the BHO sees the data before the browser encrypts it, so HTTPS offers no protection against it. What's more, whenever it detects certain names in the URL, it tries to capture the passwords for the following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays, lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar, portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell, bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon, lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. When it has captured this information, Tofger.AT sends it to a server.

For further information about these and other computer threats, visit Panda Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------
To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member