[virusinfo] Panda Weekly report on viruses and intruders - 03/04/05

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 05 Mar 2005 15:08:24 -0800

From: Panda PM Virus Alerts:

- Weekly report on viruses and intruders -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com) 

Madrid, March 4, 2005 - Today's report will focus on two worms, Bagle.BN and
Mytob.A, and two Trojans, Mitglieder.BO and Tofger.AT.

In order to infect as many computers as possible, Bagle.BN and
Mitglieder.BO work hand in glove. Mitglieder.BO reaches computers as a file
attached to an email message, called price.zip or price2.zip, among others.
If the user runs this file, the Trojan activates and tries to connect to an
Internet address, from which it downloads the Bagle.BN worm to the computer.
When Bagle.BN has been installed on the computer, it sends Mitglieder.BO to
the addresses it finds in a file called EML.EXE, which is also downloaded
from the Internet. To do this, the worm uses its own SMTP engine.

Mitglieder.BO ends the processes belonging to various antivirus and security
applications and overwrites the Windows hosts file to prevent users from
connecting to certain web pages.
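One defender-side check for the hosts-file overwrite described above, as an added example that is not part of Panda's report: it parses hosts-file text and flags any watchlisted vendor or update domain that has been pinned to a local or foreign address. The watchlist is an assumption (pandasoftware.com comes from the report; the other two names are constructed placeholders), as is the sample hosts content.

```python
import ipaddress

# Assumed watchlist: domains a workstation should never resolve via the hosts
# file. pandasoftware.com is from the report; the rest are constructed stand-ins.
WATCHLIST = {"pandasoftware.com", "example-av-vendor.test", "update.example.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blanks, comments and trailing '#' remarks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def matches_watchlist(hostname):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_tampering(text):
    """Return (ip, hostname, reason) for every watchlisted name in hosts-file text."""
    findings = []
    for ip, name in parse_hosts(text):
        if not matches_watchlist(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "sinkholed to local address"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


# Constructed sample: a hosts file after the kind of overwrite the report describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com   # blocks the vendor site
0.0.0.0         update.example.test
203.0.113.5     example-av-vendor.test
"""

if __name__ == "__main__":
    for ip, name, reason in find_tampering(SAMPLE_HOSTS):
        print("%-15s %-28s %s" % (ip, name, reason))
```

On a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean file normally yields no findings at all.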

Bagle.BN opens TCP port 80 and listens for a remote connection to be
established. When this happens, it allows remote access to the infected
computer, allowing actions that compromise confidential user information or
impede the tasks carried out.

The second worm in today's report is Mytob.A, which spreads via email in a
message with variable characteristics and via the Internet. In this case, it
attacks random IP addresses, in which it will try to exploit the LSASS
vulnerability.

Mytob connects to an IRC server and waits for remote control commands, which
it will carry out on the affected computer. What's more, it deletes the
variants of other worms like Netsky, Sobig, Bagle and Blaster.

The next malicious code is the Tofger.AT Trojan, which is downloaded to the
PC when users access certain web pages, which use different exploits, like
LoadImage, ByteVerify and MhtRedir.gen, to download malware to computers.
This Trojan installs itself as a Browser Helper Object (BHO), so that it is
run whenever Internet Explorer is opened.
Tofger.AT tracks the actions carried out by users and the passwords used to
access web pages through secure HTTPS connections, which are usually used to
log on to secure systems like online banking. What's more, whenever it
detects certain names in the URL, it tries to capture the passwords for the
following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays,
lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar,
portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell,
bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon,
lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. When it has
captured this information, Tofger.AT sends it to a server.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 