AnTiViRuS NewS
August 13
- Weekly report on viruses and intrusions - Virus Alerts, by Panda Software http://www.pandasoftware.com


Madrid, August 13, 2004 - Today's report focuses on the AM variant of Bagle
and on the Trojans Leritand.A, Leritand.B, Leritand.C and Toquimos.A.

Bagle.AM appeared at the beginning of this week and rapidly infected a large
number of computers. It spreads via email in a message without a subject
that includes an attachment with a variable name and a ZIP extension. This
file contains two items:

- Illwill.A, an HTML file containing an exploit used by Bagle.AM to infect
the computer without the user realizing.

- An EXE file, which is run when the user opens the Illwill.A file.
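
A mail-gateway check for the delivery pattern described above (no subject, a ZIP attachment holding both an HTML file and an EXE file), given here as an added example that is not Panda Software's code. The function names, the extension-based matching and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def zip_has_html_and_exe(data: bytes) -> bool:
    """True if the archive lists both an HTML member and an EXE member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False  # renamed or corrupt file: not this pattern
    has_html = any(n.endswith((".htm", ".html")) for n in names)
    has_exe = any(n.endswith(".exe") for n in names)
    return has_html and has_exe

def flag_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message matches the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if not (msg["Subject"] or "").strip():
        reasons.append("empty subject")
    for part in msg.iter_attachments():
        # The attachment name varies, so only the extension is checked.
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if zip_has_html_and_exe(part.get_payload(decode=True) or b""):
            reasons.append(f"zip with html+exe: {name}")
    return reasons

def build_sample(subject: str, members: dict[str, bytes]) -> bytes:
    """Constructed test message; archive members are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    if subject:
        msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="doc.zip")
    return msg.as_bytes()
```

A message that returns both reasons is a candidate for quarantine; either reason alone is common in legitimate mail and is better logged than blocked.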

When it has infected a computer, Bagle.AM tries to download a false JPG file
from different websites and if it manages to download the file, it starts
spreading. What's more, Bagle.AM spreads through P2P (peer-to-peer) file
sharing programs.

Bagle.AM opens a TCP port in affected computers and listens on it, allowing a
hacker to access the computer. This worm also ends the processes belonging
to different programs, including antivirus update programs, preventing them
from offering protection against new viruses. Similarly, if the computer is
infected by a variant of Netsky, Bagle.AM prevents it from running when
Windows starts up.

Leritand.A, Leritand.B and Leritand.C are Trojans that change the prefix of
web addresses starting with www, redirecting them to a website that opens
the web page originally requested by the user. What's more, these Trojans
disable the URL handlers of the its, ms-its and mhtml protocols,
preventing some help systems from working. Leritand.A, Leritand.B and
Leritand.C change the default home page and search page in Internet Explorer
and add links to the Favorites folder.

We are going to finish today's report with Toquimos.A, a Trojan that only
affects Nokia series 60 cell phones. It cannot spread on its own, as it must
be installed and run by the user. Its most common means of propagation is
P2P file sharing networks.

When it is run, Toquimos.A checks if the phone has a pirated version of a
game installed. If it has, it sends an SMS to a special rate phone number
without the user's permission. This SMS is sent whenever the game is run.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Exploit: This can be a technique or a program that takes advantage of a
vulnerability or security hole in a certain communication protocol,
operating system, or other IT utility or application.

- P2P (Peer to peer): A program -or network connection- used to offer
services via the Internet (usually file sharing), which viruses and other
types of threats can use to spread. Some examples of this type of program
are KaZaA, Emule, eDonkey, etc.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

© Copyright 2004 Alan Lim. All Rights Reserved