AnTiViRuS NewS
July 16
Weekly report on viruses and intruders - Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 16, 2004 - This week's report on viruses and intruders focuses
on four malicious codes: three worms (Bagle.AF, Atak.A and Korgo.Z) and the
Trojan Xebiz.A.

Bagle.AF uses its own SMTP engine to send itself out via email to all the
addresses it finds in the files with the following extensions on the
affected computer: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML,
NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI,
MHT, DHTM and JSP.

Bagle.AF terminates processes belonging to security products, such as
antivirus programs, and connects to various PHP scripts. The worm also
contains backdoor code that opens a port and listens on it.

The second worm in today's report is Atak.A, which spreads via email in
messages with variable characteristics that carry an attachment with a
double extension: the first is JPG or GIF, followed by a random number of
blank spaces, and the second is EXE.
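The padded double extension described above is straightforward to check for on a mail gateway or in a triage script. The following is an added Python example, not code from Panda's report or from any Panda product: it builds a sample message inline (a constructed message, not a real Atak.A sample), parses it with the standard library's email module, and flags attachment names of the form name.jpg<blanks>.exe. It generalizes the report's pattern slightly; the lists of executable and decoy extensions beyond JPG, GIF and EXE are assumptions chosen for this example.

```python
import email
import re
from typing import List, Tuple

# Extensions Windows executes when the file is opened. Assumption for this
# example: the report names only EXE; the others are added as common cases.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Harmless-looking "decoy" extensions used to disguise the real one. The
# report names JPG and GIF; the rest are added as an assumption.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

# <base>.<decoy><optional whitespace padding>.<real extension>
_DOUBLE_EXT = re.compile(
    r"^(?P<base>.+?)\.(?P<decoy>[a-z0-9]{2,5})(?P<pad>\s*)\.(?P<real>[a-z0-9]{2,4})$",
    re.IGNORECASE,
)


def inspect_attachment_name(name: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for a single attachment filename."""
    m = _DOUBLE_EXT.match(name)
    if not m:
        return False, "no double extension"
    decoy = m["decoy"].lower()
    real = m["real"].lower()
    pad = m["pad"]
    if real not in EXECUTABLE_EXTS:
        return False, "final extension .%s is not executable" % real
    if pad:
        # The Atak.A trick: a run of blanks pushes the real extension out of
        # view so the mail client shows only "name.jpg".
        return True, "executable .%s hidden behind .%s and %d blank characters" % (
            real, decoy, len(pad))
    if decoy in DECOY_EXTS:
        return True, "executable .%s behind decoy .%s extension" % (real, decoy)
    return False, "double extension without a decoy"


def scan_message(raw: str) -> List[Tuple[str, bool, str]]:
    """Parse an RFC 822 message and inspect every attachment filename."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None:
            continue
        suspicious, reason = inspect_attachment_name(filename)
        findings.append((filename, suspicious, reason))
    return findings


# Constructed sample (not a real Atak.A message): one padded double-extension
# attachment and one ordinary image. The addresses are placeholders.
PADDED_NAME = "holiday.jpg" + " " * 12 + ".exe"
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: Holiday photos\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See attached.\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="%s"\r\n' % PADDED_NAME +
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVo=\r\n"
    "--XYZ\r\n"
    "Content-Type: image/gif\r\n"
    'Content-Disposition: attachment; filename="cat.gif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "R0lGODlh\r\n"
    "--XYZ--\r\n"
)

if __name__ == "__main__":
    for filename, suspicious, reason in scan_message(SAMPLE_MESSAGE):
        print("%-8s %r: %s" % ("SUSPECT" if suspicious else "ok", filename, reason))
```

The check keys on the last extension because that is the one Windows acts on; the decoy extension and any padding only decide how loudly to flag it. A name such as archive.tar.gz is left alone, while report.pdf.exe is flagged even without padding.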

Once Atak.A has infected a computer, it looks for email addresses in all
files with an ADB or WAB extension, and in files smaller than 81920 bytes
that have one of the following extensions: ASP, CFG, CGI, DBX, EML, HTM,
HTML, JSP, LOG, MBX, MHT, MSG, NCH, ODS, PHP, SHT, TBB, UIN, VBS and XML.
It then sends itself to all the addresses it has found using its own SMTP
engine.

Atak.A creates a mutex to ensure that only one copy of the worm is running.
It also checks whether a debugger is running on the affected computer and,
if so, terminates it.

The final worm in this week's report is Korgo.Z, which exploits the Windows
LSASS vulnerability to spread across the Internet and enter computers. It
affects all Windows platforms, but can only get into a computer automatically
if it runs Windows XP or 2000 and has not been correctly updated.

The Z variant of Korgo stays resident in memory, tries to download files from
a series of websites, and sends those websites information about the country
in which the computer is located. Like Atak.A, Korgo.Z creates a mutex to
prevent two copies of the worm from running at the same time.

We finish today's report with Xebiz.A, a Trojan that connects to a website
to download another Trojan, Zerolin.A, to the affected computer. It also
creates several files and several entries in the Windows Registry to ensure
that it runs whenever the computer starts up.

Xebiz.A has been mass-mailed in messages with variable characteristics.
However, all of them contain a form with a button; when the user clicks the
button, Zerolin.A is downloaded.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Debugger: A tool for reading the source code of programs.

- Mutex: Some viruses can use a mutex to control access to resources
(examples: programs or even other viruses) and prevent more than one process
from simultaneously accessing the same resource.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx


© Copyright 2004 Alan Lim. All Rights Reserved