Posted in GD as a public service.
The poster is not an employee of, or in any way associated with Panda Software.
---
"Knowledge is of no value unless you put it into practice."
--Anton Chekhov (1860-1904), Russian dramatist and short-story writer.
Weekly virus report
Oxygen3 24h-365d, by Panda Software (
http://www.pandasoftware.com)
Madrid, November 22, 2003 - Today's report will focus on two worms -variant J of Mimail and variant E of Lohack-, and a Trojan called Banbra.B.
Mimail.J spreads via e-mail in a message with the subject IMPORTANT and an attached file called w w w.paypal.com.pif. This worm uses so-called social engineering techniques to trick users and spread to as many computer as possible, like the I variant, the message carrying Mimail.J refers to the PAYPAL payment system.
When it is run, this malicious code shows an image on screen that simulates the home window of a financial entity. Then, Mimail.J collects the information entered by the user and sends it out via e-mail. In computers with Windows Me/98/95 installed, it runs as a service so that it does not appear in the Task Manager.
Mimail.J looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in a file called el388.tmp. This malicious code then sends itself out to all the addresses it has found, using its own SMTP engine, and connects to the IP address 212.5.86.163, which belongs to a Russian e-mail server.
Today's second worm, Lohack.E, spreads via e-mail, across computer networks and through the peer-to-peer (P2P) file sharing program KaZaA. It does this using messages that have extremely variable characteristics. In order to trick users into opening them, many of these messages refer to the Spanish Information Society and E-mail Services Law. Furthermore, Lohack.E spoofs the sender's address so that it seems to have been sent from a trustworthy source, such as the Ministerio de Ciencia y Tecnología (Ministry of Science and Technology) or Panda Antivirus.
Lohack.E automatically activates when the message carrying this worm is viewed in the Preview Pane in Outlook. It does this by exploiting the Exploit/Iframe vulnerability, which affects versions 5.01 and 5.5 of Internet Explorer and allows files attached to e-mail messages to run automatically.
We are going to finish today's report with Banbra.B, a Trojan that obtains user's account numbers and passwords for accessing bank accounts with the following financial entities: Internet Banking Caixa, Bradesco Internet Banking and Banco do Brazil. Similarly, it monitors the web pages that the affected user accesses. When the user visits the website of any of the entities mentioned above, Banbra.B displays a fake login interface in order to trick the user into entering confidential information, which will then be sent out via FTP to the creator of the Trojan.
For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopediaAdditional information
- FTP (File Transfer Protocol): A mechanism that allows files to be transferred through a TCP/IP connection.
- Network: Group of computers or other IT devices interconnected via a cable, telephone line, electromagnetic waves (satellite, microwaves, etc.), in order to communicate and share resources.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspxNOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Printer-friendly format
Email this thread to a friend
Bookmark this thread
(1000+ posts)
Send PM |
Profile |
Ignore
