This week's report looks at four variants of the Mitglieder Trojan (FK, FL, FN and FM), which have been spread massively by email this week affecting numerous countries, and the Bagle.FN worm.
According to data from Panda ActiveScan, Panda Software's online antivirus solution, the four variants of Mitglieder mentioned above have been the most frequently detected threats around the world. The first variant to appear, FK, is spread in emails with a blank subject and with a message text including words such as "Texte" or "Info". The emails include a .ZIP attachment with a variable name (Health_and_knowledge, Txt_sms, Max, Business, The_new_price, Info_prices or Business_dealing). This file includes an .EXE file, which installs Mitglieder.FK on the computer when it is run.
The FK, FL and FN variants of Mitglieder share the following characteristics:
- Once installed on a computer, they use a PHP script to try to download a file from various web pages. Once downloaded, they save it, using a random number as the name, in the EXEFLD subfolder of the Windows directory, and then run it.
- They create the HLOADER_EXE.EXE file, a copy of the Trojan itself, which in turn generates the HLEADER_DLL.DLL file the next time the computer is started up. The latter is injected into the EXPLORER.EXE process and is responsible for carrying out the Trojan's actions.
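The file-system artifacts listed above (the EXEFLD subfolder with a numerically named payload, and the HLOADER_EXE.EXE / HLEADER_DLL.DLL loader pair) are the easiest host indicators to sweep for. The following script is an added example written for this report, not code from Panda Software or PandaLabs: it walks a directory tree meant to be the Windows folder and reports any of those artifacts. It assumes the "random number" file name is a run of digits with an optional extension (the report does not state the extension), and it builds its own constructed sample tree in a temporary directory so it can be run offline.

```python
import re
import tempfile
from pathlib import Path

# Host indicators named in the report for the FK/FL/FN variants.
LOADER_FILES = {"HLOADER_EXE.EXE", "HLEADER_DLL.DLL"}
DROP_SUBFOLDER = "EXEFLD"
# Assumption: the "random number" payload name is all digits, optionally
# followed by an extension; the report does not give the extension.
NUMERIC_NAME = re.compile(r"^\d+(\.[A-Za-z0-9]+)?$")


def scan_tree(root):
    """Walk `root` (intended to be the Windows directory) and return a sorted
    list of (indicator, relative_path) findings for the report's artifacts."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Loader pair created by the Trojan; matched case-insensitively because
        # Windows file names are case-insensitive.
        if path.name.upper() in LOADER_FILES:
            findings.append(("loader-file", rel))
        # Payload dropped into <Windows>\EXEFLD under a random numeric name.
        in_drop_folder = (path.parent.parent == root
                          and path.parent.name.upper() == DROP_SUBFOLDER)
        if in_drop_folder and NUMERIC_NAME.match(path.name):
            findings.append(("exefld-numeric-payload", rel))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed directory layout mimicking an infected Windows
    folder; the contents are placeholder bytes, not real malware."""
    base = Path(base)
    (base / "system32").mkdir(parents=True, exist_ok=True)
    (base / "system32" / "notepad.exe").write_bytes(b"benign placeholder")
    (base / "HLOADER_EXE.EXE").write_bytes(b"placeholder")
    (base / "HLEADER_DLL.DLL").write_bytes(b"placeholder")
    (base / "EXEFLD").mkdir(exist_ok=True)
    (base / "EXEFLD" / "48213").write_bytes(b"placeholder payload")
    (base / "EXEFLD" / "readme.txt").write_bytes(b"not an indicator")
    return base


def run_demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_tree(tmp))


if __name__ == "__main__":
    for indicator, rel in run_demo():
        print(f"{indicator}: {rel}")
```

On a real host you would call `scan_tree` with the actual Windows directory rather than `run_demo`; a loader-file hit or any numerically named file directly under EXEFLD is worth pulling for analysis, while other files in that folder (such as the readme in the sample) are ignored by design.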
The actions that the FM variant of Mitglieder takes on the computers it infects include:
- Preventing access to certain web pages, in particular those belonging to antivirus companies.
- Disabling system services related to several antivirus and security products.
- Deleting Windows registry editing tools.
Finally, in today's report we will look at Bagle.FN, a worm that sends a copy of the Mitglieder.FK Trojan to all addresses it collects from the compromised computer.
Bagle.FN spreads in an email message that tries to trick users into believing that the message attachment is a computer program, images, etc. It also spreads via the Internet, attacking IP addresses (obtained at random or from the infected computer's network) by exploiting a vulnerability or through an open port.
Bagle.FN tries to download several files from different websites in order to run them on the computer, and deletes Windows registry entries associated with other malware specimens.
Since 1990, PandaLabs' mission has been to analyze new threats as soon as possible to ensure that our clients are safe. Several teams specialized in each specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.) work 24x7 to offer global coverage. To do this they are supported by TruPrevent Technologies, a truly global early warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is the fastest in the industry to offer complete updates (more information at www.pandasoftware.com/pandalabs.asp).