Weekly report on viruses and intruders

This week's report on viruses and intruders focuses on four malicious codes: three worms (Bagle.AF, Atak.A and Korgo.Z) and the Trojan Xebiz.A.

Bagle.AF uses its own SMTP engine to send itself out via email to all the addresses it finds in the files with the following extensions on the affected computer: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP.

Bagle.AF ends the processes belonging to security products, such as antivirus protection, and connects to different PHP scripts. This worm also contains code to create a backdoor to open a port and listen in on it.

Today's second worm is Atak.A, which spreads via email in a message with variable characteristics that contains an attachment with a double extension. The first is JPG or GIF followed by a random number of blank spaces and the second is EXE.
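The padded double extension described above (a decoy image extension, a run of spaces, then EXE) is easy to catch at the mail gateway once the filename is normalised. The following Python function is an added example for this report, not code from Panda Software or from the worm itself; the decoy and executable extension lists and the sample filenames are constructed for illustration.

```python
import re

# Extensions commonly used as the visible "decoy" part of a disguised attachment
# (assumed list for this example; the report names JPG and GIF).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}
# Extensions Windows treats as executable (assumed list for this example).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# stem . decoy-ext <whitespace padding> . real-ext
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]{1,4})$"
)


def analyze_attachment_name(filename):
    """Describe whether an attachment filename is an executable disguised
    behind a decoy extension, and how many padding characters hide the real one."""
    name = filename.strip()
    result = {
        "filename": filename,
        "executable": False,
        "disguised": False,
        "decoy_ext": None,
        "real_ext": None,
        "padding": 0,
        "reason": "",
    }
    # The extension Windows actually honours is the one after the last dot.
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    result["real_ext"] = real_ext or None
    if real_ext not in EXECUTABLE_EXTENSIONS:
        result["reason"] = "final extension is not executable"
        return result
    result["executable"] = True

    m = _DOUBLE_EXT.match(name)
    if m and m.group("decoy").lower() in DECOY_EXTENSIONS:
        result["disguised"] = True
        result["decoy_ext"] = m.group("decoy").lower()
        result["padding"] = len(m.group("pad"))
        result["reason"] = (
            f"decoy .{result['decoy_ext']} followed by {result['padding']} "
            f"padding characters, then .{real_ext}"
        )
    else:
        result["reason"] = "executable attachment without a decoy extension"
    return result


def flag_suspicious_attachments(filenames):
    """Return the analysis records for every attachment whose real extension is
    executable; disguised ones carry disguised=True for higher-severity handling."""
    return [r for r in (analyze_attachment_name(n) for n in filenames) if r["executable"]]


# Constructed sample attachment names (not real samples from the report).
SAMPLE_ATTACHMENTS = [
    "holiday photo.JPG" + " " * 40 + ".exe",  # padded double extension as described for Atak.A
    "funny.gif.exe",                          # double extension without padding
    "invoice.pdf",                            # benign document
    "setup.exe",                              # plain executable, not disguised
]

if __name__ == "__main__":
    for rec in flag_suspicious_attachments(SAMPLE_ATTACHMENTS):
        print(f"{rec['filename']!r}: {rec['reason']}")
```

Stripping and lower-casing before looking at the last dot matters: mail clients often display only the leading part of a long name, so the spaces are exactly what hides the trailing .exe from the user, and a filter that compares the raw string against "*.exe" with a case-sensitive match misses "holiday photo.JPG .EXE" variants.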

When Atak.A has infected a computer it looks for email addresses in all the files it finds with an ADB or WAB extension, and in files that are smaller than 81920 bytes in size and have one of the following extensions: ASP, CFG, CGI, DBX, EML, HTM, HTML, JSP, LOG, MBX, MHT, MSG, NCH, ODS, PHP, SHT, TBB, UIN, VBS and XML. Then, it sends itself out to all the addresses it has found using its own SMTP engine.

Atak.A creates a mutex to ensure that only one copy of this worm is running. It also checks if a debugger is enabled on the affected computer and if it is, it ends it.

The final worm in this week's report is Korgo.Z, which exploits the Windows LSASS vulnerability to spread via the Internet and get into computers. It also affects all Windows platforms, but can only automatically get into computers running Windows XP or 2000 that have not been correctly updated.

The Z variant of Korgo goes memory resident and tries to download files from a series of websites and also sends these websites information about which country the computer is located in. Like the worm mentioned above, Korgo.Z creates a mutex to prevent two copies of this worm from being run at the same time.

We are going to finish today's report with Xebiz.A, a Trojan that connects to a website in order to download a Trojan called Zerolin.A to the affected computer. What's more, it creates several files and generates several entries in the Windows Registry to ensure that it is run whenever the computer is started up.

Xebiz.A has been mass-mailed in messages with variable characteristics. However, all messages include a form with a button. When the user clicks on this button, Zerolin.A will be downloaded.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information
Debugger: A tool for reading the source code of programs.
Mutex: Some viruses can use a mutex to control access to resources (examples: programs or even other viruses) and prevent more than one process from simultaneously accessing the same resource.
More definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
