J of Mimail and variant E of Lohack-, and a Trojan


andsome

- Weekly virus report -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, November 22, 2003 - Today's report will focus on two worms -variant J of Mimail and variant E of Lohack-, and a Trojan called Banbra.B.

Mimail.J spreads via e-mail in a message with the subject IMPORTANT and an attached file called w w w.paypal.com.pif. This worm uses so-called social engineering techniques to trick users and spread to as many computers as possible. Like the I variant, the message carrying Mimail.J refers to the PAYPAL payment system.

When it is run, this malicious code shows an image on screen that simulates the home window of a financial entity. Then, Mimail.J collects the information entered by the user and sends it out via e-mail. On computers with Windows Me/98/95 installed, it runs as a service so that it does not appear in the Task Manager.

Mimail.J looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in a file called el388.tmp. This malicious code then sends itself out to all the addresses it has found, using its own SMTP engine, and connects to the IP address 212.5.86.163, which belongs to a Russian e-mail server.

Today's second worm, Lohack.E, spreads via e-mail, across computer networks and through the peer-to-peer (P2P) file sharing program KaZaA. It does this using messages that have extremely variable characteristics. In order to trick users into opening them, many of these messages refer to the Spanish Information Society and E-mail Services Law. Furthermore, Lohack.E spoofs the sender's address so that it seems to have been sent from a trustworthy source, such as the Ministerio de Ciencia y Tecnología (Ministry of Science and Technology) or Panda Antivirus.

Lohack.E automatically activates when the message carrying this worm is viewed in the Preview Pane in Outlook. It does this by exploiting the Exploit/Iframe vulnerability, which affects versions 5.01 and 5.5 of Internet Explorer and allows files attached to e-mail messages to run automatically.

We are going to finish today's report with Banbra.B, a Trojan that obtains users' account numbers and passwords for accessing bank accounts with the following financial entities: Internet Banking Caixa, Bradesco Internet Banking and Banco do Brazil. Similarly, it monitors the web pages that the affected user accesses. When the user visits the website of any of the entities mentioned above, Banbra.B displays a fake login interface in order to trick the user into entering confidential information, which will then be sent out via FTP to the creator of the Trojan.

For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:

http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- FTP (File Transfer Protocol): A mechanism that allows files to be transferred through a TCP/IP connection.

- Network: Group of computers or other IT devices interconnected via a cable, telephone line, electromagnetic waves (satellite, microwaves, etc.), in order to communicate and share resources.

More definitions of virus and antivirus terminology at:

http://www.pandasoftware.com/virus_info/gl...ry/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------

To unsubscribe from Oxygen3 24h-365d, please visit:

http://www.pandasoftware.com/unsubscribe.asp

To contact Panda Software, please visit:

http://www.pandasoftware.com/about/contact/

------------------------------------------------------------
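The report above gives three mail-gateway and firewall indicators for Mimail.J: the subject line IMPORTANT, the attachment name w w w.paypal.com.pif (a domain name padded with spaces to hide the .pif executable), and outbound connections to 212.5.86.163. The following added example, which is not part of the Panda report or the forum post, shows how a defender could turn those indicators into a simple check over an RFC 822 message and a firewall log. It generalizes the attachment rule slightly: any .pif attachment whose name collapses to a domain-like string once whitespace is removed is flagged, not only the exact PayPal name. The sample message and log lines are constructed for the example; the helper names are the author's own choice, and the fuller lists of executable extensions or indicators a real gateway would use are assumed, not taken from the report.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted from the Panda report (November 22, 2003).
MIMAIL_J_SUBJECT = "IMPORTANT"
MIMAIL_J_ATTACHMENT = "w w w.paypal.com.pif"
MIMAIL_J_SMTP_IP = "212.5.86.163"

# A name that, with whitespace removed, reads like "host.domain.tld.pif".
# This is the example's own generalization of the reported attachment name.
DISGUISED_DOMAIN_PIF = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}\.pif$")


def attachment_names(msg):
    """Collect the declared filenames of every MIME part carrying one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def looks_like_disguised_domain(filename):
    """True when the name is a domain disguised as a .pif, e.g. 'w w w.x.com.pif'."""
    collapsed = re.sub(r"\s+", "", filename).lower()
    return DISGUISED_DOMAIN_PIF.match(collapsed) is not None


def mimail_j_indicators(raw_message):
    """Return the list of Mimail.J indicators matched by one raw e-mail message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper() == MIMAIL_J_SUBJECT:
        hits.append("subject:IMPORTANT")
    for name in attachment_names(msg):
        if re.sub(r"\s+", "", name).lower() == MIMAIL_J_ATTACHMENT.replace(" ", ""):
            hits.append(f"attachment:{name}")
        elif looks_like_disguised_domain(name):
            hits.append(f"disguised-domain-attachment:{name}")
    return hits


def flag_outbound_to_mimail_server(log_lines):
    """Return firewall log lines that record traffic to the worm's SMTP server."""
    pattern = re.compile(r"\b" + re.escape(MIMAIL_J_SMTP_IP) + r"\b")
    return [line for line in log_lines if pattern.search(line)]


def constructed_sample_message():
    """Build a constructed message mimicking the reported subject and attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = MIMAIL_J_SUBJECT
    msg.set_content("Please see the attached file.")
    # Placeholder bytes stand in for the attachment body; not real malware.
    msg.add_attachment(b"placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename=MIMAIL_J_ATTACHMENT)
    return msg.as_string()


# Constructed firewall log: one line to the reported server, one benign line.
CONSTRUCTED_FIREWALL_LOG = [
    "2003-11-22 10:01:02 ALLOW TCP 10.0.0.5:1034 -> 212.5.86.163:25",
    "2003-11-22 10:01:05 ALLOW TCP 10.0.0.5:1035 -> 10.0.0.1:53",
]

if __name__ == "__main__":
    for hit in mimail_j_indicators(constructed_sample_message()):
        print("mail indicator:", hit)
    for line in flag_outbound_to_mimail_server(CONSTRUCTED_FIREWALL_LOG):
        print("firewall hit:", line)
```

Both functions return lists rather than printing, so the same logic can be dropped into a gateway filter or a log-review script and the matches acted on (quarantine the message, alert on the host making the connection). The whitespace-collapsing check matters because a rule that only compares the literal string "w w w.paypal.com.pif" misses the same trick with different spacing.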
