andsome Posted November 23, 2003

- Weekly virus report -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, November 22, 2003 - Today's report will focus on two worms, variant J of Mimail and variant E of Lohack, and a Trojan called Banbra.B.

Mimail.J spreads via e-mail in a message with the subject IMPORTANT and an attached file called www.paypal.com.pif. This worm uses so-called social engineering techniques to trick users and spread to as many computers as possible; like the I variant, the message carrying Mimail.J refers to the PAYPAL payment system.

When it is run, this malicious code shows an image on screen that simulates the home window of a financial entity. Then, Mimail.J collects the information entered by the user and sends it out via e-mail. In computers with Windows Me/98/95 installed, it runs as a service so that it does not appear in the Task Manager.

Mimail.J looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in a file called el388.tmp. This malicious code then sends itself out to all the addresses it has found, using its own SMTP engine, and connects to the IP address 212.5.86.163, which belongs to a Russian e-mail server.

Today's second worm, Lohack.E, spreads via e-mail, across computer networks and through the peer-to-peer (P2P) file sharing program KaZaA. It does this using messages that have extremely variable characteristics. In order to trick users into opening them, many of these messages refer to the Spanish Information Society and E-mail Services Law. Furthermore, Lohack.E spoofs the sender's address so that it seems to have been sent from a trustworthy source, such as the Ministerio de Ciencia y Tecnología (Ministry of Science and Technology) or Panda Antivirus.

Lohack.E automatically activates when the message carrying this worm is viewed in the Preview Pane in Outlook. It does this by exploiting the Exploit/Iframe vulnerability, which affects versions 5.01 and 5.5 of Internet Explorer and allows files attached to e-mail messages to run automatically.

We are going to finish today's report with Banbra.B, a Trojan that obtains users' account numbers and passwords for accessing bank accounts with the following financial entities: Internet Banking Caixa, Bradesco Internet Banking and Banco do Brazil. Similarly, it monitors the web pages that the affected user accesses. When the user visits the website of any of the entities mentioned above, Banbra.B displays a fake login interface in order to trick the user into entering confidential information, which will then be sent out via FTP to the creator of the Trojan.

For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- FTP (File Transfer Protocol): A mechanism that allows files to be transferred through a TCP/IP connection.
- Network: Group of computers or other IT devices interconnected via a cable, telephone line, electromagnetic waves (satellite, microwaves, etc.), in order to communicate and share resources.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/gl...ry/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------
To unsubscribe from Oxygen3 24h-365d, please visit:
http://www.pandasoftware.com/unsubscribe.asp
To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------