Bagz.H spreads


#1 thatman

Posted 08 November 2004 - 04:52 AM


"Since thou are not sure of a minute,
throw not away an hour."
Benjamin Franklin (1706-1790); US scientist and politician.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, November 7, 2004 - This week's report on viruses and intruders will
focus on the Bagz.H and Mitglieder.AY worms and the Citifraud.A Trojan.

Bagz.H spreads via e-mail. To do this it looks for email addresses in the
files with a DBX, HTM, TBB, TBI or TXT extension on the affected computer.
However, it does not send itself out to all the addresses it finds, as it
avoids addresses with text strings like abuse, admin. or administrator@,
among others.

The email messages carrying Bagz.H do not have a fixed format, as the
subject, message text and file name can vary. If the user runs the
attachment, Bagz.H will install itself as a service called Xuy v palto.
What's more, this worm modifies the Windows hosts file, preventing certain
Internet addresses from being accessed.

Bagz.H also deletes the entries in the Windows Registry that belong to
certain antivirus and security applications and creates new entries that
allow it to activate whenever the computer is started up.

Mitglieder.AY is a malicious code that is closely related to Bagle.BC and
Bagle.BE (detected a few days ago), as it takes advantage of the effects of
these worms to get into computers directly from the Internet. Mitglieder.AY
uses the backdoor created by both variants of Bagle in TCP port 81.
Mitglieder.AY scans for IP addresses in which the TCP port 81 is open. If it
finds this port open, it copies itself to those computers as a file called

From then on, Mitglieder.AY ends the processes in memory belonging to
different applications. What's more, every six hours, it attempts to
download the file zoo.jpg from certain web addresses. If successful, this
file is saved on the affected computer under the name File.exe. When this
file is run, it downloads other malware to the affected computer.

We are going to finish today's report with a Trojan called Citifraud.A,
which is actually a file written in HTML that exploits a known vulnerability
in Microsoft Internet Explorer. It contains a link that pretends to access the
website of a well-known bank. However, this address actually accesses a
false website that imitates the original page. By doing this, it tries to
steal account details entered by the user, allowing the hacker to access the
bank account.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:

Additional information

- Port/Communication port: Point through which a computer transfers
information (inbound/outbound) via TCP/IP.

- Vulnerability: Flaws or security holes in a program or IT system, and
often used by viruses as a means of infection.
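The report notes that Bagz.H edits the Windows hosts file to block access to certain Internet addresses. The following is an added example, not code from the report or from Panda Software, of a defender-side audit that parses a hosts file and flags entries pinning a watchlisted hostname or sending any non-localhost name to a sinkhole address. The hostnames and the sample hosts file are constructed placeholders.

```python
import ipaddress
import re

# Constructed watchlist: hostnames a workstation's hosts file should never pin
# (placeholder names, not taken from the report).
WATCHLIST = {
    "update.example-antivirus.test",
    "download.example-security.test",
    "www.example-bank.test",
}

# Constructed sample hosts file, mimicking the kind of tampering described.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   update.example-antivirus.test
0.0.0.0     download.example-security.test  # silently blocks updates
0.0.0.0     telemetry.example.test
10.0.0.5    intranet.local
"""

# Addresses commonly used to sinkhole a name: loopback and the unspecified address.
SINKHOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("0.0.0.0/32")]
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (ip, hostname, reason) for every suspicious entry in the hosts text."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        sinkholed = any(addr in net for net in SINKHOLE_NETS)
        if name in watchlist:
            findings.append((ip, name, "watchlisted host pinned"))
        elif sinkholed and name not in LOCAL_NAMES:
            findings.append((ip, name, "non-localhost name sent to sinkhole"))
    return findings
```

On a live system the same function can be fed the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any finding is worth comparing against a known-good baseline before treating it as an infection indicator.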
