"Since thou are not sure of a minute,
throw not away an hour."
Benjamin Franklin (1706-1790); US scientist and politician.
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, November 7, 2004 - This week's report on viruses and intruders will
focus on the Bagz.H and Mitglieder.AY worms and the Citifraud.A Trojan.
Bagz.H spreads via e-mail. To do this it looks for email addresses in the
files with a DBX, HTM, TBB, TBI or TXT extension on the affected computer.
However, it does not send itself out to all the addresses it finds, as it
avoids addresses with text strings like abuse, admin. or administrator@,
The email messages carrying Bagz.H do not have a fixed format, as the
subject, message text and file name can vary. If the user runs the
attachment, Bagz.H will install itself as a service called Xuy v palto.
What's more, this worm modifies the Windows hosts file, preventing certain
Internet addresses from being accessed.
Bagz.H also deletes the entries in the Windows Registry that belong to
certain antivirus and security applications and creates new entries that
allow it to activate whenever the computer is started up.
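
A hosts-file audit for the kind of tampering described above, as an added example that is not part of the original report or Panda's tooling. It assumes the blocking is done by mapping names to a loopback or unspecified address (the report does not say how, or which addresses are affected); the host names in the sample are constructed.

```python
import ipaddress

# Names that legitimately map to loopback in a default hosts file.
DEFAULT_NAMES = {"localhost", "localhost.localdomain",
                 "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, address, names) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        fields = line.split()
        if len(fields) < 2:                      # blank or incomplete line
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                       # first field is not an IP
            continue
        yield line_no, addr, [name.lower() for name in fields[1:]]

def suspicious_entries(text):
    """Return (line_no, name, address) for names pointed at a dead-end address.

    Assumption: a blocked name is one mapped to loopback (127.0.0.0/8, ::1)
    or the unspecified address (0.0.0.0, ::) that is not a default name.
    """
    hits = []
    for line_no, addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            hits.extend((line_no, name, str(addr))
                        for name in names if name not in DEFAULT_NAMES)
    return hits

# Constructed sample hosts file; the *.example names are placeholders.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
0.0.0.0         www.av-vendor.example   # second blocked name
192.0.2.10      intranet.example
::1             localhost
"""

if __name__ == "__main__":
    for line_no, name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On Windows the file to audit is %SystemRoot%\System32\drivers\etc\hosts; read it and pass its text to suspicious_entries().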
Mitglieder.AY is malicious code that is closely related to Bagle.BC and
Bagle.BE (detected a few days ago), as it takes advantage of the effects of
these worms to get into computers directly from the Internet. Mitglieder.AY
uses the backdoor created by both variants of Bagle on TCP port 81.
Mitglieder.AY scans for IP addresses on which TCP port 81 is open. If it
finds this port open, it copies itself to those computers as a file called
From then on, Mitglieder.AY ends the processes in memory belonging to
different applications. What's more, every six hours, it attempts to
download the file zoo.jpg from certain web addresses. If successful, this
file is saved on the affected computer under the name File.exe. When this
file is run, it downloads other malware to the affected computer.
We are going to finish today's report with a Trojan called Citifraud.A,
which is actually a file written in HTML that exploits a known vulnerability
in Microsoft Internet Explorer. It contains a link that pretends to access the
website of a well-known bank. However, this address actually accesses a
false website that imitates the original page. By doing this, it tries to
steal account details entered by the user, allowing the hacker to access the
For further information about these and other computer threats, visit Panda
Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
- Port/Communication port: Point through which a computer transfers
information (inbound/outbound) via TCP/IP.
- Vulnerability: Flaws or security holes in a program or IT system, often
used by viruses as a means of infection.