Weekly Virus Report – Mimail.I and Sinala.A Worms; Sdbot.BL and Webber.C Trojans
The I variant of Mimail spreads via e-mail in a message with the subject: “YOUR PAYPAL.COM ACCOUNT EXPIRES”, and an attached file called paypal.asp.scr or w w w.paypal.com.scr. After infecting a computer, this worm looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in the file el388.tmp. Mimail.I then sends itself out to all the addresses it has found, using its own SMTP engine.
Sinala.A spreads by exploiting the MHTML vulnerability in Outlook Express, which allows a hacker to send and run programs on the affected computer. It also spreads through P2P programs, in files with an EXE or SCR extension that have the same icon as AVI video files. This worm reaches computers in a message from email@example.com, or from an address that it takes from the Outlook address book or MSN Messenger contact list on the affected computer. The file attached to this message, which infects the computer when it is run, is called ALANIS.EXE.
A clear indication that Sinala.A has infected a computer is a fake Windows error message displayed on screen. This malicious code also regularly checks if there is a floppy disk in the floppy disk drive and if there is, it copies files to it.
The first Trojan in today’s report is Sdbot.BL, which mainly spreads via e-mail and IRC channels, in a message with an attached file. When this file is run, the Trojan goes memory resident and connects to a specific IRC channel. By doing this, it allows a hacker to carry out different actions on the affected computer, such as scanning and redirecting ports, downloading and running files and changing the security parameters in the Windows Registry and launching Denial of Service (DoS) attacks.
Sdbot.BL is difficult to identify, as it does not display any messages or warnings that indicate that it has reached a computer. However, if net shares are disabled or if certain programs that are running on the computer stop for no apparent reason, Sdbot.BL might have reached the computer.
The last malicious code in this week’s report is Webber.C which, when it is installed on a computer, downloads a file from the Internet. This files steals the passwords for accessing different services that are stored on the affected computer.
Webber.C has been spammed in an e-mail message that seems to have been sent from a financial entity. The subject of this message is always: “RE: Your credit application” and it includes an attachment called W W W.CITIBANKHOMELOAN.HTM.PIF. This file has a double extension, and is designed like a web page in order to trick the user into opening it, allowing Webber.C to infect the computer.