Weekly Virus Report – Mimail.j, Lohack.E Worms and Banbra Trojan


Mimail.J spreads via e-mail in a message with the subject IMPORTANT and an attached file called w w w.paypal.com.pif. This worm uses so-called social engineering techniques to trick users and spread to as many computers as possible: like the I variant, the message carrying Mimail.J refers to the PAYPAL payment system.

When it is run, this malicious code shows an image on screen that simulates the home window of a financial entity. Then, Mimail.J collects the information entered by the user and sends it out via e-mail. In computers with Windows Me/98/95 installed, it runs as a service so that it does not appear in the Task Manager.

Mimail.J looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in a file called el388.tmp. This malicious code then sends itself out to all the addresses it has found, using its own SMTP engine, and connects to the IP address 212.5.86.163, which belongs to a Russian e-mail server.

Today’s second worm, Lohack.E, spreads via e-mail, across computer networks and through the peer-to-peer (P2P) file sharing program KaZaA. It does this using messages that have extremely variable characteristics. In order to trick users into opening them, many of these messages refer to the Spanish Information Society and E-mail Services Law. Furthermore, Lohack.E spoofs the sender’s address so that it seems to have been sent from a trustworthy source, such as the Ministerio de Ciencia y Tecnología (Ministry of Science and Technology) or Panda Antivirus.

Lohack.E automatically activates when the message carrying this worm is viewed in the Preview Pane in Outlook. It does this by exploiting the Exploit/Iframe vulnerability, which affects versions 5.01 and 5.5 of Internet Explorer and allows files attached to e-mail messages to run automatically.

We are going to finish today’s report with Banbra.B, a Trojan that obtains users’ account numbers and passwords for accessing bank accounts with the following financial entities: Internet Banking Caixa, Bradesco Internet Banking and Banco do Brazil. Similarly, it monitors the web pages that the affected user accesses. When the user visits the website of any of the entities mentioned above, Banbra.B displays a fake login interface in order to trick the user into entering confidential information, which is then sent out via FTP to the creator of the Trojan.