Weekly virus report – Downloader.AC, Bookmark.C and Agent.A. Trojans and Exploit/URLSpoof

Exploit/URLSpoof is not cataloged as a virus, Trojan or worm, as it is HTML code which is included in a message or website to exploit a vulnerability in Internet Explorer. This security problem could allow a hyperlink to be crafted which if clicked, would access a different address from the one displayed in the browser address bar.

Over the last few days, there have been a lot of e-mails in circulation exploiting the URLSpoof vulnerability, aimed at tricking users into divulging confidential information, such as account numbers, user names, passwords or other secret codes. These false messages claim to have been sent from banks -like Citibank or Barclays- and tell users that due to an error, they should go to a web page to check their data. However, the web page that they access via the malicious link will channel any information entered to the attacker who will then be able to use it for fraudulent purposes.

Downloader.AC, on the other hand, is sent in spam, and has the subject: “PAYPAL.COM NEW YEAR OFFER”, and includes an attachment: “PAYPAL.EXE”. When the file is run, the Trojan connects to a web page and downloads a file called “Temp”, which it runs and saves in the hard disk root directory.

The second Trojan we’re looking at today is Bookmark.C, which carries out a series of actions on the affected computer, such as changing the home page in Internet Explorer and adding links to pornographic websites to the favorites folder. It also redirects the default search page in Internet Explorer and, in some computers, it displays an error message saying it couldn’t find a file.

Finally, Agent.A is a Trojan which goes memory resident and listens on port 46204 and another generated at random. It tries to update itself by connecting to web pages, which actually don’t exist.