Weekly Report on Viruses and Intruders – Bagle.AF, Atak.A and Korgo.Z-, and the Trojan Bagle.AF

Bagle.AF uses its own SMTP engine to send itself out via email to all the addresses it finds in the files with the following extensions on the affected computer: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP.

Bagle.AF ends the processes belonging to security products, such as antivirus protection, and connects to different PHP scripts. This worm also contains code to create a backdoor to open a port and listen in on it.

Today’s second worm is Atak.A, which spreads via email in a message with variable characteristics that contains an attachment with a double extension. The first is JPG or GIF followed by a random number of blank spaces and the second is EXE.

When Atak.A has infected a computer it looks for email addresses in all the files it finds with an ADB or WAB extension, and in files that are smaller than 81920 bytes in size and have one of the following extensions: ASP, CFG, CGI, DBX, EML, HTM, HTML, JSP, LOG, MBX, MHT, MSG, NCH, ODS, PHP, SHT, TBB, UIN, VBS and XML. Then, it sends itself out to all the addresses it has found using its own SMTP engine.

Atak.A creates a mutex to ensure that only one copy of this worm is running. It also checks if a debugger is enabled on the affected computer and if it is, it ends it.

The final worm in this week’s report is Korgo.Z, which exploits the Windows LSASS vulnerability to spread via the Internet and get into computers. It also affects all Windows platforms, but can only automatically get into computers running Windows XP or 2000 that have not been correctly updated.

The Z variant of Korgo goes memory resident and tries to download files from a series of websites and also sends these websites information about which country the computer is located in. Like the worm mentioned above, Korgo.Z creates a mutex to prevent two copies of this worm from being run at the same time.

We are going to finish today’s report with Xebiz.A, a Trojan that connects to a website in order to download a Trojan called Zerolin.A to the affected computer. What’s more, it creates several files and generates several entries in the Windows Registry to ensure that it is run whenever the computer is started up.

Xebiz.A has been mass-mailed in messages with variable characteristics. However, all messages include a form with a button. When the user clicks on this button, Zerolin.A will be downloaded.