Weekly Report on Viruses and Intruders – Mitglieder.GK, WmaDownloader.B, Banbra.BOK and Bancos.LU Trojans
This week’s report looks at a worm -Bagle.FU-, five vulnerabilities -four in Internet Explorer and one in Windows 2000-, four Trojans -Mitglieder.GK, WmaDownloader.B, Banbra.BOK and Bancos.LU-, and one application -Elite-.
Bagle.FU is a worm that terminates several processes and eliminates Windows Registry entries related to other worms. It also sends a ZIP file with a copy of the Mitglieder.GK Trojan.
Mitglieder.GK consults a series of web pages to download files of all types, including malware.
The four Internet Explorer security problems that we’re looking at today affect versions 5.01, 5.5 and 6 of the Microsoft browser when installed on Windows 2003/XP/2000/Me/98. They are classified as “critical’ and could allow remote execution of code in vulnerable systems. The fifth problem has been classified as “Important”, and affects the Windows 2000 kernel, allowing an attacker to take complete control of the affected system.
Microsoft has released two security bulletins announcing the availability of the updates to resolve these problems in Internet Explorer (MS05-054) and Windows 2000 (MS05-055), and advises users to install the patches.
The next threat we’re looking at today is the WmaDownloader.B Trojan, which reaches computers in license-protected multimedia files that can be downloaded from web pages or through peer-to-peer (P2P) file-sharing programs.
WmaDownloader.B exploits Windows Media Digital Rights Management (DRM), technology that requires a valid license number when in order to play a protected Windows Media file. If a user runs a multimedia file containing the Trojan, a window appears asking the user to buy a license which is free if they install IST Toolbar, a program that can be used to allow other threats to enter the computer.
If the user agrees to install IST Toolbar, WmaDownloader.B takes the following action:
– It displays a security warning informing that an ActiveX control will be installed in the computer. If users accept, a message will appear thanking them.
– It connects to a URL (in the drm.ysbweb.com domain), and if the computer is using version 9 or later of Windows Media Player it will download and install IST Toolbar.
The third Trojan we’re looking at is Banbra.BOK which spreads in messages send through Messenger inviting users to see a photo on a certain web page. However, if users go to this page, what actually happens is that the Trojan is downloaded onto the computer. Banbra.BOK can also be downloaded from other websites.
Banbra.BOK goes resident on infected computers and opens port 1036, waiting for users to access certain banking websites in order to steal passwords which it then sends to certain email addresses.
Bancos.LU is a Trojan that saves -in temporary files- information about the computer it affects, such as user names and passwords used in mail accounts, address book information and bank details. Bancos.LU obtains the latter by monitoring use of the Internet and when the user connects to certain banks, it redirects them to spoofed pages requesting information about accounts and passwords. The Trojan logs this information and sends it to its creator.
We end today’s report with Elite, an application that can log information about the action (keystrokes, imagers created, programs used, etc.) taken by users of the computer.