Weekly Report on Viruses and Intruders – W32/Bagle.GZ.worm, OSX/Oomp.A Mac OS X worm

This week’s report focuses on the updates released by Microsoft to correct several errors. As well as the W32/Bagle.GZ.worm, we can also highlight the appearance of OSX/Oomp.A, a worm that affects Mac OSX.

On February 14, Microsoft published seven updates for Windows and Office, two of which are classified as critical. The first update, MS06-004, is applied to fix a critical vulnerability in the Graphics Rendering Engine (generally exploited using an WMF) in computers running Windows 2003/XP/2000/Me/98. This flaw allows remote execution of arbitrary code on vulnerable systems.

The second critical update, MS06-005, corrects problems in Windows Media Player in computers running Windows 2003/XP/2000/Me/98. This flaw also allows remote execution of arbitrary code on vulnerable computers.

Successful exploitation of these vulnerabilities allows hackers to gain remote control of the affected computer, with the same privileges as the logged on user. If this user has administrator rights, the hacker would have complete control of the system, which puts the computer at serious risk.

As well as these two updates, Microsoft has also release five other updates, which are not classified as critical.

The first malicious code in today’s report is Bagle.GZ, a worm that drops the Downloader.HRV Trojan on affected computer, which access several web pages to display advertising.

In order to spread Bagle.GZ sends an email message that tries to get the user’s attention by referring to the Winter Olympics being held in Turin until February 26. When the user opens the file attached to the message, it displays a message to trick the user into thinking that a system error has occurred, while it makes several copies of itself in the system folders.

The Trojan Banbra.BTM is used to steal the passwords of users of the Net Empresa service belonging to the Brazilian bank Bradesco. As well as passwords, this Trojan steals the digital certificates (files with a CRT extension) and keys (files with a KEY extension) used by users to access their current accounts through their computers.

Thanks to the work of PandaLabs, this worm has been deactivated, as the website housing the malicious code has been closed. To download the code, an email message has been mass-mailed that claims to come from an employee of Brandesco Net Empresa, which prompts the user to download the code.

Finally, we will look at a worm called OSX/Oomp.A. This malicious code is developed for the MacOS/X operating system, which replaces other programs in the copy with a copy of itself which includes the original program among its resources.

When it is run, this replacement file runs the malicious code and then tries to execute the original program. However, due to programming errors, the original program is not launched correctly. This worm spreads via instant messaging in a file called “latestpics.tgz’.

Don't miss