Weekly Report on Viruses and Intruders – Bagle Worm IB and IZ Variants

Every week, Panda Software publishes a report with information explaining the most notable viruses and threats that have appeared during the week. In this week’s report, PandaLabs looks at two variants of the notorious Bagle worm, IB and HZ, as well as a malicious code that exploits a vulnerability in Internet Explorer.

Bagle.IB, the first of the two variants of Bagle in the report, includes rootkit functions. These functions allow it to hide files, Windows registry entries or processes. In order to go unnoticed on the compromised system, it tries to disable no less than 495 different processes, all of them related to security solutions such as antivirus solutions and firewalls.

The other worm from the Bagle family that we are looking at in today’s report, Bagle.HZ, uses almost exactly the same system as the IB variant, but disables a total of 525 processes.

Both variants of Bagle use a file called M_HOOK.SYS, which is in fact the rootkit component. Thanks to this component, the Bagle processes remain hidden to searches carried out.

This technique used by rootkits represents a serious problem, as the hidden processes could be performing dangerous actions such as capturing passwords or stealing user data, without symptoms that can be detected by certain security tools.

Finally, today’s report from Panda Software looks at the code created specifically to exploit the “createTextRange()” vulnerability in Internet Explorer running on Windows 2003/XP/2000/Me/98.

Due to this vulnerability, if Internet Explorer tries to display a web page with an unexpected “createTextRange()” method call to HTML objects, system memory can be corrupted, allowing arbitrary code to be run on the vulnerable computer.

A TextRange object represents text in an HTML document and is used to recover and modify text, to find specific text strings and to run commands that affect the appearance of the text.

To exploit this vulnerability, hackers host malicious code on a web page and then try to convince users to visit it. In addition, it can also be exploited through the sending of messages with links to a malicious web page.

Panda Software detects the code associated with the exploit of this vulnerability as CreatetxtRange, warning users of its presence on web pages visited.

Don't miss