Weekly Report on Viruses and Intruders – Bagle.JP, Bagle.JQ and Sixem.A worms, Downloader.JFN Trojan

The Bagle.JP, Bagle.JQ and Sixem.A worms, the Downloader.JFN Trojan, the backdoor Trojan Breplibot.R, the spyware Browsezilla, and the vulnerability discovered in HLINK.DLL, are the subject of this week’s report from PandaLabs.

Bagle.JP and Bagle.JQ are worms from the Bagle family, whose first variants appeared in the year 2004. A prime characteristic of this family of worms has been the ability to spread massively by email and the large number of variants launched by the creators. The new Bagle.JP and Bagle.JQ variants spread in a password-protected .zip file attached to an email, which also includes a .gif image with the password needed to open the file. The infection occurs if the user opens the .zip file with the password provided and then runs the file. Both worms collect email addresses from the infected computer in order to spread to other users and have rootkit options to hide their files, processes and registry entries. In addition, they disable a series of processes related with security tools such as antiviruses and firewalls.

Sixem.A is an email worm that uses the subject of the FIFA World Cup as bait. When run, it downloads the Downloader.JGP Trojan onto computers. Among other tactics, it tries to encourage users to open an image supposedly relating to a “nudist world cup’, although this is really an executable file with a double extension. To avoid detection, Sixem.A disables a series of processes related to system security, including antivirus programs and firewalls.

Downloader.JFN is a Trojan that exploits a currently unpatched vulnerability detected in Microsoft Excel that could allow arbitrary code to be run on the computer. The Trojan infects systems through an Excel file created especially to exploit this vulnerability. On opening the malicious Excel file, Downloader.JFN is injected in the Internet Explorer process and then downloads and runs another Trojan. The Trojan cannot spread itself, and requires user interaction in order to infect a computer (e.g. opening an email attachment or file downloaded from a website).

Breplibot.R is a backdoor Trojan that opens a communication port on computers and connects to an IRC server to receive commands that allow remote control over the infected computer. It makes a call to the netsh command to prevent being blocked by the firewall. Breplibot.R also requires user intervention in order to spread, (e.g. opening an email attachment or file downloaded from a website or P2P networks). This worm has been detected attached to messages that refer to an alleged oil fraud involving George W. Bush and Tony Blair.

Browsezilla is an Internet browser that can be downloaded from numerous web pages. When installed, it installs the adware PicsPlace on computers, which in turn connects users, without their knowledge, to certain adult content web pages. This generates an artificial number of hits on these websites, with the consequent financial benefits to the owners of the websites and the creators of Browsezilla. The consequences for users that install this browser are primarily unnecessary bandwidth usage caused by the hidden connection to these web pages. In addition, users could find themselves unjustly accused of visiting these pornographic websites.

PandaLabs has also warned this week of a vulnerability discovered in HLINK.DL, a library used by several Microsoft Office programs, such as Microsoft Excel. Exploits of this vulnerability have been detected that can infect computers using a specially-crafted Excel file. This document could be distributed by email or downloaded from a website. There is currently no patch available for this vulnerability, and users are therefore advised to treat all Excel files received with caution, regardless of their origin.

Don't miss