Information on Renova.B and Bagle.KT worms

This week’s report includes information about the Renova.B and Bagle.KT worms, and the MS06-072, MS06-073, MS06-074, MS06-075, MS06-076, MS06-077 and MS06-078 vulnerabilities announced by Microsoft, three of which have been classified as critical. 

Renova.B is a worm that, when run, installs itself on the infected computer and makes copies of itself in different paths. It also renames the msvbvm60.dll library as msvbvm60.Renova, affecting the functionality of programs that use this file. It also directly attacks certain security programs, even blocking access to the program folders of this software.

As it is a worm, its principal aim is to propagate, which it does by attaching itself to replies to email messages in the inbox and copying itself to shared folders of the KaZaA P2P program.

Another feature of Renova.B is that it changes the home pages of the most common Internet browsers, such as Internet Explorer, Firefox and Opera.

Bagle.TK is an email worm that uses its own SMTP engine to spread. It reaches users in email messages with variable subject fields and a ZIP attachment, with names like new_price%date%, where %date% is the date of the infection. When this attachment is run, the worm is downloaded onto the system.

This malicious code is designed to download files from certain websites. These can be any type of file, including malware. Bagle.TK creates a series of entries in the Windows Registry in order to ensure it is run every time the system is started up.

The security bulletins published this week by Microsoft include three “critical” vulnerabilities in Internet Explorer (MS06-072), Visual Studio 2005 (MS06-073) and Windows Media Player (MS06-078). Another four vulnerabilities are classified as “important” and refer to remote code execution (MS06-074 and MS06-077) and privilege elevation in Windows (MS06-075). The vulnerability described in bulletin MS06-076 affects Outlook Express.



