On February 17, Bagle.B started to spread rapidly around the globe in an e-mail message with an attached file that has the same icon as a WAV audio file. This worm spoofs the address of the sender, which could lead to recipients of the infected message believing that it has come from a reliable source and running the attached file that actually contains the worm's code.
When it is run, Bagle.B creates a copy of itself in the Windows system directory under the name AU.EXE and inserts an entry in the Windows registry to ensure it is run whenever the computer is started up. It also tries to connect to several web pages that host a PHP script. By doing this, it notifies its author that the affected computer can be accessed through port 8866. Bagle.B only runs if the system date is February 25, 2004 or earlier.
The next two worms we are going to look at are Netsky.A and Netsky.B, which have the following characteristics in common:
- They spread via e-mail, through P2P (peer to peer) file sharing programs and across computer networks.
- They delete the entries that belong to several worms, including Mydoom.A and Mimail.T.
- When they are run, they display an error message on screen.
- They create a copy of themselves in the Windows directory under the name SERVICES.EXE.
The differences between variant A and variant B of Netsky include:
- In order to trick users, Netsky.B spoofs the address of the sender of the message it sends out by using one of the addresses it finds in certain files on the affected computer.
- Netsky.A creates the mutex AdmMoodownJklS003 to ensure that only one instance of it runs at a time.
Today's fourth worm is Deadhat.C, which spreads via the Internet and the P2P file sharing program SoulSeek. It causes boot problems in the affected computer, as it deletes files that are essential to the correct functioning of the computer. It also ends processes belonging to certain antivirus and firewall programs, leaving the computer vulnerable to attack from other malware. Similarly, it ends the processes corresponding to the Mydoom.A and Mydoom.B worms. Another characteristic of Deadhat.C worth mentioning is that it opens TCP port 2766, allowing files to be downloaded to the computer through a remote connection.
Mydoom.E spreads via e-mail in a message with variable characteristics and through the P2P file sharing program KaZaA. It drops a dynamic link library (DLL) which, in turn, creates a backdoor that listens on the first available TCP port between 3127 and 3198. This component allows an executable file to be downloaded and run, which acts as a TCP proxy server, allowing a hacker to gain remote access to the network resources. This worm is designed to stop carrying out its actions and end its process whenever it is run after February 14, 2004.
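The host indicators named above (Bagle.B's AU.EXE copy and port 8866, the Netsky SERVICES.EXE copy, Deadhat.C's port 2766 and Mydoom.E's 3127-3198 range) can be turned into a simple triage check. The following is an added example written for this report, not vendor code; the `netstat -an` lines, registry Run values and file paths are constructed, and the Windows directory is assumed to be `C:\WINDOWS`.

```python
import re
from pathlib import PureWindowsPath

# Port indicators as stated in the report (constructed mapping, not a vendor feed)
PORT_INDICATORS = {8866: "Bagle.B backdoor", 2766: "Deadhat.C remote download port"}
MYDOOM_E_PORTS = range(3127, 3199)   # first free TCP port between 3127 and 3198

# Matches listening-socket lines in the shape Windows `netstat -an` prints (constructed)
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def suspicious_ports(netstat_output):
    """Return [(port, label)] for listening TCP ports named in the report."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port = int(m.group(1))
        if port in PORT_INDICATORS:
            hits.append((port, PORT_INDICATORS[port]))
        elif port in MYDOOM_E_PORTS:
            hits.append((port, "possible Mydoom.E backdoor"))
    return hits

def suspicious_files(paths, windows_dir=r"C:\WINDOWS"):
    """Flag AU.EXE in the system directory and SERVICES.EXE directly in the Windows
    directory. The legitimate services.exe lives in system32, so matching on the
    name alone would raise a false positive; the parent directory decides.
    PureWindowsPath compares case-insensitively, like the filesystem."""
    windir = PureWindowsPath(windows_dir)
    sysdir = windir / "system32"
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() == "au.exe" and p.parent == sysdir:
            hits.append((raw, "Bagle.B dropped copy"))
        elif p.name.lower() == "services.exe" and p.parent == windir:
            hits.append((raw, "Netsky.A/B dropped copy"))
    return hits

def suspicious_run_entries(run_values, windows_dir=r"C:\WINDOWS"):
    """run_values: {value name: command} read from a Run key (constructed input)."""
    return suspicious_files([cmd.strip('"') for cmd in run_values.values()], windows_dir)

# Constructed sample data: one clean listener, two indicator ports, one outbound connection
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       10.0.0.1:80            ESTABLISHED
"""
SAMPLE_RUN = {"au.exe": r"C:\WINDOWS\system32\au.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\services.exe"]
```

Any hit is a trigger for closer inspection, not a verdict: port 3127-3198 in particular is a wide range that legitimate software may also use.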
We are going to finish today's report with Agent.B, a Trojan that has been mass-mailed in a message with an attachment or link that exploits the Internet Explorer vulnerability known as URLSpoof. Agent.B goes memory resident and captures the keystrokes the user enters in forms or web pages that contain certain key words, the majority of which belong to financial entities. It saves the data it obtains in a file, which it then sends out via e-mail.