Weekly Report on Viruses and Intrusions – Bagle and Netsky Variants, Gimared and Gaobot Worms
This week’s report on viruses and intrusions focuses on three variants of Bagle (Z, AA and AB), two variants of Netsky (AA and AB), and the Gimared.A and Gaobot.PX worms.
Even though they are all variants of the same malicious code, the three new members of the Bagle worm family have some significant differences. For example, in order to spread, Bagle.AA uses e-mail messages with variable characteristics that contain images in the form of attached files with a JPEG extension. Bagle.AB spreads via P2P file sharing programs as well as e-mail.
Unlike the two variants above, Bagle.Z does not spread automatically. This worm needs a malicious user’s intervention to reach the affected computer. The means of transmission it can use include floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
The three Bagle variants can connect to several web pages that host a certain PHP script. By doing this, these worms notify their author that a computer has been infected. They also end processes belonging to antivirus and firewall programs, as well as those belonging to many other worms.
Netsky.AA and Netsky.AB are two very similar variants. Both of them spread via e-mail in a message with variable characteristics and an attached file with a PIF extension. However, they have different effects: when run, Netsky.AA displays a fake error message on screen, whereas Netsky.AB deletes the entries that other worms, like Bagle, insert in the Windows Registry.
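Both Netsky variants above, and the Bagle.AA lure described earlier, arrive as an e-mail attachment whose file extension gives the game away (PIF is a directly executable Windows extension; an image name with a trailing executable extension is a lure). The following mail-gateway attachment filter is an added example written for this report, not Panda Software's code: it reads constructed gateway log lines (the `attachment=` log format is invented for the example, and the extension lists are the author's choice rather than anything the report specifies) and returns the messages a defender should quarantine or alert on.

```python
"""Flag inbound mail attachments with executable or double extensions.

Added example for the Panda weekly report; the log format and extension
lists below are constructed assumptions, not part of the original text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows executes directly; PIF is the one the Netsky variants use.
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions used in front of a real executable one
# (e.g. "photo.jpeg.pif"), the image-lure trick the report mentions for Bagle.
LURE_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc"}

# Constructed log format: "<timestamp> from=<addr> to=<addr> attachment=<filename>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attachment=(?P<name>\S+)$"
)


@dataclass
class Finding:
    ts: str
    sender: str
    rcpt: str
    attachment: str
    reason: str


def classify_attachment(name: str) -> Optional[str]:
    """Return a reason string if the file name looks dangerous, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None                      # no extension at all
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in LURE_EXTENSIONS:
        return f"double extension .{parts[-2]}.{ext}"
    return f"executable attachment .{ext}"


def scan(lines: List[str]) -> List[Finding]:
    """Parse gateway log lines and collect the attachments that should be held."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue                     # unrelated or malformed line, skip it
        reason = classify_attachment(match["name"])
        if reason:
            findings.append(Finding(match["ts"], match["sender"], match["rcpt"],
                                    match["name"], reason))
    return findings


# Constructed sample log; addresses use reserved example domains.
SAMPLE_LOG = [
    "2004-04-30T09:12:01 from=alice@example.com to=bob@example.com attachment=report.pdf",
    "2004-04-30T09:15:44 from=news@example.net to=bob@example.com attachment=document.pif",
    "2004-04-30T09:20:10 from=friend@example.org to=carol@example.com attachment=photo.jpeg.pif",
    "2004-04-30T09:22:33 from=dave@example.com to=carol@example.com attachment=holiday.jpg",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} -> {f.rcpt}: {f.attachment} ({f.reason})")
```

Only the final extension decides what Windows runs, so the filter checks that first and reports the double-extension case separately because it indicates deliberate deception rather than a careless sender; a real deployment would match on the MIME part's file name rather than a log line.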
Gimared.A is a malicious code that spreads via e-mail. When run on a Windows NT computer, it displays a message on the screen about the social and political situation in Cuba, the country where the worm was created.
Gimared.A also notifies the affected user of its presence by sending a message to the user’s mail account.
Gaobot.PX is a dangerous worm that can carry out several actions on affected computers, as it has been designed to exploit several Windows vulnerabilities and use backdoors opened by the worms Bagle.A and Mydoom.A on infected computers.
Gaobot.PX also ends the processes belonging to antivirus programs and firewalls, leaving infected computers vulnerable to further attacks. It also prevents many antivirus programs from connecting to the web pages that allow them to update.
Gaobot.PX connects to specific IRC servers and waits for instructions from malicious users. In this way, it can download files, run commands or update itself. It can also steal confidential data, obtain system information and launch distributed denial of service (DDoS) attacks.
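Because Gaobot.PX takes its orders over IRC, an infected workstation shows up on the perimeter as an outbound TCP connection from an internal host to an external address on an IRC port. The script below is an added example for this report, not Panda Software's code: it scans constructed firewall log lines (the `src=/dst=/dport=` format is invented for the example) and lists internal hosts talking to IRC servers outside the network. The report names no ports; the 6660-6669 and 7000 range is the conventional IRC range and is an assumption of the example, as is the choice of RFC 1918 ranges as "internal".

```python
"""Report internal hosts making outbound connections on IRC ports.

Added example for the Panda weekly report. The log format, the port list
and the definition of "internal" are assumptions of the example.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Conventional IRC server ports (assumption; the report does not list ports).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# RFC 1918 ranges treated as the inside of the network (assumption).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                     # not a valid address, treat as external
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_irc_clients(lines: List[str]) -> Dict[str, List[str]]:
    """Map each internal source host to the external IRC endpoints it contacted."""
    hits = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        port = int(match["dport"])
        src, dst = match["src"], match["dst"]
        # Only inside -> outside traffic on an IRC port is interesting;
        # an internal IRC server talking to internal clients is not flagged.
        if port in IRC_PORTS and is_internal(src) and not is_internal(dst):
            hits[src].add(f"{dst}:{port}")
    return {src: sorted(endpoints) for src, endpoints in hits.items()}


# Constructed sample firewall log; external addresses come from documentation ranges.
SAMPLE_LOG = [
    "2004-04-30T10:00:01 src=192.168.1.20 dst=203.0.113.5 dport=6667 proto=tcp",
    "2004-04-30T10:00:05 src=192.168.1.20 dst=203.0.113.5 dport=6667 proto=tcp",
    "2004-04-30T10:01:00 src=192.168.1.21 dst=198.51.100.7 dport=80 proto=tcp",
    "2004-04-30T10:02:00 src=192.168.1.20 dst=198.51.100.9 dport=7000 proto=tcp",
    "2004-04-30T10:03:00 src=192.168.1.30 dst=192.168.1.40 dport=6667 proto=tcp",
    "2004-04-30T10:04:00 src=192.168.1.22 dst=203.0.113.8 dport=6669 proto=tcp",
]

if __name__ == "__main__":
    for host, endpoints in find_irc_clients(SAMPLE_LOG).items():
        print(f"{host} -> {', '.join(endpoints)}")
```

A host that appears here with several distinct external IRC endpoints, as 192.168.1.20 does in the sample, is a stronger signal than a single connection, since bot code typically carries a list of fallback servers; the same host should then be checked for the other behaviours the report lists, such as terminated antivirus processes and failing antivirus updates.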
For further information about these and other computer threats, visit Panda Software’s Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
– Script: The term script refers to files or sections of code written in programming languages like Visual Basic Script (VBScript), JavaScript, etc.
– IRC (Internet Relay Chat): System that allows users to have written conversations over the Internet in real time. It is based on client-server technology, that is, in order to use it, it is necessary to have a program (client) that establishes a connection with the computer (server) that offers the service.