Weekly Report on Viruses and Intruders – Lovgate.AO, Korgo.X, Evaman.A and Bagle.AD Worms
Lovgate.AO is a virus with worm-type characteristics. It spreads via email and shared network drives and resources, and by exploiting the Buffer Overrun in RPC DCOM Interface vulnerability. It affects computers running Windows 2003/XP/2000/NT and infects files with EXE extensions, inserting code at the beginning and end of the files.
Lovgate.AO installs a backdoor on the infected computer, which listens on a port selected at random. It does this in order to allow remote access to the computer, and it takes action that could compromise the confidentiality of data stored on the system (it collects information which it then sends to the person who created the code) or impede users from working on the computer. In addition, if Lovgate.AO finds certain processes -related to antivirus programs and other worms- active in memory, it terminates them.
The first actual worm that we’ll look at today is Korgo.X, which uses the Windows LSASS vulnerability to spread across the Internet and install itself automatically on computers. It also affects all Windows platforms, although it only enters automatically on systems with Windows XP and 2000 that haven’t been updated.
The “X” variant of Korgo goes memory resident and connects to a series of IRC servers, from which it can download files and run them on the infected computer.
The next worm we’ll be talking about today is Evaman.A. It spreads via an email simulating an error message, to all the addresses it finds on a certain website. On some occasions, when Evaman.A is run for the first time it opens Notepad.
This report will finish by looking at Bagle.AD, a worm that spreads both via e-mail and P2P file-sharing applications.
Bagle.AD opens and listens on TCP port 1234, waiting for a remote connection. Through this connection, it could allow an attacker to compromise confidential data or take action that would impede the normal use of the computer. This feature of the worm will remain active until January 24, 2005. To notify its creator that the PC is remotely accessible through the open port, the worm connects to a website with a PHP script.
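A fixed listening port like the one described above is something a responder can check for on a suspect machine. The script below is an added example and is not part of the original report or any vendor tool: it parses Windows `netstat -ano` style output (a constructed sample is embedded), reports TCP listeners on the port the report attributes to Bagle.AD, and lists any established sessions to the owning process, which is the evidence that the backdoor is actually being used. Lovgate.AO's backdoor picks a random port, so a port watchlist cannot catch it; that case is deliberately left out of the watchlist.

```python
"""Flag TCP listeners on ports associated with known backdoors.

Added example, not code from the report. Assumes the Windows `netstat -ano`
column layout ("Proto  Local Address  Foreign Address  State  PID").
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto local_addr port pid")

# Ports the report associates with a backdoor. Only fixed ports belong here;
# Lovgate.AO listens on a random port and cannot be matched this way.
SUSPICIOUS_PORTS = {1234: "Bagle.AD backdoor (report: listens on TCP 1234)"}

# Constructed sample output in `netstat -ano` layout (not real capture data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.10:1234      192.168.1.50:3077      ESTABLISHED     1588
  TCP    192.168.1.10:49152     10.0.0.5:80            ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    1204
"""

# State column is absent for UDP rows, so it is optional in the pattern.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(text):
    """Return TCP sockets in LISTENING state as Listener tuples."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        # rpartition handles bracketed IPv6 addresses as well as IPv4.
        host, _, port = m.group("local").rpartition(":")
        found.append(Listener("TCP", host, int(port), int(m.group("pid"))))
    return found


def flag_suspicious(listeners, watch=SUSPICIOUS_PORTS):
    """Pair each listener on a watched port with the reason it is watched."""
    return [(lst, watch[lst.port]) for lst in listeners if lst.port in watch]


def established_peers(text, pid):
    """Foreign endpoints with ESTABLISHED TCP sessions owned by the given PID."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("state") == "ESTABLISHED" and int(m.group("pid")) == pid:
            peers.append(m.group("remote"))
    return peers


if __name__ == "__main__":
    for lst, reason in flag_suspicious(parse_listeners(SAMPLE_NETSTAT)):
        print(f"PID {lst.pid} listening on {lst.local_addr}:{lst.port}: {reason}")
        for peer in established_peers(SAMPLE_NETSTAT, lst.pid):
            print(f"  established session from {peer}")
```

On a live host, feed the output of `netstat -ano` in place of the constructed sample and confirm the flagged PID against the process list before acting; port 1234 can be in legitimate use, so the listener alone is a lead, not a verdict.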
Bagle.AD eliminates entries corresponding to some variants of the Netsky worm from the Windows registry, preventing them from activating when Windows is started up. When it is run it displays a false error message.