Weekly Report on Viruses and Intruders – BarcPhish phishing attack, the Spamta.X and Microsoft vulnerabilities
This week’s report from Panda Software looks at the BarcPhish phishing attack, the Spamta.X worm and the MS06-052, MS06-053 and MS06-054 vulnerabilities affecting some of Microsoft’s products.
BarcPhish is a large-scale phishing attack targeting clients of Barclays Bank’s online services and involving at least 70 variants of a spoof email. The scale of this attack saw the number of fraudulent emails detected daily by PandaLabs increase by 30 percent in just a few hours.
The false emails received by users are designed to appear as if they have been sent by Barclays’ customer services, with the subject chosen at random from a list of options, including: Barclays bank official update, Barclays bank – Security update, Please Read, and Verify your data with Barclays bank. The message text, which imitates Barclays’ corporate image, tells users that the bank is upgrading its software and that they should follow a link to confirm their bank details.
Users who click on the link are taken to forms similar to those used by the bank, which request their account number, credit card number or PIN. The forms are hosted on servers under the attackers’ control, not on the bank’s domain, which is the detail that gives the attack away.
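The following is an added example, not code from the Panda report or from PandaLabs: a small triage check over a raw email that flags the pattern described above, a sender claiming to be the bank whose links lead off the bank’s domain. The bank domain (barclays.co.uk), the normalised subject list and the two sample messages (one lure, one legitimate) are constructed for the example and are assumptions, not data from the report.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumptions for this example (not taken from the report): the bank's
# legitimate domain and a normalised form of the lure subjects listed above.
BANK_DOMAIN = "barclays.co.uk"
LURE_SUBJECTS = {
    "barclays bank official update",
    "barclays bank - security update",
    "please read",
    "verify your data with barclays bank",
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample lure: the spoofed sender claims to be the bank, the subject
# is one of the report's variants, and the link points at a non-bank host.
PHISH_SAMPLE = """\
From: Barclays Customer Services <customer.services@barclays.co.uk>
To: customer@example.com
Subject: Barclays bank \u2013 Security update
Content-Type: text/plain; charset="utf-8"

Dear Barclays customer,

We are upgrading our software. Please verify your data by visiting
http://203.0.113.5/barclays/verify.php and confirming your details.
"""

# Constructed legitimate sample: the only link stays on the bank's own domain.
LEGIT_SAMPLE = """\
From: Barclays Online Banking <noreply@barclays.co.uk>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is ready at https://www.barclays.co.uk/ after you log in.
"""


def normalise_subject(subject: str) -> str:
    """Lower-case, unify dash characters and collapse whitespace."""
    subject = subject.lower().replace("\u2013", "-").replace("\u2014", "-")
    return " ".join(subject.split())


def host_in_domain(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a proper subdomain of it.
    A substring test would accept lookalikes such as barclays.co.uk.example.net."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_message(raw: str) -> dict:
    """Return the signals that mark a message as a BarcPhish-style lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = str(msg["From"] or "").lower()
    subject = normalise_subject(str(msg["Subject"] or ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = URL_RE.findall(text)
    foreign = [u for u in links
               if not host_in_domain(urlparse(u).hostname or "", BANK_DOMAIN)]
    claims_bank = "barclays" in from_hdr
    return {
        "claims_bank": claims_bank,
        "lure_subject": subject in LURE_SUBJECTS,
        "asks_for_details": bool(re.search(r"confirm|verify|update", text, re.I)),
        "foreign_links": foreign,
        # Decision: the sender claims to be the bank, yet a link leads off the
        # bank's domain. The subject list and wording are supporting signals
        # only, because the real attack rotated through at least 70 variants.
        "suspicious": claims_bank and bool(foreign),
    }


if __name__ == "__main__":
    for name, sample in (("lure", PHISH_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, classify_message(sample))
```

The domain check is the part worth copying: it matches on whole labels, so a host such as barclays.co.uk.example.net or notbarclays.co.uk is treated as foreign, whereas a naive "barclays" substring test would wave both through.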
Spamta.X is an email worm that sends messages with subjects including Error, Good Day or Mail Delivery System, and text content such as: Mail transaction failed. Partial message is available.
The worm is hidden in an attachment to these messages. The attachment’s name is variable and it carries two extensions, both chosen at random from a list of options; it also displays the typical icon of .txt files, so it passes for a harmless text file when Windows hides the final, executable extension.
If the user runs the file, Windows Notepad opens and displays a list of garbled characters, while in the background several files are created on the system and new registry entries are added.
Spamta.X also modifies the hosts file, primarily to prevent users from reaching security-related websites. To spread, the worm searches files with certain extensions on the infected computer for email addresses and sends itself to them.
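The following is an added example, not code from the Panda report or from PandaLabs, covering the two artifacts described above: an audit of a hosts file for non-local names pointed at loopback or 0.0.0.0, and a check for the double-extension attachment trick. The sample hosts file, the local-name list, the security-vendor keyword list and the extension lists are constructed for the example and are assumptions, not indicators taken from the report.

```python
import ipaddress

# Constructed sample hosts file (not a real capture): a normal entry plus the
# kind of lines the report describes, pointing security vendors at loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
127.0.0.1       update.symantec.com   # appended by the worm
0.0.0.0         downloads.mcafee.com
192.0.2.10      intranet.corp.example
"""

# Names that legitimately resolve to loopback (assumption for this example).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Illustrative watchlist (an assumption, not from the report), used only to
# label a blocked host as security-related in the findings.
SECURITY_KEYWORDS = ("panda", "symantec", "mcafee", "sophos", "kaspersky",
                     "trendmicro", "microsoft", "windowsupdate")
# Executable extensions and the document-type extensions used as decoys.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXT = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}


def audit_hosts(text: str) -> list:
    """Flag hosts entries that map any non-local name to a loopback or
    unspecified address, the signature of an access-blocking modification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].split()   # drop comments, tokenise
        if len(entry) < 2:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                             # not an address line
        if not (addr.is_loopback or addr.is_unspecified):
            continue                             # ordinary mapping, leave it
        for host in entry[1:]:
            h = host.lower()
            if h in LOCAL_NAMES:
                continue
            findings.append({
                "line": lineno,
                "address": str(addr),
                "host": h,
                "security_related": any(k in h for k in SECURITY_KEYWORDS),
            })
    return findings


def is_disguised_executable(filename: str) -> bool:
    """True for names such as 'message.txt.exe' or 'mail.doc      .scr': a
    document-type extension followed by an executable one. Explorer's default
    'hide extensions for known file types' setting hides only the last one,
    so the user sees a .txt or .doc name next to a .txt icon."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    for name in ("Mail transaction.txt.exe", "readme.txt", "setup.exe"):
        print(name, "->", is_disguised_executable(name))
```

On a workstation the hosts file normally maps only localhost names to loopback, so any other name pointed at 127.0.0.1 or 0.0.0.0 deserves a look regardless of whether it matches the keyword list; the keyword tag only tells the analyst which of those entries fit the report’s description of blocking security sites.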
Finally, we look at three vulnerabilities in Microsoft products: MS06-052, MS06-053 and MS06-054. The first of these, MS06-052, is classified as important and could allow attackers to take remote control of affected computers. The most concerning, however, is MS06-054, which affects Microsoft Office and specifically the Publisher application. It is classified as critical because it allows malicious Publisher files to be constructed which, if opened by the user, run malicious code on the system; since no action beyond opening the file is needed, the corresponding Microsoft update should be applied promptly.