Beware! BMP files may contain a new virus
Agent, a new Trojan using BMP files has been mailed to users worldwide
Kaspersky Labs, a leading information security software developer, has
detected a mass mailing of a new Trojan named Agent. Agent infects
victim machines when users view graphics in BMP format.
Agent exploits a vulnerability in MS Internet Explorer versions 5.0 and
5.5 which allows malicious code to be launched on victim machines via
modified BMP files. This vulnerability was a direct result of the
Windows source code leak and was first detected on February 16, 2004.
Agent was mailed using spammer technology in an infected email that only
contains a BMP file with a random name. The file is created especially
for the Russian version of Windows 2000; the malicious code will not
function on other language versions. This implies that Agent was
probably created in Russia or a CIS country.
Should a user open the BMP file, Agent immediately connects to a remote
server located in the Libyan domain zone, downloading and installing a
second Trojan named Throd.
Throd is a classic spyware program. The Trojan first copies itself into
the Windows system registry autorun keys and then awaits further
commands. The 'master' can remotely execute various commands on the
victim machine including copying data, collecting addresses from MS
Outlook and turning the infected computer into a proxy server
functioning as a platform for anonymous cyber crimes.
"Throd is obviously written for spammers," comments Eugene Kaspersky,
Head of Anti-Virus Research at Kaspersky Labs, "the Trojan harvests
email addresses and creates a network of zombie machines for massive
spammer attacks. Once again, we see a confirmation that spammers and
virus-writers are working hand in hand."
To date, Microsoft has not issued a patch for this vulnerability. In
other words, the only protection users have is up-to-date anti-virus
software. "Moreover, it is very likely that malware attacking other
versions of Windows will soon appear", adds Eugene Kaspersky, "I
strongly recommend that users make sure that their anti-virus software
protects them from malware exploiting this particular Windows
vulnerability."
Kaspersky Anti-Virus does scan the contents of BMP files and
automatically detects suspicious objects attempting to penetrate via
either the Internet or email. The solution neutralizes Agent
automatically and our anti-virus databases have been updated to detect
Throd.
Detailed descriptions of both Trojans are available in the Kaspersky
Virus Encyclopedia
(http://www.viruslist.com/eng/viruslist.html?id=1503649,
http://www.viruslist.com/eng/viruslist.html?id=1499171).
Best Regards, Denis Zenkin
Head of Corporate Communications
Kaspersky Labs