Weekly Report on Viruses – Goldun.IL Trojan, HarBag.A and false blog virus

By | April 21, 2006

This week´s report includes two new codes that, although they have different functions and characteristics, share the same aim: steal user data. What´s more, PandaLabs warns of the concern that a false virus could cause.

A clear example of the new cyber-crime tendency is the Goldun.IL Trojan, which is a password stealer that tries to capture the e-gold payment details of the affected user. To do this, it goes memory resident on computers without carry out any actions until it detects that the user has accessed the e-gold web page. When this happens, it captures the passwords typed and sends them to another computer. The author of this code can collect the details from this computer and carry out operations with the user´s account.

Goldun.IL has been spread through spamming techniques. It has been mass-mailed in a file attached to an email message. The message carrying the malicious file containing Goldun.IL encourages the user to install a Service Pack that supposedly blocks Trojans that try to steal e-gold details.

This week´s PandaLabs report also refers to another Trojan called HarBag.A, whose basic mission is to collect email address to which to send the Bagle worm. To do this, it looks for 28 types of files and scans them for email addresses. These file types are files that usually contain email addresses, such as the Windows Address Book, database, temporary Internet files, etc.

After collecting the addresses, it sends them to a server where all the information is centralized. A curious feature of HarBag.A is that it only runs once on each computer, so that the hacker that receives the email addresses collected does not receive the same addresses twice.

Finally, PandaLabs includes information about a false virus for blogs that is starting to generate confusion in the blogosphere. This is simply a joke created by a Dutch author which suggests inserting an animated graphic in blogs. The graphic is a picture of a virus that makes a series of comments, such as how it intends to infect blogs around the world.

PandaLabs reminds users that even though this ´virus´ poses no threat, there is a possibility that by exploiting the impact of this joke on many blogs, the same technique might be used to spread genuinely damaging malicious code. To avoid such possible problems, PandaLabs advises users not to insert references to third-party code on personal web pages, even if they are simply jokes. For those who want to insert items from other sites, it is important to ensure that no calls are made to remote servers and that the content is hosted on the author´s server.

Leave a Reply