New Bagle Worm Variant

Discussion in 'malware problems & news' started by dog, Aug 11, 2004.

Thread Status:
Not open for further replies.
  1. dog

    dog Guest

    Bagle Worm Variant Slips Through Defenses
    August 9, 2004
    By Dennis Fisher

    Another variant of the ubiquitous Bagle worm is now making its way across the Internet, flooding in-boxes with infected Zip files. The newest member of the Bagle family, named Bagle.AQ, arrives via an e-mail message with a spoofed sending address and no subject line. The only text in the message body is typically one or two words, either "price" or "new price."
    One sign of infection is that TCP and UDP port 2480 will both be open on compromised machines.

    Curry said CA has rated Bagle.AQ as a medium risk at this point, but will almost certainly up it to a high risk by the end of the day.

    eWeek article

    Another eWeek article: New Bagle Opens Broad Attack
    Last edited by a moderator: Aug 11, 2004
  2. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Trend NewsLetter: WORM_BAGLE.AC

    WORM_BAGLE.AC is another variant of the BAGLE worm. It is a memory-resident, mass-mailing worm that deviates slightly from the usual BAGLE propagation routine of directly mass-mailing itself to a list of recipients. Instead, it makes use of a Trojan downloader component and an HTML script component to propagate. Using a built-in SMTP (Simple Mail Transfer Protocol) engine, this worm sends an email with a spoofed sender's name and the message, "new price". The email does not have a subject but has a .ZIP file attachment, containing the worm's components. It also attempts to propagate via network shares. Continuing the same pattern as previous versions of the BAGLE worm, this variant removes autorun registry entries and mutexes associated with its rival worm, NETSKY. WORM_BAGLE.AC is currently spreading in the wild, and runs on Windows NT, 2000, and XP.

    Upon execution, it drops copies of itself using the following filenames in the Windows system folder: WINDLL.EXE, WINDLL.EXEOPEN, WINDLL.EXEOPENOPEN

    This worm sends out ZIP-compressed files containing TROJ_BAGLE.AC and HTML_BAGLE.AC, using its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It searches for and harvests email addresses from files with the following extension names: ADB ASP CFG CGI DBX DHTM EML HTM JSP MBX MDX MHT MMF MSG NCH ODS OFT PHP PL SHT SHTM STM TBB TXT UIN WAB WSH XLS XML

    It skips email addresses that contain any of the following strings, to avoid certain recipients such as antivirus and software vendors: @avp. @derewrdgrs @foo @iana @messagelab @microsoft @eerswqe abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip

    The email it sends has the following details:
    From: <spoofed>
    Subject: <none>
    Message body: new price
    Attachment: (any of the following)

    If the email attachment is a password-protected .ZIP file, this worm may have the following email format:

    Message body:
    Password: <image password>
    Pass - <image password>
    Password - <image password>

    This worm drops copies of itself in folders that contain the string shar in their names. It uses any of the following interesting filenames to trick users into downloading the copies:

    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Kaspersky Antivirus 5.0
    KAV 5.0
    Matrix 3 Revolution English Subtitles.exe
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Office XP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack, working
    Opera 8 New!.exe
    Porno pics arhive, xxx.exe
    Porno Screensaver.scr
    Porno, sex, oral, anal cool, awesome!!.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe

    This routine allows it to propagate via local network shares and popular peer-to-peer network shares. This worm removes certain entries related to NETSKY variants in several registry keys, and creates mutexes to prevent NETSKY variants from executing.

    If you would like to scan your computer for WORM_BAGLE.AC or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

    WORM_BAGLE.AC is detected and cleaned by Trend Micro pattern file 1.953.00 and above.