Panda ALERT: New variant, BC, of Bagle worm

- AMBER ALERT: A new variant, BC, of the Bagle worm
appears and spreads rapidly -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

MADRID, October 29, 2004 - PandaLabs has detected the appearance of the BC variant of the Bagle worm. This new malicious code has started spreading rapidly, causing numerous incidents in users' computers around the globe. For this reason, Panda Software has declared an amber alert. Panda Software clients that have already installed the new TruPrevent Technologies have preventive protection against this worm, as they were able to detect and block this new virus without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Bagle.BC spreads rapidly via email. The messages carrying this worm have the following characteristics:

Subject: (any of the following):
Re:
Re:Hello
Re:Hi
Re:Thank you!
Re:Thanks

Message: ó )

Attachments (any of the following):
Joke
Price
price

The extension of these files can be: com, cpl, exe or scr.

What's more, Bagle.BC spoofs the address of the sender of the email message that causes the infection.

If the user runs the attachment, Bagle.BC looks for email addresses to send itself out to in the files with certain extensions stored on the affected computer. To do this, and to spread even wider, Bagle.BC copies itself to all the directories whose name contains the text string 'shar', which are usually shared folders. By doing this, it can easily spread across networks and P2P applications. To achieve this aim, it uses a large number of attractive names to entice users, such as ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, and many others.

Bagle.BC also ends the processes of many antivirus and security programs, leaving the computer vulnerable to attack from other malicious code, making Bagle.BC an even more dangerous worm. However, Bagle.BC cannot deactivate the TruPrevent Technologies, and therefore, computers with this protection installed are perfectly safe from this worm.

Another dangerous effect of Bagle.BC is that it opens the TCP communications port 81, allowing a hacker to carry out remote attacks. It also tries to download a file called G.JPG from certain Internet addresses.

In order to ensure that it is always present on computers, Bagle.BC creates three copies of itself called wingo.exe, wingo.exeopen and wingo.exeopenopen, and inserts an entry in the Windows Registry to ensure it is run whenever the computer is started up.

According to Luis Corrons, head of PandaLabs, "Bagle.BC is here to pick up the cyberwar that started a few months ago between several groups of virus creators. This time, it is a malicious code that uses social engineering and can spread extremely rapidly. These two characteristics make Bagle.BC a particularly dangerous worm, as users have a high probability of receiving an email message carrying this malicious code."

To prevent incidents involving Bagle.BC, Panda Software advises users to take precautions and update their antivirus software.

Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against this and other new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent.

For further information about Bagle.BC, visit Panda Software's Virus Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=53891.

In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com.

 

WHOAAA!
This is WAR!

My firewall is blocking many attacks from zombie computers right now!
Must be this virus infecting many machines.

 

Too bad I didn't read this earlier today. I was checking my work email from home and I noticed an email that look like it was someone I had not seen in a long time. My curiosity was my undoing, but luckily NOD32 came to the rescue - Virus Log - Win32/Bagle.AU worm - connection terminated!

 

See Also this thread:
Trend Alert: WORM_BAGLE.AU

which along with Trend's alert, contains a similar Panda alert to the above, for the related "BD" and "BE" variants {by Panda's nomenclature} of this worm.