Panda: new "Bagle-Mitglieder" wave threatens users

- A new wave of malware with variants of Bagle
and Mitglieder now threatens users -
Virus Alerts, by Panda Software (http://www.pandasoftware.es)​

MADRID, March 1st, 2005- In the last few hours, PandaLabs has detected the appearance of six variants (BN, BO, BP, BQ, BR and BS) of the Bagle email worm, as well as four variants (BO, BP, BQ and BR) of the Mitglieder Trojan. Of these, the most active at present are Bagle.BN and Mitglieder.BO. According to Panda Software's international tech support network, the latter is causing incidents in users' computers around the globe, and is already one of the viruses most frequently detected by Panda ActiveScan, the free online scanner.

Bagle.BN and Mitglieder.BO work hand-in-glove to spread as widely as possible. Mitglieder.BO reaches computers in an email message, in an attachment that could have names like price.zip or price2.zip. If a user runs this file, the Trojan activates and tries to connect to an Internet address from which it downloads the Bagle.BN worm onto the system. Once Bagle.BN is installed on a computer, it sends Mitglieder.BO to the addresses that it finds in a file called EML.EXE, which is also downloaded from the Internet. To do this the worm uses its own SMTP engine.

In addition, Mitglieder.BO terminates processes belonging to various antivirus and security programs, and overwrites the Windows 'hosts' file to prevent users from connecting to certain web pages.

"We are up against a similar wave of viruses to the one witnessed in 2004. It would seem that given the similarities that we have detected in the source code, the new Bagle and Mitglieder variants are the work of the same person or of an organized group. In fact, the whole process began with the massive, manual sending of thousands of emails infected with Mitglieder.BO. Moreover, in order to confuse both antivirus vendors and users alike, a large number of variants have been created and circulated in a very short period of time. For this reason it is possible that new variants of both malicious codes will continue to appear over the next few hours", explains Luis Corrons, director of PandaLabs.

As Panda Software's International Tech Support has already detected incidents caused by the new malicious code, users are advised to take precautions and keep their antivirus software updated. Panda Software clients already have the updates available to detect and disinfect the new malicious code.

Panda Software's clients can already access the updates for installing the new TruPreventTM Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPreventTM Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPreventTM Technologies at http://www.pandasoftware.com/truprevent.

Users can also scan and disinfect their computers using Panda ActiveScan, the free, online scanner available from: www.pandasoftware.com.

More information about the new variants of Bagle and Mitglieder is available from: http://www.pandasoftware.com/virus_info/encyclopedia/

 

McAfee Email VIRUS ADVISORY - W32/Bagle.dldr

What is it?

Mass-spammed over the past 24 hours, W32/Bagle.dldr is a Medium Risk Trojan downloader that tries to:

* Open a communication port on your computer
* Download a .jpg picture file from various sites
* Terminate security services like anti-virus updating

Unlike earlier variants, W32/Bagle.dldr does not appear to mass-mail itself to stolen email contacts.

Note: To fortify your anti-virus defense against threats like W32/Bagle.dldr that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.

How do I know if I've been infected?

W32/Bagle.dldr copies itself to the Windows\System32 directory as winshost.exe, which VirusScan detects as W32/Bagle.dll.gen.

How do I find out more?
View details about W32/Bagle.dldr here.