Trend Micro Virus Alert: new Bagles

Discussion in 'malware problems & news' started by Randy_Bell, Nov 4, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    The Trouble with BAGLEs
    from Trend Micro NewsLetter, November 4, 2005

    Trend Micro researchers have discovered two new variants of the notorious BAGLE family of worms. Although WORM_BAGLE.BQ and WORM_BAGLE.BS have not caused a high number of infections, they are utilizing a relatively new technique – adding a downloader between the Trojan and worm components as part of a “tri-component” technique – which enables a far more dynamic spreading mechanism and a higher potential for damage. Although security experts first saw this technique in mid-September with a series of other BAGLE variants, its re-emergence suggests that this could become more prominent – and destructive – in the future.

    According to Jamz Yaneza, Senior Research Engineer at Trend Micro, the URLs to which the code points are continuously changing to prevent the downloader from being detected. “At times they appear to be down, then they are brought back up again. This appears to give the author enough time to repack the code, thereby modifying the identifying file,” he said.

    Security experts warn that these new variants could possibly mark the beginning of a concerning trend. A future variant with a slightly better refined propagation technique – including the use of a packer with polymorphic capabilities and utilizing an established Bot network – could lead to a significant number of infections.

    If you would like to scan your computer for WORM_BAGLE.BQ and WORM_BAGLE.BS, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

    For additional information about WORM_BAGLE.BQ and WORM_BAGLE.BS please visit: and
  2. lotuseclat79

    lotuseclat79 Registered Member

    Jun 16, 2005
    Virus Scan Pattern 2-927 protects against and according to the WhatsNew file for update 2-927. Note: VSP 2-929 is currently latest released.

    -- Tom
  3. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Thanks, Randy, for that update.

    The success of a trojan depends on its downloader.

    From F-Secure Virus Descriptions : Trojan-Downloader

    "Trojan downloader, when run, usually installs itself to system and waits until Internet connection becomes available. After that it attempts to connect to a web or ftp site, download specific file or files and run them."

    Should the trojan somehow get installed, the firewall can contain the damage locally by blocking the outbound connection, as in this example of a bagle variant, here first attempting to disable the firewall (as shown by the password box), then to connect out:


    ~~Be ALERT!!! ~~
    Last edited: Nov 5, 2005