Panda Software reports on the new Bagle.B worm - 02/17/04

Discussion in 'malware problems & news' started by Marianna, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Bagle.B has been designed to spread highly effectively by e-mail. The
    greatest danger however, lies in its ability to spoof the address of the
    sender. This could lead to recipients of the infected message believing that
    it has come from a reliable source and running the attached file which
    actually contains the worm.

    The rest of the message containing Bagle.B has the following
    characteristics:

    Subject:

    ID <random text>... thanks

    Message text:

    Yours <random text>
    --
    Thank

    The attachment itself has a name generated at random.

    When it is run, Bagle.B creates a copy of itself under the name au.exe and
    makes an entry in the Windows registry to ensure it is run on every system
    start up.

    Bagle.B has also been designed to update itself from certain web pages and
    is programmed to cease its activity on February 25.

    More information on Bagle.B is available from Panda Software's Virus
    Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

    SAME as: W32/Tanx-A

    Aliases
    Win32/Bagle.B

    http://www.sophos.com/virusinfo/analyses/w32tanxa.html
     
  2. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Heads-up on this one, everyone. Gathering steam... :doubt:
     
  3. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    More info from Kaspersky:

    This worm spreads via the Internet in the form of an attachment to infected emails.
    The worm itself is a PE EXE file of approximately 11KB, compressed using UPX. The size of the decompressed file is approximately 16KB.

    Characteristics of infected messages:

    Message header:

    ID x... thanks

    with x being a string of random characters.
    Message text:

    Yours ID x
    --
    Thank

    with x being a string of random characters.
    File Attachment:
    The attachment has a random name, with a file size of 11KB.

    Installation
    Once launched, the worm copies itself to the Windows system directory using the filename 'au.exe' and registers this file in the system registry auto-run key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "au.exe" = "%system%\au.exe"

    The worm attempts to connect to a number of remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder. On launching, the worm launches the Sound Recorder utility (sndrec32.exe).
    Propagation
    The worm searches for files with the following extensions: wab, txt, htm, html and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
    Remote administration
    The worm opens and monitors port 8866. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
    Further information
    The worm is programmed to stop propagating after 25th February 2004.

    http://www.avp.ch/avpve/worms/email/bagleb.stm
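A defender-side triage check built from the message characteristics and the autostart entry quoted in the posts above. This is an added example, not code from the original thread, Panda or Kaspersky; the attachment-size tolerance, the sample messages and the sample Run-key contents are constructed.

```python
import re
from dataclasses import dataclass

# Subject "ID <random>... thanks" and body "Yours [ID] <random> / -- / Thank",
# as described in the write-ups above.
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s+thanks$")
BODY_RE = re.compile(r"^Yours\s+(?:ID\s+)?\S+\s*\n--\s*\nThank$")
# "approximately 11KB" attachment; the +/- tolerance is an assumption.
ATTACH_MIN, ATTACH_MAX = 10_000, 12_500

# Persistence indicator: Run key value "au.exe" = "%system%\au.exe".
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "au.exe"


@dataclass
class Message:
    subject: str
    body: str
    attachment_name: str = ""
    attachment_size: int = 0


def bagle_b_indicators(msg: Message) -> list:
    """Return the names of the Bagle.B e-mail indicators the message matches."""
    hits = []
    if SUBJECT_RE.match(msg.subject.strip()):
        hits.append("subject")
    if BODY_RE.match(msg.body.strip()):
        hits.append("body")
    is_exe = msg.attachment_name.lower().endswith(".exe")
    if is_exe and ATTACH_MIN <= msg.attachment_size <= ATTACH_MAX:
        hits.append("attachment")
    return hits


def run_key_has_au_exe(run_values: dict) -> bool:
    """True when a Run key snapshot (value name -> data) holds the au.exe entry."""
    return run_values.get(RUN_VALUE, "").lower().endswith("\\au.exe")


# Constructed samples, not real captures: one Bagle.B-style mail, one benign.
SAMPLES = [
    Message("ID w7qz2... thanks", "Yours ID w7qz2\n--\nThank", "kd83a.exe", 11264),
    Message("Re: meeting notes", "See attached.\n-- \nBob", "notes.pdf", 48211),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(repr(m.subject), "->", bagle_b_indicators(m) or "clean")
    print("au.exe autostart present:", run_key_has_au_exe({"au.exe": r"%system%\au.exe"}))
```

Three matched indicators on one message is a strong triage signal; a subject-only hit deserves a look at the attachment before concluding anything.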
     