Trend Alert: PE_BAGLE.Q

Discussion in 'malware problems & news' started by Randy_Bell, Mar 19, 2004.

  1. Randy_Bell

    Dear Trend Micro Customer:

    As of 1:08 AM PST, March 18, 2004, TrendLabs has declared a Yellow Alert to control the spread of PE_BAGLE.Q. TrendLabs has received numerous infection reports of this malware spreading in Korea and Japan.

    This new BAGLE variant is capable of infecting files. It propagates via email in two ways. The first is by sending emails that do not have an attachment. Instead, the email contains a link which, upon opening the email, starts a series of events that eventually downloads this file infector onto the system. The second is that the email may contain varying subjects, message bodies, and attachment file names, just like its earlier variants.

    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 95
    Official Pattern Release 826
    Damage Cleanup Template 292

    Please inform us if there are any infection reports in your region.

    For more information on PE_BAGLE.Q, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q
     
  2. Randy_Bell

    PE_BAGLE.Q is similar to other recent BAGLE variants, in that it also infects files. It attempts to spread via peer-to-peer file-sharing networks, and has backdoor capabilities, but its distinctive feature is the use of a known vulnerability to propagate. This virus propagates by sending itself as an email attachment to target addresses it gathers from the infected system, and by exploiting a known vulnerability to increase its chances of spreading. More information about the vulnerability is available from the following Microsoft page: http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

    PE_BAGLE.Q runs on Windows 98, ME, NT, 2000 and XP.

    This new BAGLE variant drops the following files in the Windows system folder:

    DIRECTS.EXE
    DIRECTS.EXEOPEN

    It also adds a registry entry that allows it to execute at every Windows startup.

    This virus propagates by exploiting a vulnerability within Internet Explorer that allows a malicious user to run arbitrary code on a user's system, by creating an HTML-based email that uses this exploit. Using this exploit, the virus sends an email message that does not contain an attachment, but a link to the virus copy in a remote location. When viewed, this email message automatically downloads an .HTML file. The downloaded .HTML file drops a Visual Basic script (VBS) file named Q.VBS in the Windows system folder. The dropped .VBS file, in turn, accesses a remote location in order to download and execute PE_BAGLE.Q. VBS_BAGLE.Q also downloads and executes a randomly named file (usually with a JPEG extension) in the Windows system folder. It saves this file as SM.EXE.

    This file infector may also use another routine for spreading via email, but this routine did not manifest during lab testing. Obtaining its target email recipients from the infected system, this virus should send email messages. It avoids sending copies of itself to email addresses containing the following strings:

    @avp.
    @hotmail
    @iana
    @messagelab
    @microsoft
    abuse
    admin
    anyone@
    bugs@
    cafee
    certific
    contract@
    feste
    free-av
    f-secur
    gold-certs@
    google
    help@
    icrosoft
    info@
    linux
    listserv
    local
    nobody@
    noone@
    noreply
    ntivi
    panda
    postmaster@
    rating@
    root@
    samples
    sopho
    support
    winrar
    winzip

    This virus also drops copies of itself in folders with the string "shar" in their names. The dropped copies may have any of the following file names:

    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Ahead Nero 7.exe
    Matrix 3 Revolution English Subtitles.exe
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Office XP working Crack, Keygen.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Opera 8 New!.exe
    Porno pics arhive, xxx.exe
    Porno Screensaver.scr
    Porno, sex, oral, anal cool, awesome!!.exe
    Serials.txt.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    WinAmp 6 New!.exe
    Windown Longhorn Beta Leak.exe
    Windows Sourcecode update.doc.exe
    XXX hardcore images.exe

    PE_BAGLE.Q also has a backdoor component that listens and waits for remote commands.

    If you would like to scan your computer for PE_BAGLE.Q or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    PE_BAGLE.Q is detected and cleaned by Trend Micro pattern file #827 and above.
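    As an added example (not part of the alert or Trend Micro's tooling), the host artifacts named in the post above can be turned into a simple offline indicator check: the system-folder drops (DIRECTS.EXE, DIRECTS.EXEOPEN, Q.VBS, SM.EXE), the lure names copied into folders containing "shar", and a startup entry that launches one of the dropped files. The system folder path, the Run-key value names and all sample paths are constructed assumptions for illustration.

```python
"""Offline indicator check for the PE_BAGLE.Q artifacts described in the alert."""
from pathlib import PureWindowsPath

# Files the alert says are dropped into the Windows system folder.
SYSTEM_FOLDER_DROPS = {"directs.exe", "directs.exeopen", "q.vbs", "sm.exe"}

# Lure file names dropped into folders whose names contain "shar" (from the alert).
SHARE_LURES = {
    "acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe",
    "matrix 3 revolution english subtitles.exe",
    "microsoft office 2003 crack, working!.exe",
    "microsoft office xp working crack, keygen.exe",
    "microsoft windows xp, winxp crack, working keygen.exe",
    "opera 8 new!.exe", "porno pics arhive, xxx.exe", "porno screensaver.scr",
    "porno, sex, oral, anal cool, awesome!!.exe", "serials.txt.exe",
    "winamp 5 pro keygen crack update.exe", "winamp 6 new!.exe",
    "windown longhorn beta leak.exe", "windows sourcecode update.doc.exe",
    "xxx hardcore images.exe",
}

# Assumed system folder; real hosts differ (e.g. C:\WINNT\SYSTEM32 on NT/2000).
DEFAULT_SYSTEM_FOLDER = r"C:\WINDOWS\SYSTEM32"


def classify_path(path, system_folder=DEFAULT_SYSTEM_FOLDER):
    """Return an indicator label for one file path, or None if it matches nothing."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if str(p.parent).lower() == system_folder.lower() and name in SYSTEM_FOLDER_DROPS:
        return f"system-folder drop: {p.name}"
    # The alert says copies land in folders with "shar" in their names.
    if "shar" in p.parent.name.lower() and name in SHARE_LURES:
        return f"P2P lure copy: {p.name}"
    return None


def scan_paths(paths, system_folder=DEFAULT_SYSTEM_FOLDER):
    """Map each matching path from a file listing to its indicator label."""
    hits = {}
    for path in paths:
        label = classify_path(path, system_folder)
        if label:
            hits[path] = label
    return hits


def check_run_values(run_values):
    """Flag startup (Run key) values whose command launches a dropped file.

    run_values: mapping of value name -> command string, as exported from a Run key.
    The alert only says "a registry entry"; the value names are an assumption.
    """
    return {name: cmd for name, cmd in run_values.items()
            if any(drop in cmd.lower() for drop in SYSTEM_FOLDER_DROPS)}
```

Feed `scan_paths` a recursive directory listing and `check_run_values` an export of the Run keys to triage a host; a hit on any of these is a reason to run the pattern-file scan the post refers to.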
     
  3. Fung Kuei


    Trend Micro detected PE_Bagle.Q only AFTER it had infected >15 thousand files at my employer's network in Taiwan. :-(
     