Trend Alert: WORM_BAGLE.AU

Discussion in 'malware problems & news' started by Randy_Bell, Oct 29, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Dear Trend Micro customer,

    As of October 29, 2004 9:40 AM (GMT -7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AU. TrendLabs has received several infection reports indicating that this malware is spreading in US, Japan, Sweden, Germany, Mexico, France, Argentina, Chile, Brazil, and Canada.

    Like other BAGLE variants, the success of this worm may be attributed to its plain and brief email messages that bear the following details:

    From: <spoofed>
    Subject: any of the following
    • Re:
    • Re: Hello
    • Re: Hi
    • Re: Thank you!
    • Re: Thanks

    Message body: any of the following
    • :))

    Attachment: any of the following
    • PRICE
    • JOKE

    with the following extension names
    • COM
    • CPL
    • EXE
    • SCR

    This worm scans an infected system for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of its harvested email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thus launching this worm.

    When run, it proceeds to drop copies of itself in folders with names containing the text string shar, or in shared folders. It also uses file names that appear legitimate and attractive. This enables this worm to propagate through the network as other users may accidentally download a copy of this worm thinking it is a normal application or a text file.

    This worm also compromises system security by terminating several antivirus and security-related applications if found active on a system. It also connects to a list of Web sites where it may download components. It also opens port 81 possibly for its backdoor activities.

    Continuing a notable BAGLE routine, it attacks another worm family known as NETSKY. It deletes several registry entries and file names associated with NETSKY. It also creates several mutexes that prevent the execution of NETSKY variants on the infected machine.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 132
    Official Pattern Release 2.226.00
    Damage Cleanup Template 445

    For more information on WORM_BAGLE.AU, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AU
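A mail-gateway check for the message characteristics listed in the alert above (subject, the ":))" body, and the PRICE/JOKE attachment with a COM, CPL, EXE or SCR extension), as an added example that is not part of the original post or of Trend Micro's tooling. The sample message and its addresses are constructed; the spoofed From header is deliberately not used as a signal.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the WORM_BAGLE.AU alert (compared case-insensitively)
BAGLE_AU_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks"}
BAGLE_AU_BODY = ":))"
BAGLE_AU_NAMES = {"price", "joke"}
BAGLE_AU_EXTS = {"com", "cpl", "exe", "scr"}


def attachment_names(msg):
    """Return the file name of every part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def bagle_au_indicators(raw):
    """Parse a raw RFC 822 message and return the list of matched indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BAGLE_AU_SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    if body == BAGLE_AU_BODY:
        hits.append("body")
    for name in attachment_names(msg):
        stem, _, ext = name.rpartition(".")
        if stem.lower() in BAGLE_AU_NAMES and ext.lower() in BAGLE_AU_EXTS:
            hits.append("attachment:" + name)
    return hits


def is_bagle_au_candidate(raw):
    """Flag only when subject, body and attachment all match, to keep false positives low."""
    hits = bagle_au_indicators(raw)
    return "subject" in hits and "body" in hits and any(h.startswith("attachment:") for h in hits)


def build_sample(subject, body, filename):
    """Constructed test message (hypothetical addresses, not a real capture)."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A single matching indicator (a "Re: Thanks" subject alone) is common in legitimate mail, so the combined check is what should drive quarantine, while the individual hits are useful for logging.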
     
  2. Randy_Bell

    Panda Alert: new Bagle variants, BD and BE

    - RED ALERT: While the Bagle.BC continues causing incidents worldwide, new variants, BD and BE, have appeared -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    MADRID, October 29, 2004 - The Bagle.BC worm is increasing its already high rate of propagation, causing more and more incidents in users' computers worldwide. Just a few hours after it appeared, it has made the top half of the ranking of the viruses most frequently detected by the online antivirus scanner, Panda ActiveScan. Even so, the number of incidents caused by this worm is expected to continue increasing and new variants are expected to emerge over the next few hours.

    This has prompted Panda Software to declare a Red Virus Alert as a preventive measure, so that all users can protect themselves against these worms and prevent their computers from being infected. Similarly, companies also risk their communications being slowed down by the large number of emails that mail servers will have to process.

    In addition to this worm, PandaLabs has detected the appearance of the two new variants, BD and BE, of the same worm. As with Bagle.BC, Panda Software clients that have already installed the new TruPrevent Technologies have preventive protection against these worms, as they were able to detect and block these new variants of the Bagle worm without needing to be able to identify them first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

    Panda Software has made the corresponding updates available to its clients to detect and disinfect these new worms. What's more, it has made its free PQRemove utility available to all users to effectively detect and eliminate Bagle.BC from computers affected by this worm. Users can download this utility from http://www.pandasoftware.com/download/utilities/

    With the appearance of these new variants, the objective of the authors of these worms is obvious: release the maximum number of malicious code to increase the huge probability of computers being hit by one of them. According to Luis Corrons: "this is a technique that is being used more often. Virus creators know that the reaction time to new threats is critical, and therefore, the faster they can release various viruses, the easier it is for users to take too long to update their system. This problem is resolved with our TruPrevent Technologies, which have blocked these new worms without users needing to do a thing."

    The new variants detected are very similar to Bagle.BC, a worm that spreads via email, networks and P2P applications like KaZaA. However, they do have some differences, such as the number of files they generate on the computers they infect.

    The three new Bagle worms share the fact that they have been designed to end the processes belonging to antivirus and security applications running in memory. However, none of these worms can affect the functioning of the TruPrevent Technologies.

    To prevent incidents involving the new variants of Bagle, Panda Software advises users to take precautions and to keep their antivirus software updated.

    Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against these and other new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent

    For further information about Bagle.BC, Bagle.BD and Bagle.BE, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

    In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com
     