Trend Alert: WORM_BAGLE.AZ

Discussion in 'malware problems & news' started by Randy_Bell, Jan 27, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Trend Micro Medium Risk Virus Alert - WORM_BAGLE.AZ

    Dear Trend Micro customer,

    As of January 27, 2005 1:42 AM PST (Pacific Standard Time/GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AZ. TrendLabs has received several infection reports indicating that this malware is spreading in US, China, and Japan.

    This WORM_BAGLE variant arrives on a system as an email attachment. It sends copies of itself to all email addresses it gathers from files with certain extensions but skips those addresses that contain particular strings.

    ===============================
    Users must be wary of the email it sends that have the following details:

    Subject: (any of the following)
    Delivery service mail
    Delivery by mail
    Registration is accepted
    Is delivered mail
    You are made active
    Thanks for use of our software.
    Before use read the help

    Message body: (any of the following)
    Delivery service mail
    Delivery by mail
    Registration is accepted
    Is delivered mail
    You are made active
    Thanks for use of our software.
    Before use read the help

    Attachments: (any of the following file names)
    guupd02.exe
    Jol03.exe
    siupd02.exe
    upd02.exe
    viupd02.exe
    wsd01.exe
    zupd02.exe

    (with any of the following extensions)
    COM
    CPL
    EXE
    SCR
    ===============================

    The email is spoofed and may appear to have come from a familiar email address. As a general rule, users should avoid opening the attachments of unsolicited email.

    This worm drops a copy of itself using the following file names into the Windows system folder:

    sysformat.exe
    sysformat.exeopen
    sysformat.exeopenopen

    It also looks for folders that have the string shar then drops copies of itself using file names with EXE extensions into those folders.

    In addition, this worm terminates several processes, most of which are related to antivirus and security programs.

    TrendLabs has uploaded the following:

    TMCM Outbreak Prevention Policy 140
    Official Pattern Release 2.375.00
    Damage Cleanup Template 495

    For more information on WORM_BAGLE.AZ, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AZ

    Contact av_query@support.trendmicro.com for inquiries and to report infections in your region.
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Panda: Orange Alert: Bagle.BK and Bagle.BL

    - Panda Software warns of the rapid propagation
    of Bagle.BK and Bagle.BL -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

    Madrid, January 27, 2005 - PandaLabs has detected the appearance of the new worms Bagle.BK and Bagle.BL. They are both designed to spread rapidly via email -in messages that use social engineering-, and using P2P applications like KaZaA. Panda Software's international support network has already begun to register incidents caused by Bagle.BL in countries such as Holland and the USA, and it is likely, given the characteristics, that the number of computers affected by the worms will start to increase. With this in mind, Panda Software has set the virus alert level at orange.

    Panda Software clients that already have TruPrevent Technologies to combat unknown viruses and, have had preventive protection against Bagle.BK and Bagle.BL from the moment they first appeared, as they can detect and block them without having previously identified them (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

    Bagle.BK and Bagle.BL reach computers in email messages with spoofed sender addresses and with subject fields chosen at random from a list of options. Possible subjects include: "Delivery by mail" or "Delivery service mail". The message text may include phrases like: "Before use read the help" or "Thanks for use of our software". The message attachments, which actually contain the worms, have variable names, although their extension is always COM, CPL, EXE or SCR.

    Full information on the characteristics of the messages in which Bagle.BK and Bagle.BL are spread is available in Panda Software's Virus Encyclopedia.

    In order to spread via P2P applications like KaZaA or Morpheus, both worms create -in the programs' shared folders- copies of themselves with names such as ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, among others. This is to bait other users into downloading them and then executing them.

    Regardless of how they reach computers, when a file containing either of the worms is run, they use their own SMTP engine to send themselves to the email addresses they find in files with certain extensions stored on the computer. Nevertheless, they avoid sending themselves out to certain addresses, principally those related to IT security software companies.

    The most dangerous action that both variants of Bagle take is the termination of processes in memory related to antivirus and security applications, leaving computers defenseless against further attack.

    They also make several entries in the Windows registry to ensure they are run every time the system is started up and delete others that could exist as the result of infection by variants of Netsky.

    Due to the high possibility of being infected by Bagle.BK and Bagle.BL, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect these new malicious codes.

    Panda Software clients who already have the new TruPrevent Technologies installed along with their antivirus have been protected since the worms first emerged, as these preventive technologies have been able to detect and block them without needing to be able to identify them first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

    Users can also scan and disinfect their computers using Panda ActiveScan, the free, online scanner available from: www.pandasoftware.com

    More information about Bagle.BK and Bagle.BL is available from Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    More Details, from Trend NewsLetter

    WORM_BAGLE.AZ is another variant in the BAGLE family. This worm arrives as an email attachment, and once executed, it sends copies of itself to all email addresses it gathers from files with certain extensions, and skips those addresses that contain particular strings. The email it sends is spoofed, and may appear to have come from a familiar email address. The worm drops a copy of itself into the Windows system folder, and looks for folders that have the string "shar", then drops copies of itself using file names with .EXE extensions (it assumes that these folders are shared). In addition, this worm displays various icons and terminates several processes, most of which are related to antivirus and security programs. This worm ceases to perform most of its malicious routines on April 25, 2006 or later. It is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, 2000, and XP.

    Upon execution, this worm drops a copy of itself using the following file names into the Windows system folder:

    * sysformat.exe
    * sysformat.exeopen
    * sysformat.exeopenopen

    It then creates two registry entries. One registry enty allows it to execute at every Windows startup. By adding this entry, it enters an infinite loop in 100-millisecond intervals. As a result, this worm can never be deleted as long as it is in memory. The second registry entry is used to determine how long it has executed on a system. If this registry entry indicates that it is 25 days from its first execution, this worm uninstalls itself from the system. It also uninstalls itself when the system date is April 25, 2006 or later.

    It looks for folders that have the string "shar" and drops copies of itself using the following file names:

    * 1.exe
    * 2.exe
    * 3.exe
    * 4.exe
    * 5.scr
    * 6.exe
    * 7.exe
    * 8.exe
    * 9.exe
    * 10.exe
    * Ahead Nero 7.exe
    * Windown Longhorn Beta Leak.exe
    * Opera 8 New!.exe
    * XXX hardcore images.exe
    * WinAmp 6 New!.exe
    * WinAmp 5 Pro Keygen Crack Update.exe
    * Adobe Photoshop 9 full.exe
    * Matrix 3 Revolution English Subtitles.exe
    * ACDSee 9.exe

    This worm attempts to propagate via email using its own Simple Mail Transfer Protocol (SMTP) engine. It searches for email addresses with certain extensions. View the full list of extensions.

    It sends email with the following details:

    Subject: (any of the following)

    * Delivery service mail
    * Delivery by mail
    * Registration is accepted
    * Is delivered mail
    * You are made active

    Message body: (any of the following)

    * Thanks for use of our software.
    * Before use read the help

    Attachments: (any of the following file names)

    * guupd02
    * Jol03
    * siupd02
    * upd02
    * viupd02
    * wsd01
    * zupd02

    (with any of the following extensions)

    * COM
    * CPL
    * EXE
    * SCR

    The worm skips email addressess that contain certain strings. It terminates specific processes, mostly related to antivirus and security programs. It also attempts to connect to, and download files from, certain Web sites. View the complete list of strings, processes and Web sites in the Technical Details section of Trend's Site..

    Several registry entries associated with WORM_NETSKY variants are also deleted, and mutexes are created to prevent NETSKY variants from running on the systems already infected with this BAGLE worm.

    This worm opens opens a port and listens for commands coming from a remote malicious user. It executes these commands on an infected system, providing the remote malicious user virtual control over the system.

    If you would like to scan your computer for WORM_BAGLE.AZ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_BAGLE.AZ is detected and cleaned by Trend Micro pattern file #2.375.00 and above.
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Panda Free Tool for Removing new Bagle Variants

    - Free tool for removing the Bagle.BK and Bagle.BL worms -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

    Madrid, January 28, 2005 - Variants BK and BL of the Bagle worm are still causing incidents in users computers worldwide. In fact, according to data gathered by the free online antivirus Panda ActiveScan, Bagle.BL is already one of the most frequently detected viruses and the USA, Spain and Poland are the most affected countries.

    To prevent these worms from continuing to spread, especially through computers that do not have adequate anti-malware protection installed, Panda Software has released its free PQRemove utility, which detects and eliminates Bagle.BK and Bagle.BL from all the computers they may have infected. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities?track=17610

    Panda Software clients who already have the new TruPrevent Technologies installed have been protected since these worms first emerged, as these preventive technologies have been able to detect and block Bagle.BK and Bagle.BL without needing to be able to identify them first. More information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent.

    Bagle.BK and Bagle.BL reach computers in email messages with spoofed sender addresses and with subjects chosen at random from a list of options. Possible subjects include: 'Delivery by mail' or 'Delivery service mail'. The message text may include phrases like: 'Before use read the help' or 'Thanks for use of our software'. The message attachments, which actually contain the worms, have variable names, although their extension is always COM, CPL, EXE or SCR. They can also spread using P2P applications like KaZaA or Morpheus by creating copies of themselves under names like ACDSee 9.exe or Adobe Photoshop 9 full.exe.

    The most dangerous action that both variants of Bagle take is to end the processes in memory related to antivirus and security applications, leaving computers defenseless against possible attacks.

    Due to the high possibility of being infected by Bagle.BK and Bagle.BL, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect these new malicious code.

    Panda Software clients who already have the new TruPrevent Technologies installed along with their antivirus have been protected since the worms first emerged, as these preventive technologies have been able to detect and block them without needing to be able to identify them first. More information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent.

    Users can also scan and disinfect their computers using Panda ActiveScan, the free, online scanner available from: www.pandasoftware.com

    More information about Bagle.BK and Bagle.BL is available from Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/
     
Thread Status:
Not open for further replies.