-=PCTechTalk=- Fw: [WinTips-Tricks] W32/Bagle-mm spreading rapidly

  • From: "Lionel." <percy10@xxxxxxxxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Tue, 20 Jan 2004 17:28:12 +1100

Just in case some of you did not see this.   Lionel. 



----- Original Message ----- 
From: Mike 
To: WinTips-Tricks@xxxxxxxxxxxxxxx 
Sent: Tuesday, January 20, 2004 10:59 AM
Subject: [WinTips-Tricks] W32/Bagle-mm spreading rapidly


There is a new virus making the rounds this week.

Its Subject is "  Hi  "; please use caution with your email. 

Try to find a more descriptive keyword.
____________________________

From: VirusEye@xxxxxxxxxxxxxxx
Subject: MessageLabs Intelligence virus alert: W32/Bagle-mm, HIGH LEVEL

W32/Bagle-mm spreading rapidly

During 18th and 19th January 2004, MessageLabs, the email security
company, intercepted a significant number of copies of a new virus known
as W32/Bagle-mm. The majority of intercepted copies have been sent from
Australia.


Name:  W32/Bagle-mm  

Aliases:  I-Worm.Bagle, W32/Bagle@MM, W32.Beagle.A@mm, 
W32/Bagle-A, Bagle, WORM_BAGLE.A

General

The worm arrives as an attachment to an email and has a random filename,
with a .exe extension.

W32/Bagle-mm searches the infected machine for email addresses and then
uses its own SMTP engine to send itself to the addresses found.

Email Characteristics

Subject: Hi
Text:       Test =)
   
Attached file: <random name>.exe 


The attached file may appear as a calculator icon. 
The worm deliberately launches the Calculator application as a disguise. 

W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and
sets the following registry entry to ensure the worm is run at logon: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe 

The worm also sets the following registry entries: 

HKCU\Software\Windows98\uid
HKCU\Software\Windows98\frun 

W32/Bagle-A includes a backdoor component which listens on TCP port 6777. 
This allows an attacker to upload and execute arbitrary programs on infected
computers. 

From F-Secure:

Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/bagle.shtml

Disinfection 

Special Disinfection Tool 

F-Secure has developed a special disinfection tool for this worm. 
The tool will detect and remove an active Bagle infection from the
computer.


The Bagle removal tool can be downloaded in a ZIP file from: 

http://www.f-secure.com/tools/f-bagle.zip 

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip 

From Panda:
Panda Software offers all users its free PQREMOVE application, 
designed to effectively clean any computer affected by Bagle.A.

This tool can be downloaded from the following address:
**  http://www.pandasoftware.com/download/utilities/  **

More information:
Computer Associates
http://www3.ca.com/virusinfo/virus.aspx?ID=38019

Sophos
http://www.sophos.com/virusinfo/analyses/w32baglea.html

Symantec
http://www.symantec.com/avcenter/venc/data/w32.beagle.a@xxxxxxx

Trend
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A
___________________________________________

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike 
<http://www3.telus.net/mikebike/mikes_virus_page.htm>
A Technical Support Alliance & OWTA Charter Member 
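
The email characteristics listed in the alert above (subject "Hi", text "Test =)", an attachment ending in .exe) can be turned into a mail-filter check. The following is an added example, not part of the original message or of any vendor's tool; the function names, the example.invalid addresses and the sample messages are constructed for illustration, and it assumes the first non-blank line of the body is the "Test =)" text.

```python
from email.message import EmailMessage

def bagle_traits(msg):
    """Return which of the alert's three email traits a parsed message shows."""
    traits = set()
    # Subject: Hi (the forwarded note shows it padded with spaces)
    if (msg.get("Subject") or "").strip() == "Hi":
        traits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Attached file: <random name>.exe, so only the extension is checked
            if name.strip().lower().endswith(".exe"):
                traits.add("exe_attachment")
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            lines = [l.strip() for l in raw.decode("latin-1").splitlines()]
            lines = [l for l in lines if l]
            # Text: Test =)  (assumption: it is the first non-blank line)
            if lines and lines[0] == "Test =)":
                traits.add("body")
    return traits

def looks_like_bagle(msg):
    """Flag only when all three traits from the alert are present together."""
    return bagle_traits(msg) == {"subject", "body", "exe_attachment"}

def build_sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "rcpt@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a program",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m

if __name__ == "__main__":
    samples = [build_sample("Hi", "Test =)", "qzxvbn.exe"),
               build_sample("Hi", "Lunch at noon?"),
               build_sample("Setup", "See attached", "Installer.EXE")]
    for s in samples:
        print(s["Subject"], sorted(bagle_traits(s)), looks_like_bagle(s))
```

Requiring all three traits together keeps an ordinary "Hi" message from being quarantined; the individual traits can still be logged for review.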




