From: Sophos Alert System: Name: Troj/Bagle-X Aliases: W32/Bagle.X.worm, W32/Bagle.x!proxy, I-Worm.Bagle.v, Troj/Lohav-Fam Type: Trojan Date: 7 April 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update. At the time of writing, Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers. Information about Troj/Bagle-X can be found at: http://www.sophos.com/virusinfo/analyses/trojbaglex.html Description Troj/Bagle-X is a proxy backdoor Trojan. The Trojan runs continuously in the background providing a proxy server on a random port number above 2000. Data can be routed to other computers via the proxy in order to bypass access restrictions and to hide the IP address of the source computer. The proxy may be used to forward SPAM email. When first run the Trojan copies itself to the Windows system folder as window.exe and creates the following registry entry, so that window.exe is run automatically on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\window.exe = <Windows system folder>\window.exe The following registry entries are also created HKCU\Software\Timeout\uid = <random 9-digit string> HKCU\Software\Timeout\pid = <process ID for the Trojan> HKCU\Software\Timeout\port = <port the Trojan listens on> The Trojan tries to send connection information to several remote locations. Download the IDE file from: http://www.sophos.com/downloads/ide/bagle-x.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html --------------------------------------------------------------------- Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member