[24hoursupport] W32/Bagle-mm spreading rapidly

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: 24hoursupport@xxxxxxxxxxxxx
  • Date: Mon, 19 Jan 2004 15:58:33 -0800

 
There is a new virus making the rounds this week; its subject is "Hi". Please use caution with your email.

Try to find a more descriptive keyword.
____________________________

From: VirusEye@xxxxxxxxxxxxxxx
Subject: MessageLabs Intelligence virus alert: W32/Bagle-mm, HIGH LEVEL

W32/Bagle-mm spreading rapidly

During 18th and 19th January 2004, MessageLabs, the email security
company, intercepted a significant number of copies of a new virus known
as W32/Bagle-mm. The majority of intercepted copies have been sent from
Australia.


Name:  W32/Bagle-mm  

Aliases:  I-Worm.Bagle, W32/Bagle@MM, W32.Beagle.A@mm, 
W32/Bagle-A, Bagle, WORM_BAGLE.A

General

The worm arrives as an attachment to an email and has a random filename,
with a .exe extension.

W32/Bagle-mm searches the infected machine for email addresses and then
uses its own SMTP engine to send itself to the addresses found.

Email Characteristics

Subject: Hi
Text:   Test =)
   
Attached file: <random name>.exe 


The attached file may appear as a calculator icon. 
The worm deliberately launches the Calculator application as a disguise. 

W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and
sets the following registry entry to ensure the worm is run at logon: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe 

The worm also sets the following registry entries: 

HKCU\Software\Windows98\uid
HKCU\Software\Windows98\frun 

W32/Bagle-A includes a backdoor component which listens on TCP port 6777. 
This allows an attacker to upload and execute arbitrary programs on infected
computers. 

From: F-Secure

Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/bagle.shtml

Disinfection 

Special Disinfection Tool 

F-Secure has developed a special disinfection tool for this worm. 
The tool will detect and remove an active Bagle infection from the
computer.


The Bagle removal tool can be downloaded in a ZIP file from: 

http://www.f-secure.com/tools/f-bagle.zip 

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip 

From Panda:
Panda Software offers all users its free PQREMOVE application,
designed to effectively clean any computer affected by Bagle.A.

This tool can be downloaded from the following address:
**  http://www.pandasoftware.com/download/utilities/  **

More information:
Computer Associates
http://www3.ca.com/virusinfo/virus.aspx?ID=38019

Sophos
http://www.sophos.com/virusinfo/analyses/w32baglea.html

Symantec
http://www.symantec.com/avcenter/venc/data/w32.beagle.a@xxxxxxx

Trend:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A
___________________________________________

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike 
<http://www3.telus.net/mikebike/mikes_virus_page.htm>
A Technical Support Alliance & OWTA Charter Member 
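The "Email Characteristics" section of the forwarded alert gives three indicators a mail gateway can key on: the subject "Hi", the body "Test =)" and a randomly named .exe attachment. The following script is an added example, not code from the advisory or from any vendor named above; it uses only the Python standard library, builds constructed sample messages itself (the attachment bytes are a placeholder, not the worm), and reports which indicators a message matches. The function and sample names are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Mail indicators quoted from the advisory above.
BAGLE_SUBJECT = "Hi"
BAGLE_BODY = "Test =)"


def bagle_indicators(raw: bytes) -> list:
    """Return the Bagle-A mail indicators present in a raw RFC 822 message.

    Possible entries: "subject", "body", "exe-attachment:<filename>".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg.get("Subject") or "").strip()
    if subject == BAGLE_SUBJECT:
        hits.append("subject")

    # Compare only the text/plain body; the worm's body is a bare "Test =)".
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text == BAGLE_BODY:
        hits.append("body")

    # The advisory says the attachment has a random name but always .exe.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            hits.append(f"exe-attachment:{name}")
    return hits


def is_suspected_bagle(raw: bytes) -> bool:
    """True when subject, body and an .exe attachment all match the advisory."""
    hits = bagle_indicators(raw)
    has_exe = any(h.startswith("exe-attachment:") for h in hits)
    return "subject" in hits and "body" in hits and has_exe


def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Constructed sample message (hypothetical addresses, placeholder attachment)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes only; this is not an executable.
        msg.add_attachment(b"placeholder-not-a-real-binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "worm-like": build_sample("Hi", "Test =)", "calc_8f2a.exe"),
        "no attachment": build_sample("Hi", "Test =)"),
        "ordinary mail": build_sample("Meeting", "See you at 3.", "agenda.pdf"),
    }
    for label, raw in samples.items():
        print(f"{label:14} suspected={is_suspected_bagle(raw)} hits={bagle_indicators(raw)}")
```

All three indicators must match before a message is flagged; a subject of "Hi" on its own is too common to act on, which is why `bagle_indicators` returns the individual hits for logging while `is_suspected_bagle` requires the full pattern.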
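The alert also lists what the worm leaves on a host: a Run value named d3dupdate.exe under HKCU, the dropped file bbeagle.exe in the Windows system folder, marker values under HKCU\Software\Windows98, and a backdoor listening on TCP port 6777. Below is an added triage script, not part of the advisory or any vendor tool, that checks those indicators against a `.reg` export and a `netstat -ano` listing collected from a machine; both inputs here are constructed samples, and the function names are this example's own.

```python
import re

# Host indicators quoted from the advisory above (reg-export spelling of the hive).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "d3dupdate.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
DROPPED_FILE = "bbeagle.exe"
BACKDOOR_PORT = 6777


def check_reg_export(reg_text: str) -> list:
    """Scan text in `reg export` format for the Run value and marker key."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower() == MARKER_KEY.lower():
                findings.append(f"marker key present: {current_key}")
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == RUN_VALUE or data.lower().endswith(DROPPED_FILE):
                findings.append(f"Run value {name} -> {data}")
    return findings


def check_netstat(netstat_text: str) -> list:
    """Find TCP listeners on the backdoor port in `netstat -ano` output."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            local = fields[1]
            port = int(local.rsplit(":", 1)[1])
            if port == BACKDOOR_PORT:
                pid = fields[4] if len(fields) > 4 else "?"
                findings.append(f"TCP listener on {local} (pid {pid})")
    return findings


def triage(reg_text: str, netstat_text: str) -> dict:
    """Combine both checks; 'suspected' is True when anything matched."""
    reg = check_reg_export(reg_text)
    net = check_netstat(netstat_text)
    return {"registry": reg, "network": net, "suspected": bool(reg or net)}


# Constructed sample of an HKCU export on an infected host (values are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"d3dupdate.exe"="C:\\WINDOWS\\system32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="12345"
"frun"="1"
"""

# Constructed sample of `netstat -ano` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2211
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_NETSTAT)
    for finding in result["registry"] + result["network"]:
        print("!", finding)
    print("suspected:", result["suspected"])
```

The registry check matches on either the value name or the target filename, so a variant that keeps bbeagle.exe but renames the Run value (or the reverse) is still caught; a clean export and a netstat listing without port 6777 produce an empty finding list.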


