From: eSecurityPlanet, part of the Earthweb network

New Bagle Variant Spreads Via Email, Network Shares
May 7, 2004

Trend Micro Friday issued a medium-level threat alert for Worm_Bagle.Z, a memory-resident worm that spreads via email and network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,vvf,1,ka16,648t,1std,6jmd

Upon execution, it drops a copy of itself in the Windows system folder using any of the following file names:

DRVDDLL.EXE
DRVDDLL.EXEOPEN
DRVDDLL.EXEOPENOPEN

It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. The email it sends out contains a message body only if its attachment is a password-protected .ZIP file.

View a sample email that this worm sends out and other information at this Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.Z

Malware Has Several Malicious Capabilities

Bkdr_Spybot.ZA is malware usually downloaded from a particular FTP (File Transfer Protocol) site by the malicious batch file detected as BAT_SPYBOT.ZA. Similar to its earlier variants, this malware has the following capabilities:

Terminate processes
Log keystrokes
Execute programs
Obtain names of active windows/dialog boxes
Create/remove directories
Scan ports
Join/quit a channel
Join/quit an IRC server
Redirect packets from one port to another
Send raw messages
List all running processes

Technical details are at this Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SPYBOT.ZA&VSect=T

Lovgate Variant Copies Itself to Windows Folder, Drops Files

W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks.
W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe, and to the Windows folder as systra.exe. The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll, which provide unauthorised remote access to the computer over a network.

The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:

WORK
setup
important
bak
letter
pass

The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32lovgatev.html

Worm Copies Itself to Temp Folder, Drops Files

W32/Famus-C will make an additional copy of itself as Red7324.exe in the Temp folder, along with other files which are used for mailing the worm. Among these will be the file SMTP.OCX, a freeware SMTP engine used in the mailing of W32/Famus-C to email addresses found on the computer. Other dropped files include:

c:/En Cuba no hay libertad de expresion ("In Cuba there is no freedom of expression") - an empty file
/temp/Casper9247.exe - used by the worm
/temp/att1.att1 - contains the email's file attachment name
/temp/msg.msg - contains the email's message text
/temp/sub.sub - contains the email's subject line

The email sent by the worm will have the following characteristics:

Subject line: Famous / Famosos
Message text: ¿Sabes por que los famosos son famosos? ¿Do you know why the famous are famous?
Password: "123"
Attachment: Famous.exe

Another email may also be sent out without a copy of the worm, with certain characteristics. View them and other information at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32famusc.html

Sdbot Worm Variant Sets Registry Entries to Run at System Logon

Sophos also issued an alert for W32/Sdbot-JT, a member of the W32/Sdbot family of worms.
W32/Sdbot-JT copies itself to the Windows system folder as nmsmtp32.exe and sets the following registry entries to ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows driver update = \nmsmtp32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows driver update = \nmsmtp32.exe

--Compiled by Esther Shein ~ eSecurityPlanet

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
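As an added example (editor's own code, not part of the newsletter above and not Trend Micro's or Sophos' tooling), the Python below turns the indicators in the newsletter items into a host check. It classifies file paths against each worm's drop list, scoped to the Windows, system and Temp folders so that the legitimate iexplore.exe under Program Files is not flagged; it parses .reg export text for the W32/Sdbot-JT "Windows driver update" Run value under HKCU and HKLM; and it inspects an archive named like a W32/Lovgate-V drop (WORK, setup, important, bak, letter or pass with a ZIP or RAR extension) for a PassWord, email or book member with an EXE, SCR, PIF or COM extension, parsing the bytes as ZIP regardless of the extension because the newsletter says the ZIP may carry a RAR name. The sample paths, the .reg text (including the benign ctfmon.exe line) and the in-memory archive are constructed for this example; the folder C:\WINDOWS\System32 in the Sdbot-JT value data is an assumption, since the newsletter shows only "\nmsmtp32.exe"; all function names are the editor's.

```python
"""Host IOC check built from the indicators in the newsletter items above.
Indicator names come from the newsletter; the sample paths, .reg text and
in-memory archive are constructed, and C:\\WINDOWS\\System32 is assumed."""
import io, re, zipfile
from pathlib import PureWindowsPath

# File names each worm drops, lower-cased (Windows names are case-insensitive).
DROPPED_FILES = {
    "Worm_Bagle.Z": {"drvddll.exe", "drvddll.exeopen", "drvddll.exeopenopen"},
    "W32/Lovgate-V": {"winhelp.exe", "iexplore.exe", "kernel66.dll", "ravmond.exe",
                      "systra.exe", "msjdbc11.dll", "mssign30.dll", "odbc16.dll"},
    "W32/Sdbot-JT": {"nmsmtp32.exe"},
    "W32/Famus-C": {"red7324.exe", "casper9247.exe", "smtp.ocx"},
}
# The worms write into the Windows folder, its system folder or Temp; scoping
# to those parents keeps the real iexplore.exe under Program Files from matching.
DROP_DIRS = {"windows", "system", "system32", "temp"}

def classify_dropped_file(path):
    """Return the worm family whose drop list contains this file, else None."""
    p = PureWindowsPath(path)
    if p.parent.name.lower() not in DROP_DIRS:
        return None
    for family, names in DROPPED_FILES.items():
        if p.name.lower() in names:
            return family
    return None

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

def find_run_key_persistence(reg_export):
    """Scan .reg-export text for Sdbot-JT's autostart value under either Run key,
    matching on the value name or the file it launches; returns (key, name, data)."""
    hits, key, in_run = [], None, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_run = key.lower() in RUN_KEYS
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not (in_run and m):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if name.lower() == "windows driver update" or data.lower().endswith("nmsmtp32.exe"):
            hits.append((key, name, data))
    return hits

ARCHIVE_STEMS = {"work", "setup", "important", "bak", "letter", "pass"}
PAYLOAD_STEMS = {"password", "email", "book"}
PAYLOAD_EXTS = {".exe", ".scr", ".pif", ".com"}

def lovgate_archive_members(archive_name, data):
    """Members of an archive named like a Lovgate-V drop that match its packed-copy
    naming; [] otherwise. The outer extension is not trusted: .rar is parsed as ZIP."""
    outer = PureWindowsPath(archive_name)
    if outer.stem.lower() not in ARCHIVE_STEMS or outer.suffix.lower() not in {".zip", ".rar"}:
        return []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return [n for n in zf.namelist()
                if PureWindowsPath(n).stem.lower() in PAYLOAD_STEMS
                and PureWindowsPath(n).suffix.lower() in PAYLOAD_EXTS]

def build_sample_archive():
    """Constructed stand-in for a Lovgate-V drop; PassWord.scr is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PassWord.scr", b"placeholder bytes, not a real executable")
    return buf.getvalue()

# Constructed sample inputs mixing the worms' drops with benign files.
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\drvddll.exe",
    r"C:\WINDOWS\System32\iexplore.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\Temp\Red7324.exe",
    r"C:\WINDOWS\System32\ctfmon.exe",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows driver update"="C:\\WINDOWS\\System32\\nmsmtp32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows driver update"="C:\\WINDOWS\\System32\\nmsmtp32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{classify_dropped_file(path) or 'benign':14} {path}")
    for key, name, data in find_run_key_persistence(SAMPLE_REG):
        print(f"W32/Sdbot-JT   {key} -> {name} = {data}")
    for member in lovgate_archive_members("important.rar", build_sample_archive()):
        print(f"W32/Lovgate-V  important.rar contains {member}")
```

Run as a script it prints the hits from the constructed inputs. On a live host you would feed it a directory listing of the Windows, system and Temp folders, the output of `reg export` for the two Run keys, and the bytes of any archive found on shares with one of the listed names; a hit is a reason to pull the file for analysis, not proof by itself, because names such as odbc16.dll or SMTP.OCX can be legitimate in other locations.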