From Kaspersky Virus News. Wednesday, April 20, 2005

******************************************************************

1. New variant of Bagle widely spammed
2. Security Rules

****

1. New variant of Bagle widely spammed

Kaspersky Lab, a leading developer of secure content management solutions, has detected Email-Worm.Win32.Bagle.bn. The author of Bagle has been particularly active since the beginning of 2005, releasing a new malicious program every few days. Kaspersky Lab virus analysts have detected two mass mailings of this latest modification, and believe that this latest modification has been spammed in order to maintain the botnets made up of machines infected by Bagle variants.

Bagle.bn arrives as an attachment to infected messages that have a blank subject field and a blank body. The attachment itself is a ZIP file, 19KB in size, which contains an EXE file called 19_04_2005.exe.

Once the user launches the executable file, the worm creates a text file in the Windows temporary directory. The file name begins with a tilde (~) and ends with a .txt extension; the rest of the name consists of randomly generated characters. Bagle.bn uses the default text editor on the infected machine (usually Notepad) to open this file; the user will see the word 'Sorry' displayed on screen.

Bagle extracts a file named winshost.exe from its body, saves it to the Windows system directory and registers it in the system registry. This ensures that the worm will be launched each time Windows is rebooted on the infected machine.

Bagle.bn will prevent antivirus solutions from being run by deleting a number of system registry values. It also terminates processes connected with some antivirus and firewall applications, and overwrites the hosts file to prevent users of infected machines from viewing antivirus websites.

Fortunately, Bagle.bn is unable to self-replicate. However, this does not mean that the author will not use spammer technologies to mass mail additional copies of the worm.
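Checking the hosts file for the kind of tampering described above is a quick triage step on a suspect machine. The following is an added example in Python, not Kaspersky's code: the vendor domain list and the sample hosts file are constructed, and any entry that pins a watched vendor domain to an address it cannot be reached at is reported.

```python
import ipaddress

# Constructed watch list of security-vendor domains; the bulletin names none,
# so extend this with the vendors that matter in your environment.
WATCHED_DOMAINS = {"kaspersky.com", "viruslist.com", "symantec.com", "mcafee.com"}

# Constructed sample modelled on a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com kaspersky.com
0.0.0.0         viruslist.com   # pinned to the unspecified address
10.0.0.7        fileserver.corp.example
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        address, *names = fields
        for name in names:
            yield address, name.lower().rstrip(".")

def is_watched(hostname):
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def find_blocked_vendor_entries(text):
    """Return hosts entries that pin a watched vendor domain to an address the
    site cannot be reached at: loopback, 0.0.0.0, a private range, or garbage.
    A clean hosts file normally mentions no vendor domain at all."""
    hits = []
    for address, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            hits.append((address, name))  # unparsable address: still suspicious
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            hits.append((address, name))
    return hits

if __name__ == "__main__":
    for address, name in find_blocked_vendor_entries(SAMPLE_HOSTS):
        print(f"hosts file blocks {name} via {address}")
```

On a live system, read the text from the platform's hosts file (for example C:\Windows\System32\drivers\etc\hosts on Windows) and pass it to find_blocked_vendor_entries.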
Kaspersky Anti-Virus databases have already been updated with detection for Bagle.bn. You can find more information about this malicious program in the Kaspersky Virus Encyclopaedia:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=79033

**

2. Security Rules

To avert unsanctioned attempts to distribute false or forged email news messages purportedly originating from Kaspersky Labs, please note that real Kaspersky Labs news messages are sent only in plain text format and never include file attachments. If you receive an email that disregards these strict guidelines, please do not open it, but rather forward it to Kaspersky Labs technical support (support@xxxxxxxxxxxxx) so its contents can be examined.

****

Best Regards,
Kaspersky Labs Threats Information Department
-----
10 Geroyev Panfilovtsev St., 125363, Moscow, Russia
Telephone/Facsimile: +7 (095) 797 87 00
WWW: http://www.kaspersky.com
FTP: ftp://ftp.kaspersky.com
Email: webmaster@xxxxxxxxxxxxx

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews; see a sample on my web page: http://www3.telus.net/mikebike
Worm removal: http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages: http://virusinfo.hackfix.org/index