[virusinfo] New variant of Bagle widely spammed

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 21 Apr 2005 08:36:29 -0700


From Kaspersky Virus News, Wednesday, April 20, 2005
******************************************************************

1. New variant of Bagle widely spammed
2. Security Rules

****

1. New variant of Bagle widely spammed

Kaspersky Lab, a leading developer of secure content management
solutions, has detected Email-Worm.Win32.Bagle.bn. The author of Bagle
has been particularly active since the beginning of 2005, releasing a
new malicious program every few days. Kaspersky Lab virus analysts have
detected two mass mailings of this latest modification, and believe that
this latest modification has been spammed in order to maintain the
botnets made up of machines infected by Bagle variants.

Bagle.bn arrives as an attachment to infected messages that have a blank
subject field and a blank body. The attachment itself is a ZIP file,
19KB in size, which contains an EXE file called 19_04_2005.exe.

Once the user launches the executable file, the worm creates a text file
in the Windows temporary directory. The file name begins with a tilde
(~) and ends with a .txt extension; the rest of the name consists of
randomly generated characters. Bagle.bn uses the default text editor on
the infected machine (usually notepad) to open this file - the user will
see the word 'Sorry' displayed on screen.

Bagle extracts a file named winshost.exe from its body, saves it to the
Windows system directory and registers it in the system registry. This
ensures that the worm will be launched each time Windows is rebooted on
the infected machine.

Bagle.bn will prevent antivirus solutions from being run by deleting a
number of system registry values. It also terminates processes connected
with some antivirus and firewall applications, and overwrites the hosts
file to prevent users of infected machines from viewing antivirus
websites.
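The behaviour described above (blank subject and body, a ZIP attachment carrying an .exe, a tilde-prefixed .txt note, and a hosts file edited to block antivirus sites) gives a defender a few concrete things to check. The following Python is an added triage example, not Kaspersky's or Mike's code: it parses a hosts file for non-local names pinned to a loopback address (the bulletin says the hosts file is overwritten but not how, so loopback sinkholing is an assumption here), inspects an e-mail for the described attachment pattern, and matches the dropped-note filename shape. The sample hosts text, message and ZIP contents are constructed placeholders; the attachment name `attachment.zip` and the `.invalid` hostnames are invented for the example, while `19_04_2005.exe` and `www.kaspersky.com` come from the bulletin.

```python
"""Triage helpers for the Bagle.bn indicators in the bulletin (added example)."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Addresses that silently sinkhole a hostname when it is pinned to them.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback on a stock Windows/Unix hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
# Dropped note: a tilde, random characters, then .txt (shape taken from the bulletin).
DROPPED_NOTE = re.compile(r"^~[A-Za-z0-9]+\.txt$", re.IGNORECASE)

# Constructed sample of a tampered hosts file (not captured from a real machine).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       update.example-av.invalid   # placeholder vendor name
"""


def sinkholed_hosts(hosts_text):
    """Return sorted non-local hostnames that the hosts file pins to loopback/null.

    Assumption: the worm blocks antivirus sites by sinkholing them this way."""
    found = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                found.add(name.lower())
    return sorted(found)


def executables_in_zip(data):
    """List member names with executable suffixes inside ZIP bytes; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def is_dropped_note_name(filename):
    """True for names shaped like the worm's temporary note file (~xxxx.txt)."""
    return bool(DROPPED_NOTE.match(filename))


def triage_message(raw):
    """Score a raw RFC 822 message against the described mailing pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    body_text = ""
    zipped_exes = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" or fname:
            payload = part.get_payload(decode=True) or b""
            if fname.endswith(".zip") or part.get_content_type() == "application/zip":
                zipped_exes.extend(executables_in_zip(payload))
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    blank_body = body_text.strip() == ""
    return {
        "blank_subject": subject == "",
        "blank_body": blank_body,
        "zipped_executables": zipped_exes,
        "matches_pattern": subject == "" and blank_body and bool(zipped_exes),
    }


def build_sample_message():
    """Construct a message mimicking the mailing (harmless placeholder bytes, no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("19_04_2005.exe", b"placeholder bytes - not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = ""          # blank subject, as described
    msg.set_content("")          # blank body, as described
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="attachment.zip")   # attachment name is invented
    return msg.as_bytes()


if __name__ == "__main__":
    print("sinkholed:", sinkholed_hosts(SAMPLE_HOSTS))
    print("triage:", triage_message(build_sample_message()))
```

On a real mailbox feed the `triage_message` result is a cheap pre-filter, not a verdict: a blank subject, blank body and an executable inside a ZIP together are the combination the bulletin describes, and each flag is returned separately so a gateway rule can weight them. `sinkholed_hosts` flags any non-local name pinned to loopback, so on hosts with deliberate local overrides it should be compared against a known-good baseline rather than treated as a hit on its own.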

Fortunately, Bagle.bn is unable to self-replicate. However, this does
not mean that the author will not use spammer technologies to mass mail
additional copies of the worm.

Kaspersky Anti-Virus databases have already been updated with detection
for Bagle.bn. You can find more information about this malicious program
in the Kaspersky Virus Encyclopaedia.
(http://www.viruslist.com/en/viruses/encyclopedia?virusid=79033)



**

2. Security Rules

To avert unsanctioned attempts to distribute false or forged email news
messages purportedly originating from Kaspersky Labs, please note that
real Kaspersky Labs news messages are sent only in plain text format and
never include file attachments.

If you receive an email disregarding these strict guidelines, please do not
open it, but rather forward it to Kaspersky Labs technical support
(support@xxxxxxxxxxxxx) so its contents can be examined.


****

Best Regards,

Kaspersky Labs Threats Information Department


-----
10 Geroyev Panfilovtsev St.,
125363, Moscow
Russia
Telephone/Facsimile: +7 (095) 797 87 00
WWW: http://www.kaspersky.com
FTP: ftp://ftp.kaspersky.com
Email: webmaster@xxxxxxxxxxxxx

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member


