[ news_security_news ]
Bagle.az Assessed As Medium Threat By McAfee
SecurityProNews
Staff Writer
2004-09-29
 Insider Reports RSS Feed
McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team) placed the risk assessment at Medium on the recently discovered W32/Bagle.az@MM, also known as Bagle.az.
This new variant is a mass-mailing worm that comes in the form of the .EXE attachment, "bawindo.exe." To date, McAfee AVERT has received numerous reports of the virus within a two hour span, being stopped or infecting users from the field-with most of the reports arriving from a variety of country locations due to the spoofing capabilities of this variant.
Threat Overview
Bagle.az is a mass mailing threat that contains its own SMTP engine to construct outgoing messages. Similar to previous variants, it harvests addresses from local files and then uses the harvested addresses in the 'From' field to send itself. This produces a message with a spoofed From address. It contains a remote access component and copies itself to folders that have the phrase 'shar' in the name, such as common peer-to-peer applications, including KaZaa, Bearshare and Limewire.
Users should be very wary and should most likely delete any email containing the following:
From : (address is spoofed)
Subject : (may be one of the following)
-- Re:
-- Re: Hello
-- Re: Thank you!
-- Re: Thanks :)
-- Re: Hi
Body Text:
--:)
--:))
Attachment: (may be one of the following)
-- Price
-- price
-- Joke
Threat Pathology
When the EXE file is run, the virus copies itself into the Windows System directory as BAWINDO.EXE. For example:
C:WINDOWSSYSTEM32bawindo.exe
It also creates other files in this directory to perform its functions:
-- C:WINDOWSSYSTEM32bawindo.exeopen
-- C:WINDOWSSYSTEM32bawindo.exeopenopen
The following Registry key is added to hook system startup:
-- HKEY_CURRENT_USERSoftwareMicrosoftWindows
CurrentVersionRun "bawindo" = "C:WINDOWSSYSTEM32bawindo.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm opens port 81 (TCP) and a random UDP port on the victim machine.
System Protection and Cure
McAfee AVERT is advising its customers to update to the 4395 DATs to stay protected from all the current Bagle threats.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee® IntruShield® and McAfee Entercept organizations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
With headquarters in Santa Clara, Calif., McAfee, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. McAfee's customers span large enterprises, governments, small and medium sized businesses, and consumers.
About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
More news_security_news Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
