Another Bagle Variant



hi team

another Bagle virus is on the loose out there.

it is raging in the south pacific.

but it doesn't mention that in this newsletter.

however, wherever it is, take plenty of precautions.

marty

To read an HTML version of this newsletter, go to:

http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates

2. Return of BAGLE – WORM_BAGLE.AZ (Medium Risk)

3. Top 10 Most Prevalent Global Malware

4. Submit your Spam & Suspicious Files for Analysis

5. Webinar: Protect your Growing Business from Viruses and Malicious Code

NOTE: Long URLs may break into two lines in some mail readers.

Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates

------------------------------------------------------------------------

PATTERN FILE: 2.375.00

http://trendnewsletter.rsc03.net/servlet/c...pgLlQgLlQgFV2VR

SCAN ENGINE: 7.500

http://trendnewsletter.rsc03.net/servlet/c...pgLlQgLlQgFV2VS

2. Return of BAGLE – WORM_BAGLE.AZ (Medium Risk)

------------------------------------------------------------------------

WORM_BAGLE.AZ is another variant in the BAGLE family. This worm arrives as an email attachment, and once executed, it sends copies of itself to all email addresses it gathers from files with certain extensions, and skips those addresses that contain particular strings. The email it sends is spoofed, and may appear to have come from a familiar email address. The worm drops a copy of itself into the Windows system folder, and looks for folders that have the string "shar", then drops copies of itself using file names with .EXE extensions (it assumes that these folders are shared). In addition, this worm displays various icons and terminates several processes, most of which are related to antivirus and security programs. This worm ceases to perform most of its malicious routines on April 25, 2006 or later. It is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, 2000, and XP.

Upon execution, this worm drops a copy of itself using the following file names into the Windows system folder:

sysformat.exe

sysformat.exeopen

sysformat.exeopenopen

It then creates two registry entries. One registry entry allows it to execute at every Windows startup. By adding this entry, it enters an infinite loop in 100-millisecond intervals. As a result, this worm can never be deleted as long as it is in memory. The second registry entry is used to determine how long it has executed on a system. If this registry entry indicates that it is 25 days from its first execution, this worm uninstalls itself from the system. It also uninstalls itself when the system date is April 25, 2006 or later.

It looks for folders that have the string "shar" and drops copies of itself using the following file names:

1.exe

2.exe

3.exe

4.exe

5.scr

6.exe

7.exe

8.exe

9.exe

10.exe

Ahead Nero 7.exe

Windown Longhorn Beta Leak.exe

Opera 8 New!.exe

XXX hardcore images.exe

WinAmp 6 New!.exe

WinAmp 5 Pro Keygen Crack Update.exe

Adobe Photoshop 9 full.exe

Matrix 3 Revolution English Subtitles.exe

ACDSee 9.exe

This worm attempts to propagate via email using its own Simple Mail Transfer Protocol (SMTP) engine. It searches for email addresses with certain extensions.

View the full list of extensions at: http://www.trendmicro.com/vinfo/virusencyc...LE%2EAZ&VSect=T.

It sends email with the following details:

Subject: (any of the following)

Delivery service mail

Delivery by mail

Registration is accepted

Is delivered mail

You are made active

Message body: (any of the following)

Thanks for use of our software.

Before use read the help

Attachments: (any of the following file names)

guupd02

Jol03

siupd02

upd02

viupd02

wsd01

zupd02

(with any of the following extensions)

COM

CPL

EXE

SCR

The worm skips email addresses that contain certain strings. It terminates specific processes, mostly related to antivirus and security programs. It also attempts to connect to, and download files from, certain Web sites. For the complete list of strings, processes and Web sites, visit http://www.trendmicro.com/vinfo/virusencyc...LE%2EAZ&VSect=T.

Several registry entries associated with WORM_NETSKY variants are also deleted, and mutexes are created to prevent NETSKY variants from running on the systems already infected with this BAGLE worm.

This worm opens a port and listens for commands coming from a remote malicious user. It executes these commands on an infected system, providing the remote malicious user virtual control over the system.

If you would like to scan your computer for WORM_BAGLE.AZ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

http://trendnewsletter.rsc03.net/servlet/c...pgLlQgLlQgFV2VT

WORM_BAGLE.AZ is detected and cleaned by Trend Micro pattern file #2.375.00 and above.

For additional information about WORM_BAGLE.AZ please visit:

http://trendnewsletter.rsc03.net/servlet/c...pgLlQgLlQgFV2VU

3. Top 10 Most Prevalent Global Malware

(from January 21 to January 27, 2005)

------------------------------------------------------------------------

1. WORM_NETSKY.P

2. HTML_NETSKY.P

3. JAVA_BYTEVER.A

4. WORM_NETSKY.D

5. SPYW_GATOR.D

6. WORM_NETSKY.B

7. WORM_NETSKY.C

8. DOS_AGOBOT.GEN

9. SPYW_GATOR.C

10. TROJ_ISTBAR.GM

4. Submit your Spam & Suspicious Files for Analysis

------------------------------------------------------------------------

Found a file on your computer, with a strange name, and it's not detected as malware? Tired of getting spam email? Send it to us, for our engineers to analyze.

Submit your spam for analysis:

http://trendnewsletter.rsc03.net/servlet/c...pgLlQgLlQgFV2VW

Submit a suspicious file or undetected virus for analysis:

http://trendnewsletter.rsc03.net/servlet/c...pgLlQgLlQgFV2VY

5. Webinar: Protect your Growing Business from Viruses and Malicious Code

------------------------------------------------------------------------

Please join in on February 8 from 11:00 a.m. - noon (Pacific Time), for a stimulating presentation on how Trend Micro, HP, and Microsoft are working together to address the Small and Medium Business (SMB) Infrastructure and Internet security needs.

Presenters include:

Bala Venkat, Sr. Product Marketing Manager (SMB segment), Trend Micro

Harry Brelsford, Founder, SMB Nation

Marc Semadeni, Global Product Marketing Manager, Hewlett-Packard

During this presentation, you’ll learn about:

-Trend Micro SMB security offerings, and how they can protect your business from threats of viruses, and spam

-The unique Trend Micro SMB value proposition and key competitive differentiators

-Trend Micro SMB programs

-Extending Microsoft Small Business Server 2003 (SBS) with Trend Micro Client/Server/Messaging Suite for SMB (CSM for SMB)

-CSM for SMB features that work nicely with SBS 2003 server

-The turnkey solution – HP ProLiant server with Microsoft SBS 2003 and Trend Micro CSM for SMB as the fastest, easiest, most reliable and least expensive solution on a trusted, industry-standard server platform

Register online at:

https://trendmicro.webex.com/trendmicro/myw...961531197605092

***********************************************************************************

______________________________________________________________________

This message was sent by Trend Micro's Newsletters Editor using Responsys Interact.

To unsubscribe from Trend Micro's Newsletters Editor:

http://trendnewsletter.rsc03.net/servlet/o...RFpgLmDgLmDgSE0

To update your subscription preference, or to change your email address:

http://trendnewsletter.rsc03.net/servlet/w...pkNlyLihkm_U_VB

To view our permission marketing policy:

http://www.rsvp0.net

Copyright 1989-2004 Trend Micro, Inc. All rights reserved

Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

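The email and dropped-file indicators quoted in the newsletter above, turned into a small triage script. This is an added example, not code from Trend Micro or from the poster: the subject lines, body text, attachment names and extensions, and the drop file names are copied from the newsletter text, while the sample messages and the folder layout it scans are constructed here. It checks a raw message's subject, body and attachment names against the listed values, and walks a directory tree for the worm's drop names inside folders whose name contains "shar".

```python
"""Triage helper built from the WORM_BAGLE.AZ indicators in the newsletter.

Added example, not Trend Micro's or the poster's code. The indicator lists
below are copied from the newsletter text; the sample messages and the
directory layout used in the demo are constructed here for illustration.
"""
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path
from typing import Optional

# Email indicators quoted in the newsletter (compared case-insensitively).
BAGLE_SUBJECTS = {
    "delivery service mail", "delivery by mail", "registration is accepted",
    "is delivered mail", "you are made active",
}
BAGLE_BODIES = {"thanks for use of our software.", "before use read the help"}
BAGLE_ATTACH_STEMS = {"guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
BAGLE_ATTACH_EXTS = {".com", ".cpl", ".exe", ".scr"}

# Names the worm drops into folders whose name contains "shar" (lower-cased,
# since Windows file names are case-insensitive).
BAGLE_SHARE_DROPS = {name.lower() for name in (
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
    "9.exe", "10.exe", "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
)}


def bagle_indicators(raw_message: bytes) -> list:
    """Return the newsletter indicators that one raw RFC 822 message matches.

    An empty list means none of the subject, body or attachment indicators
    were present; any hit is reason to quarantine the message for analysis.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in BAGLE_SUBJECTS:
        hits.append(f"subject:{subject}")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body = body_part.get_content().strip().lower()
        if body in BAGLE_BODIES:
            hits.append(f"body:{body}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if stem.lower() in BAGLE_ATTACH_STEMS and ext.lower() in BAGLE_ATTACH_EXTS:
            hits.append(f"attachment:{name}")
    return hits


def bagle_drop_files(root: Path) -> list:
    """Walk root and return POSIX-style paths (relative to root) of files that
    carry one of the worm's drop names and sit in a folder containing "shar"."""
    found = []
    for path in root.rglob("*"):
        if (path.is_file() and "shar" in path.parent.name.lower()
                and path.name.lower() in BAGLE_SHARE_DROPS):
            found.append(path.relative_to(root).as_posix())
    return sorted(found)


def build_sample(subject: str, body: str, attachment_name: Optional[str] = None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "someone.else@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"not a real executable", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


def demo_drop_scan() -> list:
    """Lay out a constructed folder tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Shared Files").mkdir()
        (root / "Shared Files" / "WinAmp 6 New!.exe").write_bytes(b"x")
        (root / "Shared Files" / "notes.txt").write_bytes(b"x")
        (root / "docs").mkdir()
        (root / "docs" / "1.exe").write_bytes(b"x")  # right name, wrong folder
        return bagle_drop_files(root)


if __name__ == "__main__":
    print(bagle_indicators(build_sample("Delivery by mail", "Before use read the help", "upd02.exe")))
    print(bagle_indicators(build_sample("Quarterly report", "See attached", "report.pdf")))
    print(demo_drop_scan())
```

The script only matches the exact strings the newsletter lists, so it is a triage aid for this one variant rather than a general detector; the full indicator lists and the pattern file linked in the newsletter remain the authoritative source.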