W32/Bagle.u@MM

03/29/04 - W32/Bagle.u@MM

This threat has had its risk assessment upgraded to Medium due to increased prevalence.
--

This is a new variant of W32/Bagle@MM. It is packed with FSG.

If you think that you may be infected with Bagle.u, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

Mail Propagation

This variant mass-mails itself to recipients extracted from the victim machine. Addresses are harvested from files with the following extensions:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The mails are formatted as follows:

From: (spoofed - using one of the harvested email addresses)
Subject: (blank)
Body: (blank)
Attachment: randomly named executable, with a .EXE extension
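The message pattern above (blank subject, blank body, one randomly named .EXE attachment) can be turned into a mail-gateway heuristic. The following is an added example, not code from the original alert or from McAfee; it uses Python's standard email library, and the sample messages are constructed, not real captures.

```python
"""Heuristic check for the Bagle.u mail pattern: blank Subject,
blank body and at least one .EXE attachment."""
import email
from email import policy
from email.message import EmailMessage


def matches_bagle_u(raw: bytes) -> bool:
    """Return True when a raw RFC 822 message fits the Bagle.u pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get("Subject") or "").strip():
        return False  # Bagle.u leaves the subject empty
    body_text = ""
    exe_attachments = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if name.endswith(".exe"):
                exe_attachments += 1
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    # Blank body plus at least one .EXE attachment
    return not body_text.strip() and exe_attachments >= 1


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message (not a real capture); the attachment
    payload is just a few placeholder bytes, not a worm binary."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.test"  # forged, as the alert describes
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    print(matches_bagle_u(build_sample("", "", "kq1ac.exe")))       # True
    print(matches_bagle_u(build_sample("Hi", "see attached", "a.pdf")))  # False
```

A match is only a heuristic: legitimate blank mails with an .EXE attachment will also trigger it, so quarantine and review rather than silently drop.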

The worm does not mail itself to addresses containing the following:

@avp.
@microsoft

Remote Access Component

The worm also opens a port on the victim machine - TCP port 4751.

The worm sends notification via HTTP to a remote script (notification contains port number and ID number). Users should block outgoing HTTP traffic to the following domain:

http://www.werde.de

The exact functionality offered by this backdoor is under investigation. It is suspected that it may allow for the downloading and execution of other files (akin to that of W32/Mydoom.a@MM).


More info on this worm:
http://vil.nai.com/vil/content/v_101141.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101141.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
