Wednesday, February 18, 2004

Security Alert: Bagle.B Worm Growing Fast:
"While the last Bagle virus scare turned out to be more hole than actual 'bagel,' this new variant is showing some real substance and is spreading at a rate that has some virus watchers upping Bagle.B-mm's threat level.

W32/Bagle.B-mm, also known as W32/Tanx.A and Beagle.B, is a mass-mailing worm that is spreading at outbreak proportions. Discovered early Tuesday morning, MessageLabs had recorded over 75,000 copies of the virus detected from their customer base by 5 pm, with a peak infection ratio of 1 virus in 16 emails. The virus was classified as a medium threat by most antivirus vendors. Like its predecessor, Bagle.A, it is more performance degrading than destructive, though it sets up a Trojan to listen at a backdoor port, and uses its own SMTP engine to send copies to email addresses it finds on a victim's system.

Bagle.B infected e-mails arrive with spoofed 'From' addresses, often people you know.…"

The worm normally launches the Windows Sound Recorder (sndrec32.exe) when it executes, though according to an analysis by Norman Antivirus (http://www.norman.com/virus_info/w32_bagle_b_mm.shtml), "this will not happen if the worm starts as result of an update process or if it is started from the System directory." Sound Recorder is only a visible indicator of infection, launched to distract the victim, and is not used further (figure 2). More important is what the worm does quietly: it opens and listens on TCP port 8866, a backdoor through which the author can push downloads or commands to the infected machine. According to Symantec's analysis of Bagle.B (http://www.sarc.com/avcenter/venc/data/w32.beagle.b@mm.html), the worm "Sends HTTP GET requests every 10,000 seconds to the following Web sites on TCP port 80":

www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php

Symantec also notes: "The GET request includes the port number that the infected computer is listening on, and the ID number that is saved in the 'gid' key in the Windows registry. Also, by connecting to the web server, the IP address will be sent." In effect, each check-in registers the infected host (its IP address, backdoor port and ID) with the author, so the periodic GET requests to these hosts are a usable sign of infection on a network, independent of antivirus signatures. To propagate, Bagle.B harvests e-mail addresses from text-based files and the Windows Address Book on the victim's PC. The worm creates e-mail messages with copies of itself as randomly named attachments and sends them using its own SMTP engine. Bagle.B will not send to email addresses containing the following strings:

.r1u
@hotmail.com
@msn.com
@microsoft
@avp
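
The check-in behavior described above gives defenders something concrete to look for in web proxy logs. The following is an added example, not code from this post, PC Magazine, Symantec or Norman: it scans constructed proxy log lines for GET requests to the four check-in URLs quoted from Symantec's analysis, pulls out the advertised backdoor port and ID, and checks whether a client's requests recur at the 10,000-second interval. The log line format and the query parameter names (p for the port, id for the gid) are assumptions made for illustration; the page does not specify how the worm encodes them.

```python
"""Flag Bagle.B-style check-in beacons in (constructed) web proxy logs.

Example code added to this post, not from the PC Mag, Symantec or Norman
analyses. The check-in URLs, the backdoor port 8866 and the 10,000-second
period come from the analyses quoted above; the log line format and the
query parameter names (p=<port>, id=<gid>) are assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Check-in URLs quoted from Symantec's Bagle.B analysis, as (host, path).
BEACON_URLS = {
    ("www.strato.de", "/1.php"),
    ("www.strato.de", "/2.php"),
    ("www.47df.de", "/wbboard/1.php"),
    ("www.intern.games-ring.de", "/2.php"),
}
BACKDOOR_PORT = 8866        # port the worm listens on, per the analyses
BEACON_PERIOD = 10_000      # seconds between check-ins, per Symantec
PERIOD_TOLERANCE = 0.05     # accept +/- 5% jitter around the period


def parse_line(line):
    """Parse one constructed log line: '<epoch> <client_ip> <method> <url>'."""
    ts, client, method, url = line.split()
    return int(ts), client, method, url


def is_beacon(method, url):
    """True when the request is a GET over plain HTTP to a known check-in URL."""
    u = urlsplit(url)
    if method != "GET" or u.scheme != "http":
        return False
    if u.port not in (None, 80):      # Symantec: requests go to TCP port 80
        return False
    return (u.hostname, u.path) in BEACON_URLS


def beacon_details(url):
    """Extract the advertised backdoor port and gid (assumed param names p, id)."""
    qs = parse_qs(urlsplit(url).query)
    port = qs.get("p", [None])[0]
    gid = qs.get("id", [None])[0]
    return {"port": int(port) if port and port.isdigit() else None, "gid": gid}


def find_infected_clients(lines):
    """Return {client_ip: summary} for clients whose requests match the beacon."""
    hits = defaultdict(list)
    for line in lines:
        ts, client, method, url = parse_line(line)
        if is_beacon(method, url):
            hits[client].append((ts, beacon_details(url)))

    report = {}
    for client, events in hits.items():
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        # Periodic if every gap between consecutive beacons is ~10,000 s.
        periodic = bool(gaps) and all(
            abs(g - BEACON_PERIOD) <= BEACON_PERIOD * PERIOD_TOLERANCE for g in gaps
        )
        ports = {e[1]["port"] for e in events}
        report[client] = {
            "beacons": len(events),
            "periodic": periodic,
            "advertised_ports": ports,
            "default_backdoor_port": BACKDOOR_PORT in ports,
            "gids": {e[1]["gid"] for e in events},
        }
    return report


# Constructed sample log: 10.0.0.5 beacons on schedule, 10.0.0.9 just browses
# the same hosts (same domains, different paths, so it must not be flagged).
SAMPLE_LOG = [
    "1077100000 10.0.0.5 GET http://www.strato.de/1.php?p=8866&id=1337",
    "1077100042 10.0.0.9 GET http://www.strato.de/index.html",
    "1077110000 10.0.0.5 GET http://www.strato.de/2.php?p=8866&id=1337",
    "1077120000 10.0.0.5 GET http://www.47df.de/wbboard/1.php?p=8866&id=1337",
    "1077120500 10.0.0.9 GET http://www.intern.games-ring.de/forum.php",
    "1077130000 10.0.0.5 GET http://www.intern.games-ring.de/2.php?p=8866&id=1337",
]

if __name__ == "__main__":
    for client, summary in find_infected_clients(SAMPLE_LOG).items():
        print(client, summary)
```

Matching on host and path rather than on the domain alone matters here: the check-in hosts are ordinary German web servers that legitimate users may visit, so only the specific script paths, the regular interval and the port/ID parameters together make a confident indicator. A host that advertises a port other than 8866 still deserves attention, since the listening port is whatever the worm reports, not a fixed value in the request.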

http://www.pcmag.com/print_article/0,3048,a=119435,00.asp