Thursday, July 22, 2004

Bagle.ag and Bagle.ai - ZDNet: Reviews

Double trouble as these latest versions of Bagle spread quickly:
"The most recent variations of the Bagle worm family appear to be based on code similar to the Bagle.af variation. Bagle.ag (w32.bagle.ag@mm, also known as Beagle.ac and Bagle.ah) and Bagle.ai (w32.bagle.ai@mm, also known as Bagle.ae, Beagle.ag, and Bagle.ah) are mass-mailing worms that vary in length and are packed with the UPX file compressor. They use various subject lines and attached files to spread via e-mail. They also attempt to spread via shared network files. They both try to terminate security apps that may be running on the infected machine and install a backdoor Trojan horse. Additionally, Bagle.ai will attempt to terminate any Netsky virus that may be running on the infected machine. This worm does not affect Linux, Unix, or Mac OS systems. Because Bagle.ag and Bagle.ai spread via e-mail and open a backdoor Trojan, they rate a 6 on the CNET/ZDNet Virus Meter."

How it works
Both versions of Bagle use different sets of subject and body texts and contain their own SMTP engine to send copies of themselves. They also harvest e-mail addresses from infected machines, spoof the e-mail sender's address, and password-protect the attached file. These worms contain a remote access Trojan horse, copy themselves to folders whose names contain the string "shar", and will attempt to terminate security programs and other computer viruses and worms.

Additionally, Bagle.ai will use mutex names already used by Netsky in order to prevent further Netsky infections. Bagle.ai will also delete the registry entries for security apps and other viruses such as Netsky.

Bagle.ag creates the following in the Win/System32 folder:

sys_xp.exe
sys_xp.exeopen
sys_xp.exeopenopen

Bagle.ai creates the following in the Win/System32 folder:

WinXP.exe
WinXP.exeopen
WinXP.exeopenopen
WinXP.exeopenopenopen
WinXP.exeopenopenopenopen

Bagle.ag opens TCP port 1080 while Bagle.ai opens ports 1080 (TCP) and 1040 (UDP).
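As an added example (not part of the ZDNet write-up or this post), a Python check that flags the dropped-file names and backdoor ports described above, first in a System32 directory listing and then in `netstat -an` style output; the directory entries and netstat lines are constructed sample input.

```python
import re

# Dropped-file pattern from the post: base name "sys_xp.exe" (Bagle.ag) or
# "WinXP.exe" (Bagle.ai) plus zero or more "open" suffixes; Windows names are
# case-insensitive, so the match is too.
DROPPED_FILE_RE = re.compile(r"^(?P<base>sys_xp|winxp)\.exe(?:open)*$", re.IGNORECASE)
VARIANT_BY_BASE = {"sys_xp": "Bagle.ag", "winxp": "Bagle.ai"}
# Backdoor listening ports the post attributes to each variant: (proto, port).
VARIANT_PORTS = {("TCP", 1080): ["Bagle.ag", "Bagle.ai"], ("UDP", 1040): ["Bagle.ai"]}


def classify_dropped_files(entries):
    """Map variant name -> matching file names found among System32 entries."""
    hits = {}
    for name in entries:
        m = DROPPED_FILE_RE.match(name)
        if m:
            hits.setdefault(VARIANT_BY_BASE[m.group("base").lower()], []).append(name)
    return hits


def suspicious_listeners(netstat_lines):
    """Return (proto, port, variants) for 'netstat -an' style lines bound to a
    backdoor port. Only TCP sockets in LISTENING state count; UDP has no state."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue  # header line or unrelated protocol
        try:
            port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if parts[0] == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # an established/outbound TCP socket is not the listener
        variants = VARIANT_PORTS.get((parts[0], port))
        if variants:
            found.append((parts[0], port, variants))
    return found


# Constructed sample input (not real telemetry) so the script runs stand-alone.
SAMPLE_DIR = ["kernel32.dll", "WinXP.exe", "winxp.exeopenopen", "sys_xp.exeopen", "notepad.exe"]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1080       10.0.0.9:445           ESTABLISHED",
    "  UDP    0.0.0.0:1040           *:*",
]

if __name__ == "__main__":
    print(classify_dropped_files(SAMPLE_DIR), suspicious_listeners(SAMPLE_NETSTAT))
```

A file-name hit alone is only a lead, since any process could create a file with these names; a hit together with an unexpected listener on 1080/TCP or 1040/UDP is what warrants pulling the host for analysis.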

http://reviews-zdnet.com.com/4520-6600_16-5144521.html
