18 January 2004 10:29
Yellow Level Virus Alert – WORM_BAGLE.A
Trend Micro provides same day protection for WORM_BAGLE.A
Trend Micro, a leading anti-virus and content security company, has declared the new worm WORM_BAGLE.A a Medium Risk (Yellow) Alert as of January 18, 2004, 5:13 PM (US Pacific Time) in order to control the spread of this latest strain of mass-mailing worm.
TrendLabs HQ has received several reports, initially from Australia and the US and subsequently from Europe, that this new memory-resident worm is propagating around the world via email.
An unencrypted executable of 15,872 bytes, WORM_BAGLE.A sends an English-language email message, with a copy of itself attached, to addresses harvested from files with certain extensions.
Within minutes of today’s WORM_BAGLE.A outbreak, Trend Micro issued an Outbreak Prevention Policy (OPP) to all of its Enterprise Protection Strategy (EPS) customers, which was then centrally deployed company-wide, stemming the attack.
Anthony Edwards, Technical Services Manager for Trend Micro Australia said, “As WORM_BAGLE.A is transmitted via .EXE files, only a few Australian companies have been affected since its outbreak.” However, Edwards stated that all Trend Micro customers were protected well in advance of any serious infection occurring.
“While infections resulting from WORM_BAGLE.A are not a threat to mission critical systems, they do act as a timely reminder to all Australian organisations to review their policies and procedures for blocking .EXE files. For more information Trend Micro advises administrators to utilise its www.antivirus.com/vinfo website.”
“Similarly, users should remember to never open an email when they don’t personally know the message sender. Trend Micro’s InterScan Messaging Security Suite, ScanMail or EPS-aligned products, however, will ensure that the user is protected in a timely and effective manner,” said Anthony Edwards.
WORM_BAGLE.A runs on Windows 95, 98, ME, NT, 2000 and XP, may allow remote access to infected systems, and uses the Simple Mail Transfer Protocol (SMTP) to send out an email message with the following details:
Subject: Hi
Message body: Test =)
Test, yep.
Attachment: an .EXE file
Upon execution, this memory-resident worm drops a copy of itself into the Windows system folder under the name BBEAGLE.EXE.
WORM_BAGLE.A creates the following registry entries so that it runs at every system startup:
· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe = "%System%\bbeagle.exe"
· HKEY_USERS\%SystemInfo%\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe = "%System%\bbeagle.exe"
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %SystemInfo% stands for a per-user identifier under HKEY_USERS, such as a Class ID or user name.
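The two Run-key entries above, together with the dropped file name, are the host-side indicators an administrator would check for. The following is an added example, not Trend Micro's code or a tool from this alert: it parses the text produced by a Windows registry export (as written by `reg export`) and flags entries matching the persistence and tracking values this alert lists. The export text, the benign ctfmon.exe entry and the uid/frun data values in the sample are constructed for the example; the alert does not give the real data values.

```python
"""Added example (not Trend Micro's code or a tool from the alert):
triage a Windows registry export (the text written by `reg export`) for the
WORM_BAGLE.A persistence and tracking entries listed in the alert.
The export text below is constructed for this example."""
import re

# Indicators taken from the alert.
BAGLE_RUN_VALUE = "d3dupdate.exe"            # value name under ...\CurrentVersion\Run
BAGLE_DROPPED_FILE = "bbeagle.exe"           # dropped into %System%
BAGLE_TRACKING_VALUES = ("uid", "frun")      # under ...\Software\Windows98
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
TRACKING_KEY_SUFFIX = r"\software\windows98"

# Constructed sample export from a hypothetical infected Windows XP host.
# The ctfmon.exe entry is a legitimate Run value that must not be flagged;
# the uid/frun data values are made up (the alert does not give them).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"d3dupdate.exe"="C:\\WINDOWS\\System32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"uid"="1B7A9F22"
"frun"="1"
"""

_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for each string value line in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = _VALUE_LINE.match(line)
            if m:
                # .reg files double every backslash in string data; undo that.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_bagle_indicators(text):
    """Return (category, key, value_name, value_data) tuples matching the alert's indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(RUN_KEY_SUFFIX) and (n == BAGLE_RUN_VALUE or d.endswith(BAGLE_DROPPED_FILE)):
            hits.append(("persistence", key, name, data))
        elif k.endswith(TRACKING_KEY_SUFFIX) and n in BAGLE_TRACKING_VALUES:
            hits.append(("tracking", key, name, data))
    return hits


if __name__ == "__main__":
    for hit in find_bagle_indicators(SAMPLE_REG_EXPORT):
        print(hit)
```

The Run-key check matches on either the value name or the target file, so a variant that keeps bbeagle.exe but renames the value, or keeps the value name but moves the file, is still caught; the Windows98 key is only a secondary, lower-confidence marker.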
Email Propagation
To propagate via email, this worm searches for, and harvests email addresses from, files with the following extensions:
· WAB
· HTM
· TXT
· HTML
It skips email addresses that contain any of the following strings:
· @hotmail.com
· @microsoft
· @msn.com
· @avp
WORM_BAGLE.A then sends an email message, with a copy of itself attached, to every address gathered. It may also perform port scanning in order to establish a remote connection to the infected system.
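The message details given earlier (Subject "Hi", body "Test =)" / "Test, yep.", an .EXE attachment) are what a mail gateway can match on, and the alert's broader advice is to block .EXE attachments outright. The following is an added example, not Trend Micro's code or any product named in this alert: a gateway-style check that quarantines a message matching the WORM_BAGLE.A indicators and, separately, any other message carrying an .EXE attachment, while delivering a message that has the subject and body but no executable. The sample messages, the attachment file names and the "MZ" stub bytes are constructed for the example and are not the worm's real file name or contents.

```python
"""Added example (not Trend Micro's code or a product from the alert):
a mail-gateway check that quarantines messages matching the WORM_BAGLE.A
indicators (Subject "Hi", body "Test =)" / "Test, yep.", .EXE attachment)
and, as the alert recommends, any other message carrying an .EXE attachment.
Messages and attachment bytes below are constructed for this example."""
import email
from email import policy
from email.message import EmailMessage

BAGLE_SUBJECT = "hi"
BAGLE_BODY_MARKERS = ("test =)", "test, yep.")
BLOCKED_EXTENSIONS = (".exe",)   # the alert's advice; extend per local policy


def build_message(sender, recipient, subject, body, attachment=None):
    """Build a raw RFC 5322 message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def classify(raw):
    """Return 'quarantine:WORM_BAGLE.A', 'quarantine:exe-attachment' or 'deliver'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    has_exe = any(n.lower().endswith(BLOCKED_EXTENSIONS) for n in names)
    subject = str(msg["Subject"] or "").strip().lower()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().lower() if text_part is not None else ""
    # Signature match needs all three indicators; the attachment policy alone
    # catches everything else that carries an executable.
    if has_exe and subject == BAGLE_SUBJECT and any(m in body for m in BAGLE_BODY_MARKERS):
        return "quarantine:WORM_BAGLE.A"
    if has_exe:
        return "quarantine:exe-attachment"
    return "deliver"


# Constructed samples. The attachment names and the "MZ" stub are placeholders,
# not the worm's real file name or bytes.
STUB_EXE = b"MZ" + b"\x00" * 62
BAGLE_LIKE = build_message("a@example.com", "b@example.com", "Hi", "Test =)\nTest, yep.", ("update.exe", STUB_EXE))
OTHER_EXE = build_message("a@example.com", "b@example.com", "Invoice", "See attached.", ("invoice.exe", STUB_EXE))
NO_ATTACHMENT = build_message("a@example.com", "b@example.com", "Hi", "Test =)\nTest, yep.")
PDF_ONLY = build_message("a@example.com", "b@example.com", "Report", "Q4 numbers", ("q4.pdf", b"%PDF-1.4 placeholder"))

if __name__ == "__main__":
    for label, raw in [("bagle-like", BAGLE_LIKE), ("other exe", OTHER_EXE),
                       ("no attachment", NO_ATTACHMENT), ("pdf", PDF_ONLY)]:
        print(label, "->", classify(raw))
```

Matching is case-insensitive on subject, body and file extension, since the worm's text is fixed but mail clients and later variants vary the case; the signature verdict is only returned when all three indicators are present, so an ordinary "Hi" / "Test =)" message without an executable is delivered.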
Other Registry Modification
The worm may also create the following registry entries to keep track of its activities on the system:
· HKEY_USERS\%SystemInfo%\Software\Windows98\Uid =
· HKEY_USERS\%SystemInfo%\Software\Windows98\Frun = %SystemInfo%
Stealth Mechanism
WORM_BAGLE.A disguises itself as the Windows Calculator application: when the attachment is run, it launches the Calculator program so that the user sees an ordinary calculator window while the worm's malicious routines execute in the background.
About Trend Micro
Trend Micro is the world leader in providing centrally controlled server-based virus protection and content-filtering products and services. By protecting information that flows through Internet gateways, email servers and file servers, Trend Micro allows companies and service providers worldwide to stop viruses and other malicious code from a central point before they enter the network. For more information visit www.trendmicro.com
Trend Micro, and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners.