WORM_BAGLE.AC
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Bagle.pf (Kaspersky), Infostealer (Symantec), TR/Crypt.Morphine.Gen (Avira), Mal/EncPk-M (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of August 9, 2004, 11:30 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a YELLOW alert to control the spread of this BAGLE variant. Several infection reports indicate that it has been propagating rapidly in the United States.

Unlike earlier BAGLE worms, this particular variant deviates a little from the usual BAGLE propagation routine of directly mass-mailing itself to a list of recipients. Instead, it makes use of a Trojan downloader component and an HTML script component to propagate.

(Note: Trend Micro detects the Trojan and HTML components as TROJ_BAGLE.AC and HTML_BAGLE.AC, respectively.)

Using a built-in SMTP (Simple Mail Transfer Protocol) engine, this worm sends an email with a spoofed sender's name and the message, "new price". The email does not have a subject but has a .ZIP file attachment, which contains the worm's components, as mentioned above.

This worm harvests its target recipients from certain files found in the system, but it noticeably avoids sending email to addresses that contain certain strings.
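The email pattern described above (no Subject, the message text "new price", and a .ZIP attachment carrying an HTML and an executable component) can be turned into a simple mail-gateway heuristic. The following is an added example, not Trend Micro's code; the sample messages, the sender address and the attachment name are constructed for the demonstration.

```python
"""Heuristic flagging of messages matching the WORM_BAGLE.AC mail pattern."""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

SUSPECT_MEMBER_EXTS = {".html", ".htm", ".exe"}  # HTML script + downloader components


def build_sample(subject, body, zip_members):
    """Construct a test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"  # placeholder spoofed sender
    msg["To"] = "recipient@example.net"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    if zip_members is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in zip_members:
                zf.writestr(name, b"placeholder")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="price.zip")  # hypothetical name
    return msg.as_bytes()


def bagle_ac_indicators(raw):
    """Return the list of page-described indicators present in a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == "new price":
        hits.append("body-new-price")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            hits.append("zip-attachment")
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    exts = {n[n.rfind("."):].lower() for n in zf.namelist() if "." in n}
                if exts & SUSPECT_MEMBER_EXTS:
                    hits.append("zip-contains-html-or-exe")
            except zipfile.BadZipFile:
                hits.append("zip-unreadable")  # malformed archives are suspicious too
    return hits


def is_bagle_ac_like(raw):
    """All three mail-level traits must be present to flag the message."""
    return {"empty-subject", "body-new-price", "zip-attachment"} <= set(bagle_ac_indicators(raw))
```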

HTML_BAGLE.AC is specifically designed to trigger the execution of the Trojan downloader component. This HTML script exploits a known security vulnerability affecting Microsoft virtual machine to accomplish its intended task.


TROJ_BAGLE.AC, on the other hand, downloads WORM_BAGLE.AC from one of a long list of Web sites, saves it as a randomly named .EXE file in the Windows folder, and executes it. It also creates an autorun registry entry so that the downloader runs at every system startup; because the downloader in turn launches the worm, this indirectly ensures that the worm runs at every startup as well.

Apart from the email propagation described above, this worm also attempts to propagate via network shares by dropping copies of itself into folders whose names contain the string "shar", on the assumption that such folders are shared on local or peer-to-peer networks.

Staying true to its "bloodline", this BAGLE worm, like most of its predecessors, continues the BAGLE vs. NETSKY war by removing autorun registry entries and mutexes associated with the rival worm.

(Note: A mutex is a mutual-exclusion object that prevents processes from using the same resource at the same time; many worms create a named mutex so that a second copy can detect that one is already running. This worm manipulates the mutexes associated with NETSKY to prevent NETSKY variants from running on infected systems.)

This PeX-compressed worm runs on Windows NT, 2000, and XP.


Description created: Aug. 9, 2004 11:21:20 AM GMT -0800
Description updated: Feb. 25, 2005 11:27:56 PM GMT -0800
