New version of Bagle widely spammed.

Kaspersky Lab has detected Email-Worm.Win32.Bagle.bn. The author of Bagle has been particularly active since the beginning of 2005, releasing a new malicious program every few days. Kaspersky Lab virus analysts have detected two mass mailings of this latest modification, and believe that it has been spammed in order to maintain the botnets made up of machines infected by Bagle variants. Fortunately, Bagle.bn is unable to self-replicate. However, this does not mean that the author will not use spammer technologies to mass mail additional copies of the worm.

Bagle.bn arrives as an attachment to infected messages that have a blank subject field and a blank body. The attachment itself is a ZIP file, 19KB in size, which contains an EXE file called 19_04_2005.exe. Once the user launches the executable file, the worm creates a text file in the Windows temporary directory. The file name begins with a tilde (~) and ends with a .txt extension; the rest of the name consists of randomly generated characters. Bagle.bn uses the default text editor on the infected machine (usually Notepad) to open this file; the user will see the word "Sorry" displayed on screen.

Bagle extracts a file named winshost.exe from its body, saves it to the Windows system directory and registers it in the system registry. This ensures that the worm will be launched each time Windows is rebooted on the infected machine. Bagle.bn will prevent antivirus solutions from being run by deleting a number of system registry values. It also terminates processes connected with some antivirus and firewall applications, and overwrites the hosts file to prevent users of infected machines from viewing antivirus websites.

www.kaspersky.com
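The two host-side artifacts described above, the winshost.exe persistence entry and the overwritten hosts file, are what an incident responder would check for first. The following Python script is an added example (it is not code from Kaspersky Lab or from the article) that triages both from exported data: it parses hosts-file text and flags any watched security-vendor domain redirected to a loopback or blackhole address, and it scans a mapping of registry Run-key values for a command that launches winshost.exe from the system directory. The article does not name the registry key Bagle.bn uses, so the Run key, the value name "winshost", the second vendor domain and all sample data are assumptions constructed for the example.

```python
"""Offline triage helpers for the two Bagle.bn host artifacts described in
the article: a tampered hosts file and a Run-key persistence entry.
Added example; all sample data below is constructed, not captured."""
import re

# Loopback / blackhole targets that a tampered hosts file points blocked
# domains at so the user can no longer reach them.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Security-vendor domains to watch. www.kaspersky.com is named in the
# article; av-vendor.example is a constructed placeholder.
WATCHED_DOMAINS = {"www.kaspersky.com", "av-vendor.example"}

# address, first hostname, optional further aliases
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+(\S+)(?:\s+(.*))?$")


def find_hosts_tampering(hosts_text, watched=WATCHED_DOMAINS):
    """Return (address, hostname) for every uncommented hosts entry that
    maps a watched domain to a loopback/blackhole address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, first, rest = m.group(1), m.group(2), m.group(3) or ""
        for host in [first, *rest.split()]:
            if host.lower() in watched and addr in BLACKHOLE_ADDRS:
                hits.append((addr, host.lower()))
    return hits


def find_winshost_persistence(run_values, system_dir=r"C:\WINDOWS\system32"):
    """run_values maps Run-key value names to their command lines (assumed
    exported from the HKLM/HKCU CurrentVersion Run key). Returns the value
    names whose command launches winshost.exe from the system directory."""
    flagged = []
    for name, cmd in run_values.items():
        exe = cmd.strip().strip('"').lower()
        if exe.endswith("winshost.exe") and exe.startswith(system_dir.lower()):
            flagged.append(name)
    return flagged


# Constructed sample inputs: a hosts file with two redirected vendor domains
# and a legitimate local override, plus two Run-key values.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.kaspersky.com
0.0.0.0   av-vendor.example
127.0.0.1 intranet.example   # legitimate local override
"""

SAMPLE_RUN_VALUES = {
    "winshost": r"C:\WINDOWS\system32\winshost.exe",  # constructed value name
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for addr, host in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"hosts file redirects {host} -> {addr}")
    for name in find_winshost_persistence(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r} launches winshost.exe from the system directory")
```

On a live machine the hosts text would come from %SystemRoot%\system32\drivers\etc\hosts and the Run values from a registry export; the functions take plain strings and dicts so the same logic can be run against collected evidence offline.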