This new variant of Bagle is beginning to spread, with both Trend and Secunia declaring "Medium Risk".

Bagle.AD - MEDIUM RISK (Secunia/Trend)
http://secunia.com/virus_information/10447/
http://vil.nai.com/vil/content/v_126562.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_BAGLE.AD
http://www.sophos.com/virusinfo/analyses/w32baglead.html

To control the spread of this BAGLE variant, TrendLabs has declared a Medium Risk (YELLOW) alert as of July 5, 2004, 2:40 AM (GMT -07:00; Daylight Saving Time).
This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image).
* contains a remote access component (a notification is sent to the attacker)
* copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
* uses various mutex names that W32/Netsky variants have used, in order to prevent those W32/Netsky variants from running on infected machines
* opens port 1234 (TCP) on the victim machine
From: (address is spoofed)
Subject: (one of the following)
* Re: Msg reply
* Re: Hello
* Re: Yahoo!
* Re: Thank you!
* Re: Thanks
* RE: Text message
* Re: Document
* Incoming message
* Re: Incoming Message
* RE: Incoming Msg
* RE: Message Notify
* Fax Message
* Protected message
* RE: Protected message
* Forum notify
* Site changes
* Re: Hi
* Encrypted document
Body: various message bodies are used, in some cases containing the password for an encrypted attachment (either in plaintext or within an image).
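As an added defender-side example (not code from the advisories quoted above), the following Python triage function checks one raw message for the mail traits listed here: a subject from the list above, a mention of a password in the body, and a .zip attachment whose members carry the encryption flag bit. The sample message and archive are constructed for the demonstration; since Python's zipfile cannot write password-protected archives, the sample sets the encryption flag by hand to stand in for one.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BAGLE_AD_SUBJECTS = {  # subject lines listed in the advisory above
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks", "RE: Text message",
    "Re: Document", "Incoming message", "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify", "Site changes",
    "Re: Hi", "Encrypted document"}

def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the encryption bit (bit 0 of the general-purpose flag) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage_message(raw: bytes) -> dict:
    """Flag the Bagle.AD mail traits from the advisory in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "known_subject": str(msg.get("Subject", "")).strip() in BAGLE_AD_SUBJECTS,
        "password_in_body": "password" in text.lower(),
        "encrypted_zip": any((part.get_filename() or "").lower().endswith(".zip")
                             and zip_is_encrypted(part.get_payload(decode=True))
                             for part in msg.iter_attachments()),
    }

def constructed_encrypted_zip() -> bytes:  # constructed sample: zipfile cannot write encrypted zips, so set the flag by hand
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", "benign placeholder")
    data = bytearray(buf.getvalue())
    data[6] |= 0x1                              # local file header flag bits
    data[data.find(b"PK\x01\x02") + 8] |= 0x1   # central directory flag bits
    return bytes(data)

def constructed_sample() -> bytes:  # constructed message shaped as the advisory describes, not a capture
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"     # advisory: From address is spoofed
    msg["Subject"] = "Protected message"
    msg.set_content("The attached document is protected. Password: 12345")
    msg.add_attachment(constructed_encrypted_zip(), maintype="application",
                       subtype="zip", filename="Document.zip")
    return msg.as_bytes()
```

A message matching all three traits is a strong candidate for quarantine; a single hit (for example only a password mention) is far weaker and should be weighed against the other indicators listed above.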
The following filenames are used:
using one of the following extensions:
* Script dropper - using one of the following file extensions:
* Executable, using one of the following file extensions:
* Executable dropper: CPL file with the .CPL file extension.