Menu
Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Threat Advisory: McAfee AVERT Raises Risk Assessment to Medium on New W32/Bagle.aq@MM Virus

  • 10 August, 2004 09:14

<p>McAfee AVERT Reports New Bagle Virus In-the-Wild</p>
<p>SYDNEY, August 10, 2004 — McAfee, Inc. the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, raised the risk assessment to Medium on the recently discovered W32/Bagle.aq@MM, also known as Bagle.aq. This new variant is a mass-mailing worm that comes in the form of a ZIP file.</p>
<p>To date, McAfee AVERT has received over 150 reports of the virus since its discovery, being stopped or infecting users from the field—with most of the reports arriving from Brazil, Canada, France, the Netherlands, Taiwan and the United States. The majority of samples received by McAfee AVERT have been from home users versus corporate users.</p>
<p>Threat Overview</p>
<p>Bagle.aq is a mass mailing threat that contains its own SMTP engine to construct outgoing messages. It harvests addresses from local files and then uses the harvested addresses in the ‘From’ field to send itself. This produces a message with a spoofed From address. It contains a remote access component (notification is sent to hacker) and copies itself to folders that have the phrase shar in the name, such as common peer-to-peer applications such as KaZaa, Bearshare and Limewire.</p>
<p>The worm sends out a ZIP file which contains an HTML and EXE file. The EXE file is within a folder in the ZIP file so that when it’s viewed with Explorer (rather than a stand-alone ZIP file handler like WinZip or PKzip) the HTML file and a separate folder is what is visible. The HTML file contains exploit code which, on vulnerable systems, will automatically run the EXE file which is a downloader Trojan. The downloader Trojan then contacts a large number of remote Web sites to retrieve the virus itself. Users should be very wary and should most likely delete any email containing the following:</p>
<p>From : (address is spoofed)</p>
<p>Subject : (blank)</p>
<p>Body Text:</p>
<p>• new price</p>
<p>There is indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body:</p>
<p>• The password is</p>
<p>• Password:</p>
<p>The password will then be contained in an embedded image file.</p>
<p>Attachment: (may be one of the following)</p>
<p>• price.zip</p>
<p>• price2.zip</p>
<p>• price_new.zip</p>
<p>• price_08.zip</p>
<p>• 08_price.zip</p>
<p>• newprice.zip</p>
<p>• new_price.zip</p>
<p>• new__price.zip</p>
<p>The ZIP file contains PRICE.EXE and PRICE.HTML.</p>
<p>Threat Pathology</p>
<p>When the EXE file is run (either manually or automatically by the HTML file), it will copy itself to the Windows System directory as WINDIRECT.EXE. For example:</p>
<p>• C:\WINNT\SYSTEM32\WINdirect.exe</p>
<p>It also drops a DLL file in this directory:</p>
<p>• _dll.exe</p>
<p>The following Registry keys are added to hook system startup:</p>
<p>• HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe</p>
<p>• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe</p>
<p>Once the virus executable is downloaded and run by the downloader Trojan, the virus copies itself into the Windows System directory as WINDLL.EXE. For example:</p>
<p>• C:\WINNT\SYSTEM32\windll.exe</p>
<p>It also creates other files in this directory to perform its functions:</p>
<p>• C:\WINNT\SYSTEM32\windll.exeopen</p>
<p>• C:\WINNT\SYSTEM32\windll.exeopenopen</p>
<p>The following Registry key is added to hook system startup:</p>
<p>• HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"</p>
<p>Additionally, the following Registry keys are added:</p>
<p>• HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ru1n</p>
<p>A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:</p>
<p>• 'D'r'o'p'p'e'd'S'k'y'N'e't'</p>
<p>• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_</p>
<p>• [SkyNet.cz]SystemsMutex</p>
<p>• AdmSkynetJklS003</p>
<p>• ____---&gt;&gt;&gt;&gt;U&lt;&lt;&lt;
</p><p>• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_</p>
<p>The worm opens Port 80 (TCP) and a random UDP port on the victim machine.</p>
<p>System Protection and Cure</p>
<p>More information on Bagle.aq and cure for this worm can be found online at the McAfee AVERT site located at http://vil.nai.com/vil/content/v_127423.htm. McAfee AVERT is advising its customers to update to the 4384 DATs to stay protected from all the current Bagle threats.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield and McAfee Entercept organisations, two research arms that were acquired through the IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About McAfee, Inc.</p>
<p>With headquarters in Santa Clara, Calif., McAfee, Inc. (NYSE: MFE) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. McAfee’s customers span large enterprises, governments, small and medium sized businesses, and consumers. For more information, McAfee, Inc. can be reached on the Internet at http://www.mcafee.com/.</p>
<p># # #</p>
<p>NOTE: McAfee and AVERT are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. *2004 McAfee, Inc. All Rights Reserved.</p>
<p>For further information, please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>Mobile: +61 (0)417 259 054</p>
<p>E-mail: natalie.connor@text100.com.au</p>

Most Popular

Market Place

Computerworld
ARN
Techworld
CMO