Geekzone: technology news, blogs, forums
New worm alert: W32.Beagle.AB@mm
Posted on 16-Jul-2004 13:33 | Filed under: News.



McAfee, through its AVERT (Anti-virus and Vulnerability Emergency Response Team) group, has raised the risk assessment to Medium-on-Watch for the recently discovered W32/Bagle.af@MM, also known as Worm_Bagle.af (TrendMicro) or W32.Beagle.AB@mm (Symantec). This new variant is a mass-mailing worm that arrives as a password-protected .ZIP file, with the password supplied in the message body either as plain text or inside an image.

The Bagle.af worm contains its own SMTP engine to construct outgoing messages. It harvests addresses from local files and then uses the harvested addresses in the 'From' field to send itself, so every message carries a spoofed From address. The attachment can be a password-protected zip file, with the password included in the message body. The worm also contains a remote-access component and notifies its author of each infection, and it uses mutex names taken from W32/Netsky variants to prevent those W32/Netsky variants from running on infected machines.

After being executed, Bagle.af copies itself into the Windows System directory (C:\WINNT\SYSTEM32\sysxp.exe). The worm also creates sysxp.exeopen and sysexpopenopen in this directory to perform its functions. The following Registry key is added to hook system startup:

-- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"
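A host-side check for the persistence indicator above, as an added example and not McAfee's or Symantec's tooling: it parses a regedit `.reg` export of the current user's Run key (or reads the live key through `winreg` when run on Windows) and flags any value that launches sysxp.exe, or a value named "key" that points somewhere else. The value name and path come from the advisory; the sample exports and the `executable_name` helper are constructed for the example.

```python
"""Check the HKCU Run key for the Bagle.af startup entry described in the advisory."""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BAGLE_VALUE_NAME = "key"          # value name used by the worm
BAGLE_IMAGE_NAME = "sysxp.exe"    # dropped into the Windows system directory


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit .reg export into {key_path: {value_name: data}}.
    Only REG_SZ string values are handled; that is all a Run key normally holds."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    value_re = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")\s*=\s*"((?:[^"\\]|\\.)*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if current is None or not m:
            continue
        # .reg files escape backslashes and quotes inside string values
        unescape = lambda s: s.replace('\\\\', '\\').replace('\\"', '"')
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
        keys[current][name] = unescape(m.group(3))
    return keys


def executable_name(command: str) -> str:
    """Return the lower-cased file name of the program a Run value launches,
    handling quoted paths with spaces and trailing arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_bagle_persistence(run_values: Dict[str, str]) -> List[str]:
    """Return findings for Run values matching the published indicator."""
    findings = []
    for name, data in run_values.items():
        if executable_name(data) == BAGLE_IMAGE_NAME:
            findings.append(f'Run value "{name}" launches {data} (Bagle.af image name)')
        elif name.lower() == BAGLE_VALUE_NAME:
            findings.append(f'Run value named "{name}" = {data} (Bagle.af value name, unexpected image)')
    return findings


def scan_reg_export(text: str) -> List[str]:
    """Apply the indicator check to a .reg export (key path compared case-insensitively)."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == RUN_KEY.lower():
            return find_bagle_persistence(values)
    return []


def scan_live_run_key() -> List[str]:
    """On Windows, enumerate the live Run key via winreg; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised when no more values remain
                break
            values[name] = str(data)
            index += 1
    return find_bagle_persistence(values)


# Constructed sample exports: one infected host, one clean host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"key"="C:\\WINNT\\SYSTEM32\\sysxp.exe"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_EXPORT) + scan_live_run_key():
        print(finding)
```

Matching on the executable name rather than the full path keeps the check valid on hosts where the system directory is not `C:\WINNT\SYSTEM32`; the separate match on the value name "key" catches a variant that drops the same entry with a different file name.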

Bagle.af also copies itself to folders that have the phrase shar in the name, such as the shared folders of common peer-to-peer applications (KaZaa, Bearshare, Limewire, etc.). The worm then emails itself to addresses found on the infected host as a password-protected .ZIP file with the password included in the message body.

According to Symantec, the worm opens a backdoor on TCP port 1080. The email has a variable subject, and the worm reports each infection to its author by contacting a number of websites listed in Symantec's bulletin. The worm also terminates processes belonging to personal firewalls and anti-virus software.
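A mail-gateway heuristic for the delivery pattern described above (an encrypted ZIP attachment whose password is handed to the recipient in the body text or in an inline image), as an added example and not McAfee's or Symantec's code. It needs no password: the encryption flag sits in the clear in every ZIP header, so the gateway can tell an encrypted archive from a plain one without opening it. The sample messages, file names and password text are constructed for the example.

```python
"""Flag mail that carries an encrypted ZIP plus a password hint in the body."""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: entry is encrypted
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def encrypted_zip_members(data: bytes) -> List[str]:
    """Names of entries whose header marks them encrypted; [] for non-ZIP data."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def assess_message(raw: bytes) -> Dict[str, object]:
    """Score one message. 'suspicious' is set when an encrypted ZIP is attached
    and the body either mentions a password or carries an inline image."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted: List[str] = []
    password_in_text = False
    inline_image = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or ctype in ZIP_TYPES:
            encrypted += encrypted_zip_members(part.get_payload(decode=True) or b"")
        elif ctype == "text/plain":
            if "password" in part.get_content().lower():
                password_in_text = True
        elif part.get_content_maintype() == "image" and part.get_content_disposition() != "attachment":
            inline_image = True
    return {
        "encrypted_zip": encrypted,
        "password_in_text": password_in_text,
        "inline_image": inline_image,
        "suspicious": bool(encrypted) and (password_in_text or inline_image),
    }


def make_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed test data. With mark_encrypted the header flag is patched to
    claim encryption; the bytes stay unencrypted, which is all the detector reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # flag word: offset 6 in the local header, offset 8 in the central directory entry
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | ENCRYPTED_FLAG
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_sample_message(password_in_text: bool, encrypted_zip: bool,
                         password_image: bool = False) -> bytes:
    """Constructed sample mail modelled on the advisory's description, not a capture."""
    msg = EmailMessage()
    msg["From"] = "harvested-sender@example.invalid"   # spoofed, as the worm does
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: Document"
    if password_in_text:
        msg.set_content("For security the attached archive is protected.\nPassword: 12345")
    else:
        msg.set_content("Please find the attached document.")
    msg.add_attachment(make_zip("document.exe", b"not really encrypted", encrypted_zip),
                       maintype="application", subtype="zip", filename="document.zip")
    if password_image:
        # stands in for a rendered image of the password; content is a stub PNG header
        msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                           disposition="inline")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess_message(build_sample_message(True, True)))
```

Requiring both signals keeps the rule quiet on legitimate encrypted archives sent without a password hint and on ordinary mail that merely mentions passwords; a gateway would typically quarantine the match rather than block on it outright.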




More information: http://vil.nai.com/vil/content/v_126792.htm...
