Geekzone: technology news, blogs, forums
New worm threat on the internet starts spreading
Posted on 18-Feb-2004 07:58 | Filed under: News
Internet security companies are raising the risk rating of a new worm named Bagle.B because of how quickly it is spreading.

The malware contains its own SMTP engine to construct outgoing messages, collecting email addresses from the victim machine. As usual in the current wave of mass e-mailers, the From: address of messages is spoofed. It's interesting to note that this program contains a remote access component that notifies the hacker when a machine is infected.
The worm will stop replicating from 25th February 2004.

According to security firm McAfee, users are reminded that scanning of compressed files (a default option) is required for detection.

Users can also detect and disinfect this and other malicious code using the free online antivirus Panda ActiveScan.

The antivirus maker also reports that, if the date check is satisfied, the virus executes the standard Windows Sound Recorder (SNDREC32.EXE) application. The virus uses the same icon as this application and copies itself into the Windows system directory as AU.EXE.

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "au.exe" = C:\WINNT\SYSTEM32\AU.EXE

Additionally, the following two Registry keys are added:

HKEY_CURRENT_USER\Software\Windows2000 "frn"
HKEY_CURRENT_USER\Software\Windows2000 "gid"

The virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.WAB
.TXT
.HTM
.HTML

The virus spoofs the sender address by using a harvested address in the From: field, using the following e-mail structure:

From : (address is spoofed)
Subject : ID (string)... thanks
Body :
Yours ID (string2)
--
Thank

The e-mail contains a randomly named attachment of 11,264 bytes with an .EXE file extension.
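The subject, body and attachment characteristics listed above are enough to build a simple mail-gateway check. The following is an added example (not code from the article, McAfee or Panda) that matches an incoming message against those three indicators; the sample message it builds is constructed for illustration, and the attachment name and ID strings are made up.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as described in the advisory
BAGLE_B_ATTACHMENT_SIZE = 11264
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)


def _body_matches(body: str) -> bool:
    """Body is exactly: 'Yours ID <string2>' / '--' / 'Thank' (blank lines ignored)."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return (
        len(lines) == 3
        and lines[0].lower().startswith("yours id ")
        and lines[1] == "--"
        and lines[2].lower() == "thank"
    )


def bagle_b_indicators(msg: EmailMessage) -> list[str]:
    """Return which Bagle.B indicators a message matches, in fixed order."""
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and _body_matches(body_part.get_content()):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe") and len(payload) == BAGLE_B_ATTACHMENT_SIZE:
            hits.append("attachment")
            break
    return hits


def is_bagle_b(msg: EmailMessage) -> bool:
    """Treat the 11,264-byte .EXE plus either the subject or body pattern as a match."""
    hits = bagle_b_indicators(msg)
    return "attachment" in hits and ("subject" in hits or "body" in hits)


def scan_raw_message(raw: bytes) -> bool:
    """Entry point for a gateway that hands over the raw RFC 822 bytes."""
    return is_bagle_b(message_from_bytes(raw, policy=policy.default))


def build_sample(size: int = BAGLE_B_ATTACHMENT_SIZE,
                 subject: str = "ID 83726... thanks") -> EmailMessage:
    """Constructed sample message shaped like the advisory's description."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # constructed; the real From: is spoofed
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Yours ID 19283\n--\nThank\n")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename="kdqlf.exe")  # name made up
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print(bagle_b_indicators(sample), scan_raw_message(sample.as_bytes()))
```

The size check is deliberately exact: a packed worm binary does not vary in length, so a 1-byte difference in a real gateway would point at a different sample, not at Bagle.B.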

A notification is sent to the author(s) via HTTP. A GET request (containing the port number and "id") is sent to a PHP script on remote server(s). Users are advised to block access to the following domains:

http://www.47df.de
http://www.strato.de
http://intern.games-ring.de

This worm is also known by other names: W32.Alua@mm, Win32/Bagle.B.Worm [Computer Associates], Bagle.B [F-Secure], W32/Bagle.b@MM [McAfee], W32/Bagle.B@mm [Norman], WORM_BAGLE.B [Trend Micro], W32/Bagle.B.worm [Panda], W32/Tanx-A [Sophos].


More information: http://us.mcafee.com/virusInfo/default.asp?id...