New worm alert: W32.Beagle.AB@mm
Posted on 16-Jul-2004 13:33 | Filed under: News



McAfee through its McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team) has raised the risk assessment to Medium-on-Watch on the recently discovered W32/Bagle.af@MM, also known as Worm_Bagle.af (TrendMicro) or W32.Beagle.AB@mm (Symantec). This new variant is a mass-mailing worm that comes in the form of a password-protected .ZIP file, with the password included in the message body as plain text or within an image.

The Bagle.af worm contains its own SMTP engine to construct outgoing messages. It harvests addresses from local files and then uses the harvested addresses in the 'From' field when sending itself, so the resulting message carries a spoofed From address. The attachment can be a password-protected zip file, with the password included in the message body. It contains a remote access component (a notification is sent to the worm's author) and uses mutex names from variants of W32/Netsky to prevent those W32/Netsky variants from running on infected machines.

After being executed, Bagle.af copies itself into the Windows System directory (C:\WINNT\SYSTEM32\sysxp.exe). The worm also creates sysxp.exeopen and sysexpopenopen in this directory to perform its functions. The following Registry key is added to hook system startup:

-- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"

Bagle.af also copies itself into folders that have the phrase shar in their name, such as the shared folders of common peer-to-peer applications (KaZaa, Bearshare, Limewire, etc.). The worm then emails itself to addresses found on the infected host as a password-protected .ZIP file with the password included in the message body.

According to Symantec, the worm opens a backdoor on TCP port 1080. The email has a variable subject line, and the worm notifies its author by contacting a variety of websites listed in Symantec's bulletin. The worm also stops any processes related to personal firewalls or anti-virus software.
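A host triage script for the indicators quoted in this article, added here as an example; it is not part of the original post or of the McAfee or Symantec bulletins. It works over a constructed snapshot of a host (Run-key values, file paths, listening sockets) rather than reading the live system, so it runs anywhere. The registry path, the value name "key", the dropped file names and TCP port 1080 come from the article; the snapshot data, the function names and the decision to treat an .exe in a "shar" folder as a lead for review rather than a confirmed hit are assumptions of the example.

```python
import re

# Host indicators quoted in the article (McAfee AVERT / Symantec).
DROPPED_FILES = {"sysxp.exe", "sysxp.exeopen", "sysexpopenopen"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BACKDOOR_PORT = 1080  # TCP listener opened by the worm, per Symantec


def _norm(path):
    """Lower-case a Windows path, drop surrounding quotes, split into components."""
    return path.lower().replace("/", "\\").strip('"').split("\\")


def check_run_values(run_values):
    """run_values maps value name -> command string as exported from the HKCU
    Run key. Returns the names of values that launch the dropped executable."""
    hits = []
    for name, cmd in run_values.items():
        # Take the executable part of the command, with or without quotes.
        m = re.match(r'\s*"?([^"]+?\.exe)"?', cmd, re.IGNORECASE)
        if m and _norm(m.group(1))[-1] == "sysxp.exe":
            hits.append(name)
    return hits


def check_file_paths(paths):
    """Classifies file paths from a disk listing. A dropped file in the system
    directory is a strong indicator; an .exe inside a folder whose name contains
    'shar' (the P2P share-folder spread the article describes) is only a lead."""
    findings = []
    for p in paths:
        parts = _norm(p)
        fname, dirs = parts[-1], parts[:-1]
        if fname in DROPPED_FILES and "system32" in dirs:
            findings.append(("dropped_file", p))
        elif fname.endswith(".exe") and any("shar" in d for d in dirs):
            findings.append(("share_folder_exe", p))
    return findings


def check_listeners(sockets):
    """sockets: iterable of (proto, local_port, state) as a netstat-style tool
    would report them. Returns entries matching the advisory's backdoor port."""
    return [s for s in sockets
            if s[0].lower() == "tcp" and s[1] == BACKDOOR_PORT
            and s[2].upper() == "LISTENING"]


def triage(host):
    """host: dict with 'run_values', 'files' and 'sockets'. Returns a list of
    (indicator, detail) tuples; an empty list means none of the article's
    indicators were present in the snapshot."""
    findings = [("run_key_value", n) for n in check_run_values(host["run_values"])]
    findings += check_file_paths(host["files"])
    findings += [("backdoor_listener", f"tcp/{s[1]}")
                 for s in check_listeners(host["sockets"])]
    return findings


# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE_HOST = {
    "run_values": {
        "key": r'"C:\WINNT\SYSTEM32\sysxp.exe"',
        "ctfmon.exe": r"C:\WINNT\System32\ctfmon.exe",
    },
    "files": [
        r"C:\WINNT\SYSTEM32\sysxp.exe",
        r"C:\WINNT\SYSTEM32\sysxp.exeopen",
        r"C:\WINNT\SYSTEM32\sysexpopenopen",
        r"C:\WINNT\SYSTEM32\notepad.exe",
        r"C:\Program Files\KaZaA\My Shared Folder\setup.exe",
    ],
    "sockets": [("TCP", 135, "LISTENING"), ("TCP", 1080, "LISTENING")],
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_HOST):
        print(f"{indicator:18s} {detail}")
```

On a real host the three inputs would come from a registry export of the Run key, a file listing of the system and share directories, and a socket listing; the script only decides which of those lines match the article's indicators, so the "share_folder_exe" leads still need a hash or scanner verdict before being treated as worm copies.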




More information: http://vil.nai.com/vil/content/v_126792.htm...