
Email-Worm.Win32.Bagle.bz, .ca, .cb, .cc

08.11.05 13:16 GMT   |  comment

Status : moderate risk

Kaspersky Lab has detected four new Bagle variants today: Bagle.bz, Bagle.ca, Bagle.cb and Bagle.cc.

They are all similar, but packed using different packers. Each includes a list of URLs which it periodically checks. Files placed on these sites may be new versions of Bagle, or other malicious programs, which are then downloaded and installed on victim machines.

Preliminary analysis shows that Bagle.cc is functionally similar to Email-Worm.Win32.Bagle.bj. It is incapable of replicating independently and was widely spammed as an attachment to infected messages. Infected messages either have an empty subject and body, or ones containing random text. The attachment is named "to_reduce_the_tax.zip" and is a ZIP file approximately 18KB in size.
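The mail-side indicators above (empty or random subject and body, a ZIP attachment named to_reduce_the_tax.zip) can be turned into a gateway triage rule. The following is an added example for this alert, not Kaspersky's code; the sample message it builds is constructed, and the check for an executable inside the ZIP is an assumption that goes beyond the alert text, which only says the attachment is a ZIP file that launches the worm.

```python
"""Mail-gateway triage for the Bagle.cc lure described in the alert.

Added example, not Kaspersky's code. Indicators taken from the alert:
empty subject and body, ZIP attachment named to_reduce_the_tax.zip.
The executable-inside-ZIP check is an assumption, not from the alert.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_NAME = "to_reduce_the_tax.zip"
# Extensions that Windows will execute when double-clicked (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")


def triage(raw: bytes) -> dict:
    """Return {'quarantine': bool, 'reasons': [...]} for one RFC 5322 message.

    Only attachment-based indicators trigger quarantine; an empty subject
    and body alone is recorded as a supporting reason because plenty of
    legitimate mail looks like that.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    reasons, quarantine = [], False

    subject = (msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part else ""
    if not subject and not body:
        reasons.append("empty subject and body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower() == LURE_NAME:
            reasons.append(f"attachment name matches lure: {name}")
            quarantine = True
        if payload[:2] == b"PK":  # ZIP local-file-header magic
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                members = []
            exes = [m for m in members if m.lower().endswith(EXECUTABLE_SUFFIXES)]
            if exes:
                reasons.append(f"ZIP attachment {name} carries executable: {exes}")
                quarantine = True
    return {"quarantine": quarantine, "reasons": reasons}


def build_sample(lure: bool = True) -> bytes:
    """Constructed test message; with lure=True it mimics the alert's
    description (placeholder bytes, not a real binary), with lure=False it
    is an ordinary report mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:
            zf.writestr("to_reduce_the_tax.exe", b"MZ placeholder, not a real binary")
        else:
            zf.writestr("report.txt", b"Q3 figures attached.")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "" if lure else "Quarterly report"
    msg.set_content("" if lure else "Please find the report attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=LURE_NAME if lure else "report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample(lure=flag)))
```

On a real gateway the size hint from the alert (roughly 18KB) is too fragile to match on, since a repack changes it; the name and the contents of the archive are the stable indicators.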

When launched, the worm will cause the default text editor (usually Notepad) to open and display a blank window.

It creates files named "winshost.exe" and "wiwshost.exe" in the Windows system directory:

%System%\winshost.exe
%System%\wiwshost.exe

It also creates the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%System%\winshost.exe"

The worm deletes the following registry keys to prevent antivirus solutions and firewalls from being launched:

[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\Zone Labs]

It also terminates a range of processes connected with antivirus programs and firewalls.

Bagle.cc modifies %System%\drivers\etc\hosts. After modification, only the following record is left in the file:

127.0.0.1 localhost 
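The file, registry and hosts-file artefacts listed above are the host-side indicators a responder would check for. The following is an added example, not Kaspersky's code: the pure functions take the hosts-file text and Run-key values as arguments so they can be exercised anywhere, and collect_windows() reads the live values on a Windows machine. The sample inputs are constructed; the assumption that %System% is %SystemRoot%\System32 is the example's, not the alert's.

```python
"""Host-side check for the Bagle.cc artefacts listed in the alert.

Added example, not Kaspersky's code. Indicators from the alert: files
winshost.exe / wiwshost.exe in %System%, a Run value named winshost.exe
under HKCU and HKLM, and a hosts file reduced to '127.0.0.1 localhost'.
Assumption: %System% resolves to %SystemRoot%\\System32.
"""
import ntpath
import os
import re
from pathlib import Path

DROPPED_FILES = ("winshost.exe", "wiwshost.exe")
RUN_VALUE_NAME = "winshost.exe"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def hosts_reduced_to_localhost(text: str) -> bool:
    """True when the only active (non-comment) entry is '127.0.0.1 localhost',
    the state the alert describes after Bagle.cc rewrites the file. A fresh
    Windows install can look identical, so this corroborates, it does not prove."""
    active = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    active = [ln for ln in active if ln]
    return len(active) == 1 and re.fullmatch(r"127\.0\.0\.1\s+localhost", active[0]) is not None


def suspicious_run_values(run_values: dict) -> list:
    """Run-key entries whose name or target matches the alert's persistence entry."""
    hits = []
    for name, target in run_values.items():
        exe = ntpath.basename(str(target).strip('"')).lower()
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILES:
            hits.append(f"{name} = {target}")
    return hits


def dropped_files_present(system_dir) -> list:
    """Paths from DROPPED_FILES that exist under system_dir."""
    system_dir = Path(system_dir)
    return [str(system_dir / n) for n in DROPPED_FILES if (system_dir / n).is_file()]


def assess(system_dir, run_values: dict, hosts_text: str) -> list:
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"dropped file present: {p}" for p in dropped_files_present(system_dir)]
    findings += [f"Run persistence: {h}" for h in suspicious_run_values(run_values)]
    if hosts_reduced_to_localhost(hosts_text):
        findings.append("hosts file contains only '127.0.0.1 localhost' "
                        "(consistent with the Bagle.cc rewrite; also a clean default)")
    return findings


def collect_windows() -> dict:
    """Read the live values on Windows (winreg imported here so the module
    still loads on other platforms for testing)."""
    import winreg
    system_dir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    run_values = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    run_values[name] = str(value)
                    index += 1
        except OSError:
            pass
    hosts_text = (system_dir / "drivers" / "etc" / "hosts").read_text(errors="replace")
    return {"system_dir": system_dir, "run_values": run_values, "hosts_text": hosts_text}


# Constructed sample data for offline demonstration.
SAMPLE_RUN_VALUES = {
    "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_HOSTS_INFECTED = "127.0.0.1 localhost \n"
SAMPLE_HOSTS_NORMAL = ("# Copyright (c) 1993-1999 Microsoft Corp.\n"
                       "127.0.0.1 localhost\n10.0.0.5 intranet.example\n")

if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        for finding in assess(**collect_windows()):
            print(finding)
    else:
        for finding in assess("/nonexistent", SAMPLE_RUN_VALUES, SAMPLE_HOSTS_INFECTED):
            print(finding)
```

The alert also lists vendor registry keys the worm deletes; their absence is not checked here because a machine without that product installed looks the same, so that evidence is better read from the product's own logs or from a registry-change audit trail.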

Urgent updates have been released to provide protection against all the new Bagle versions. Users are strongly recommended to download the latest updates.

Related links
Analysis
Malware Evolution: April Roundup
The Bagle botnet
Malware Evolution: October Roundup
Malware Evolution: July Roundup
Malware Evolution: May Roundup
Blog
Meanwhile, on the other side of the galaxy...
An increase in the Bagle activity
Bagle's birthday
No rest for the Bagles - or for the virus analysts
And another Bagle
Alerts
Email-Worm.Win32.Bagle.fy
Email-Worm.Win32.Bagle.fj
Trojan-Downloader.Win32.Bagle.f
Email-Worm.Win32.Bagle.eb
Email-Worm.Win32.Bagle.cx-dw
Copyright © 1996 - 2010
Kaspersky Lab