AU-2004.0011 -- AusCERT Update - Increased Virus Activity - New Bagle Variant

Date: 10 August 2004
References: AL-2004.037  

AusCERT has observed high levels of e-mail borne virus activity due to a
recent Bagle variant, known to the various anti-virus vendors as Beagle.AO[1],
Bagle.AQ[2,3], Bagle.AC[4], Bagle.AG[5], Bagle.AM[6], and Bagle.AL[7].

Bagle is a mass-mailing virus which masquerades as a variety of mail messages
designed to entice a user to run a malicious attachment. It also spreads
through peer-to-peer (P2P) file sharing programs. Details of the e-mail
message include:

FROM ADDRESS: <forged e-mail address>

SUBJECT: <blank>

MESSAGE BODY: New price

ATTACHMENT NAME:
- 08_price.zip
- new__price.zip
- new_price.zip
- newprice.zip
- price.zip
- price2.zip
- price_08.zip
- price_new.zip

The zip file contains the malicious executable file and an HTML file.
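Added example, not part of the AusCERT bulletin: a mail-gateway check in Python that scores an incoming message against the indicators listed above (blank subject, "New price" body, one of the listed attachment names, and a zip holding an .exe plus an HTML file). The sample message is constructed inline with harmless placeholder bytes, and the quarantine rule (known attachment name plus one corroborating indicator) is an assumption of this example.

```python
import email, io, zipfile
from email.message import EmailMessage

# Attachment names given in the update above.
BAGLE_ATTACHMENTS = {
    "08_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price.zip", "price2.zip", "price_08.zip", "price_new.zip",
}

def zip_has_exe_and_html(data: bytes) -> bool:
    """True if the archive holds an .exe plus an HTML file, as the update describes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith(".exe") for n in names) and any(n.endswith((".htm", ".html")) for n in names)

def matches_bagle_update(raw: bytes) -> dict:
    """Score one raw RFC 2822 message against the indicators listed in the update."""
    msg = email.message_from_bytes(raw)
    hits = {"blank_subject": not (msg.get("Subject") or "").strip(),
            "body_new_price": False, "known_attachment": False, "zip_exe_and_html": False}
    for part in msg.walk():
        fname = part.get_filename()
        if fname is None:
            if part.get_content_type() == "text/plain":
                text = part.get_payload(decode=True).decode(errors="replace")
                hits["body_new_price"] = text.strip().lower() == "new price"
            continue
        if fname.lower() in BAGLE_ATTACHMENTS:
            hits["known_attachment"] = True
            hits["zip_exe_and_html"] = zip_has_exe_and_html(part.get_payload(decode=True))
    # Assumed policy: quarantine on the attachment name plus either corroborating indicator.
    hits["quarantine"] = hits["known_attachment"] and (hits["zip_exe_and_html"] or hits["body_new_price"])
    return hits

def build_sample() -> bytes:
    """Constructed sample shaped like the described message; the .exe content is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.exe", b"placeholder, not a real executable")
        zf.writestr("price.html", b"<html></html>")
    msg = EmailMessage()
    msg["From"] = "forged@example.invalid"  # the real messages carry a forged sender
    msg["To"] = "user@example.invalid"
    msg.set_content("New price")           # no Subject header, i.e. blank
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="new_price.zip")
    return msg.as_bytes()
```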

Upon execution, the worm copies itself to the system's hard drive as a file 
named %System%\WINdirect.exe, where %System% is C:\Windows\System on
Windows 95/98/Me, C:\Winnt\System32 on Windows NT/2000, or
C:\Windows\System32 on Windows XP.

The virus then adds "win_upd.exe=%System%\WINdirect.exe" to the registry keys:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The virus then attempts to download a file into %Windir%\~.exe from one of
several web sites and then subsequently execute it.  The ~.exe process then
creates windll.exe, windll.exeopen, windll.exeopenopen and re_file.exe in the
%System% folder, while adding "erthgdr=%System%\windll.exe" to the registry
key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The virus then attempts to terminate firewall and anti-virus software, and
remove such software from registry locations to prevent them from starting
upon the next reboot.  A backdoor is also opened on port 80 TCP and UDP.

AusCERT recommends upgrading all anti-virus software to use the latest
definition files as soon as they become available. See the anti-virus vendor
links for removal instructions and tools.

Users should remain aware of the danger of opening unsolicited email
attachments.

Administrators of IDS software may wish to investigate using rules such
as those for Snort[8] to detect possible infections.

REFERENCES:

[1] http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ao@mm.html
[2] http://vil.nai.com/vil/content/v_127423.htm
[3] http://www.sophos.com/virusinfo/analyses/w32bagleaq.html
[4] http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC
[5] http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39846
[6] http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=50777
[7] http://www.f-secure.com/v-descs/bagle_al.shtml
[8] http://isc.incidents.org/index.php?isc=0707fb18009969931ee0e6d7a707ca80
[9] http://www.auscert.org.au/4251


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
