Panda Software News: ORANGE ALERT Panda Software warns of the rapid propagation of Bagle.BK and Bagl
Added: (Fri Jan 28 2005)
ALERT LEVEL – ORANGE
Panda Software warns of the rapid propagation of Bagle.BK and Bagle.BL
- These two worms are designed to spread rapidly via email and P2P applications.
- Incidents have already been reported involving Bagle.BL, and it is likely, given the characteristics, that the number of computers affected by the worms will start to increase.
- The new TruPrevent Technologies, which combat unknown viruses and intruders, detect and block the worms without having previously identified them.
CAMBRIDGE, January 28 2005
PandaLabs has detected the appearance of the new worms Bagle.BK and Bagle.BL. Both are designed to spread rapidly via email, in messages that rely on social engineering, and through P2P applications such as KaZaA. Panda Software’s international support network has already begun to register incidents caused by Bagle.BL in countries such as Holland and the USA, and it is likely, given the worms’ characteristics, that the number of affected computers will start to increase. With this in mind, Panda Software has set the virus alert level at orange.
Panda Software clients that already have TruPrevent Technologies to combat unknown viruses have had preventive protection against Bagle.BK and Bagle.BL from the moment the worms first appeared, as these technologies can detect and block them without having previously identified them (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).
Bagle.BK and Bagle.BL reach computers in email messages with spoofed sender addresses and with subject fields chosen at random from a list of options. Possible subjects include: “Delivery by mail” or “Delivery service mail”. The message text may include phrases like: “Before use read the help” or “Thanks for use of our software”. The message attachments, which actually contain the worms, have variable names, although their extension is always COM, CPL, EXE or SCR.
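As an added example (not Panda Software’s code), the message characteristics listed above can be turned into a mail-gateway triage rule: the two lure subjects, the two body phrases and the COM/CPL/EXE/SCR attachment extensions are matched, and a message carrying both lure text and an executable attachment is quarantined. The sample messages are constructed inline; the sender and recipient addresses are placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Lure strings and attachment extensions quoted in the alert above.
LURE_SUBJECTS = {"delivery by mail", "delivery service mail"}
LURE_PHRASES = ("before use read the help", "thanks for use of our software")
RISKY_EXTS = {".com", ".cpl", ".exe", ".scr"}


def triage(raw):
    """Return (verdict, reasons) for one raw RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches Bagle lure: %r" % subject)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append("body contains Bagle lure phrase: %r" % phrase)
    # Collect attachment names whose extension is one the worms use.
    risky = sorted(
        name for name in (part.get_filename() for part in msg.walk())
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTS
    )
    if risky:
        reasons.append("executable attachment(s): %s" % ", ".join(risky))
    if risky and len(reasons) > 1:   # lure text plus executable payload
        return "quarantine", reasons
    if risky:                        # executable alone: hold for review
        return "review", reasons
    return "allow", reasons


def build_sample(subject, text, attachment_name=None):
    """Constructed test message (placeholder addresses, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(text)
    if attachment_name:
        m.add_attachment(b"MZ...", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


LURE_MAIL = build_sample("Delivery by mail", "Before use read the help", "document.scr")
CLEAN_MAIL = build_sample("Lunch on Friday?", "See you at noon.")
```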
Full information on the characteristics of the messages in which Bagle.BK and Bagle.BL are spread is available in Panda Software’s Virus Encyclopaedia.
In order to spread via P2P applications like KaZaA or Morpheus, both worms create, in the programs’ shared folders, copies of themselves with names such as ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, among others. This is to bait other users into downloading them and then executing them.
Regardless of how they reach computers, when a file containing either of the worms is run, they use their own SMTP engine to send themselves to the email addresses they find in files with certain extensions stored on the computer. Nevertheless, they avoid sending themselves out to certain addresses, principally those related to IT security software companies.
The most dangerous action that both variants of Bagle take is the termination of processes in memory related to antivirus and security applications, leaving computers defenceless against further attack.
They also make several entries in the Windows registry to ensure they are run every time the system is started up and delete others that could exist as the result of infection by variants of Netsky.
Due to the high possibility of being infected by Bagle.BK and Bagle.BL, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect these new malicious codes.
Panda Software clients who already have the new TruPrevent Technologies installed along with their antivirus have been protected since the worms first emerged, as these preventive technologies have been able to detect and block them without needing to be able to identify them first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).
Users can also scan and disinfect their computers using Panda ActiveScan, the free, online scanner available from: www.pandasoftware.com
More information about Bagle.BK and Bagle.BL is available from Panda Software’s Virus Encyclopaedia.
About Panda Software's virus laboratory
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analysed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/
Andy Mckewan
amckewan@pandasoftware.co.uk
(0)870 444 5640