Tuesday, March 01, 2005

New Bagles spreading actively

5 new Bagles in one night.

The first day of spring brought us five new Bagle variants within a few hours. We detect them as Email-Worm.Win32.Bagle.bb through Email-Worm.Win32.Bagle.bf, and antivirus database updates with protection against all of them are available.

We are analysing the worms in detail and will keep you posted if anything interesting shows up. We suspect that the worms have been seeded via a spam mailing. A full description will be available once the analysis is complete.

Kaspersky Lab has detected several new variants of Email-Worm.Win32.Bagle that are spreading at this time. Our antivirus databases have already been updated. A description of Email-Worm.Win32.Bagle.bb is now available; the other variants are very similar.

Description:
- Email-Worm.Win32.Bagle.bb

Technical Details

This is an email worm that is clearly a member of the Bagle family, except that it is missing a propagation routine. According to our classification system it is still a Bagle: not a fully functional variant, but an intended one.

The file is 34304 bytes in size and encrypted.

Installation

During the first execution Bagle.bb copies itself into the Windows System folder under the name winshost.exe and adds the following key to the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"

The worm then extracts a file (18944 bytes) from itself and saves it in the system directory as wiwshot.exe.
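The installation details above (the winshost.exe Run value, the 34304-byte winshost.exe and the 18944-byte wiwshot.exe in the System folder) are the artefacts a responder would look for on a host. The following is an added example, not Kaspersky's code or part of the original description: a small triage script whose matching logic works on a plain snapshot (a dict of Run values and a dict of file sizes), so it can be run on exported data on any OS, while `collect_live_snapshot()` reads the real registry and System folder on Windows. The Run value data is not given in the description, so the script matches on the value name and on any data that launches winshost.exe; the sample snapshots, `SAMPLE_INFECTED` and `SAMPLE_CLEAN`, are constructed, not captured from a real host.

```python
"""Triage check for the Bagle.bb installation artefacts (added example)."""
import os
import sys

RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# File name -> size in bytes, as given in the Bagle.bb description.
BAGLE_BB_FILES = {"winshost.exe": 34304, "wiwshot.exe": 18944}


def check_run_values(run_values):
    """run_values: dict of value name -> value data from the HKLM Run key.
    Returns a list of finding strings; an empty list means nothing matched."""
    findings = []
    for name, data in run_values.items():
        # The description only names the value "winshost.exe"; its data is
        # not given, so flag the value name and any data launching that file.
        if name.lower() == "winshost.exe" or "winshost.exe" in str(data).lower():
            findings.append(f"Run value {name!r} -> {data!r} references winshost.exe")
    return findings


def check_system_files(system_files):
    """system_files: dict of lower-case file name -> size for the System folder.
    A name match alone is reported; an exact size match is a stronger indicator
    since the sizes are specific to the .bb variant."""
    findings = []
    for fname, expected in BAGLE_BB_FILES.items():
        size = system_files.get(fname)
        if size is None:
            continue
        if size == expected:
            findings.append(f"{fname}: present, size {size} matches Bagle.bb")
        else:
            findings.append(f"{fname}: present, size {size} differs from {expected} "
                            "(another variant or an unrelated file)")
    return findings


def assess(snapshot):
    """snapshot: {"run_values": {...}, "system_files": {...}}.
    Returns (verdict, findings). 'infected' needs the Run value plus both
    dropped files; any partial match is 'suspicious'; otherwise 'clean'."""
    run_hits = check_run_values(snapshot["run_values"])
    file_hits = check_system_files(snapshot["system_files"])
    findings = run_hits + file_hits
    if run_hits and len(file_hits) == len(BAGLE_BB_FILES):
        verdict = "infected"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


def collect_live_snapshot():
    """Read the real HKLM Run key and System folder. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass a snapshot dict instead")
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the value index runs past the end
                break
            run_values[name] = data
            index += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    system_files = {}
    for fname in BAGLE_BB_FILES:
        path = os.path.join(system_dir, fname)
        if os.path.isfile(path):
            system_files[fname] = os.path.getsize(path)
    return {"run_values": run_values, "system_files": system_files}


# Constructed sample snapshots (not captured from a real host). The infected
# one reflects the installation steps in the description plus a benign entry.
SAMPLE_INFECTED = {
    "run_values": {
        "winshost.exe": r"C:\WINDOWS\system32\winshost.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "system_files": {"winshost.exe": 34304, "wiwshot.exe": 18944, "notepad.exe": 69120},
}
SAMPLE_CLEAN = {
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "system_files": {"notepad.exe": 69120},
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    verdict, notes = assess(snap)
    print(verdict)
    for note in notes:
        print(" -", note)
```

The verdict deliberately distinguishes a full match from a partial one: a lone winshost.exe of a different size is worth a look (the other variants released the same night are described as very similar and may well use the same names) but is not proof of this exact variant, and a Run value pointing at the file without the file on disk usually means a cleanup that missed the registry.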
