AnTiViRuS NewS
August 10
- A new virus, Bagle.AM, menaces the Internet -
Virus Alerts, by Panda Software http://www.pandasoftware.com
MADRID, August 10 2004 - In the last few hours, a new virus has appeared:
Bagle.AM, also known as Bagle.AQ and Bagle.AC. Belonging to the Bagle
family, which appeared in January this year, this new variant has begun to
spread and to infect several users. Due to the high number of incidents,
Panda Software has declared an Orange Alert level for this new threat.
Panda Software customers who already have the new TruPrevent Technologies
have been protected preventively, as these technologies were able to detect
and block this new virus without knowing it beforehand (more information
about the new TruPrevent Technologies is available at
www.pandasoftware.com/truprevent).
Luis Corrons, PandaLabs Director, says: "Bagle.AM is following a large
family of worms which began 7 months ago. It is also using social
engineering, as it tries to cheat users by sending a file with content
referring to prices or passwords. It combines different infection methods.
The number of incidents can grow in the following hours, and this situation
is more dangerous as there are a large number of users in different
countries with free time to enjoy the Internet".
Bagle.AM spreads via e-mail and sends a ZIP file of 6 Kbytes in size which
includes a hidden EXE file and an HTML file with the same name. If a user
executes the HTML file, it will launch the EXE file.
This EXE file copies itself to the system and creates the following
registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run win_upd2.exe = %systemdir%\WINdirect.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run win_upd2.exe = %systemdir%\WINdirect.exe
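A triage check for the two Run entries listed above, as an added example that
is not part of the original alert. It assumes the autorun data was collected
as `reg query` text output; the function name and the sample output are
constructed for illustration.

```python
import re
from ntpath import basename

# Indicators taken from the alert text above.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME = "win_upd2.exe"
DROPPED_FILE = "windirect.exe"

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    win_upd2.exe    REG_SZ    C:\WINDOWS\system32\WINdirect.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Win_Upd2.exe    REG_SZ    "C:\WINDOWS\system32\windirect.exe"
"""

# Value lines are indented: <name>    REG_<type>    <data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def find_bagle_am_autoruns(reg_output):
    """Return (key, value name, data, reason) for Run entries matching the alert."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is a registry key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        name, data = m["name"].strip(), m["data"].strip()
        reasons = []  # value names and Windows paths compare case-insensitively
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        if basename(data.strip('"')).lower() == DROPPED_FILE:
            reasons.append("target file")
        if reasons:
            hits.append((key, name, data, "+".join(reasons)))
    return hits
```

An entry that matches on only one indicator is still returned, with the reason
showing which one matched.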
In addition, Bagle.AM creates and executes a DLL library of 11,776 bytes in
size at %systemdir%\_dll.exe, which stops all processes with the following
names:
FIREWALL.EXE
ATUPDATER.EXE
winxp.exe
sys_xp.exe
sysxp.exe
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
In addition, it will try to download a fake JPG file from several URLs.
This file is actually another EXE file, which includes the rest of the
Bagle.AM worm and which, once executed, will spread via e-mail.
To prevent incidents involving Bagle.AM, Panda Software advises users to
take precautions and update their antivirus software. Panda Software has
made the corresponding updates available to its clients to detect and
disinfect this new malicious code.
Panda Software's customers have upgrades available to install the new
TruPrevent Technologies alongside their current antivirus and protect
themselves preventively against this or other malicious code. For users
with antivirus protection other than Panda's, Panda TruPrevent Personal is
compatible with and complementary to it. It provides a second line of
defense and preventive protection while the antivirus is being updated,
decreasing the risk of being infected. More information about the new
TruPrevent Technologies is available at
www.pandasoftware.com/truprevent .
For further information about Bagle.AM and other computer threats, visit
Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
In addition, users can scan their computers online for free with the
ActiveScan solution, available on the company's web page at:
www.pandasoftware.com
© Copyright 2004 Alan Lim. All Rights
Reserved