
AV-disabling Bagle variant may take off

Shawna McAlearney, News Editor

A new variant of the Bagle worm that turns off antivirus and personal firewalls is likely to spread rapidly, warn antivirus experts. Organizations that block the .exe, .scr, .com and .cpl extensions significantly reduce their risk of infection from this worm, as well as from many others.

W32/Bagle-AS@mm spreads via e-mail and peer-to-peer networks, forges the sender address and uses variable subject lines. The worm is also called Bagle-AZ (McAfee), Beagle-AR (Symantec), Worm_Bagle-AM (Trend Micro) and I-Worm.Bagle-AX (Virusbuster).

According to TruSecure Corp. in Herndon, Va., Bagle-AS communicates through backdoors on TCP port 81 and UDP port 81. McAfee Inc. in Santa Clara, Calif. said the worm opens TCP port 81 and a random UDP port on the victim machine.

McAfee lists Bagle-AS as a medium-level threat and said it's a mass-mailing threat that contains its own SMTP engine to construct outgoing messages. "Similar to previous variants, it harvests addresses from local files and then uses the harvested addresses in the from field to send itself. It contains a remote access component and copies itself to folders that have the phrase 'shar' in the name, such as common peer-to-peer applications, including KaZaA, Bearshare and Limewire," according to the McAfee advisory. The advisory also said that when the .exe file is run, the worm copies itself into the Windows System directory as Bawindo.exe.
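The three defensive checks the article implies (block the named attachment extensions at the mail gateway, look for a listener on port 81, and look for the dropped file name or executables in "shar" folders) can be scripted for host triage. The following is an added example, not code from the article or from any of the vendors it quotes; the function names are my own, and the netstat output, file paths and attachment names are constructed for the demonstration.

```python
"""Triage helpers for the Bagle-AS indicators described in the article.
Added example: the sample data below is constructed, not captured from a real host."""
from __future__ import annotations

import re
from typing import Iterable

# Extensions the article recommends blocking at the mail gateway.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}

# Host indicators quoted in the article: dropped file name and backdoor port.
DROPPED_FILENAME = "bawindo.exe"
BACKDOOR_PORT = 81

# One line of Windows `netstat -ano` output; UDP lines have no State column.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>\S+)\s+)?(?P<pid>\d+)\s*$"
)


def is_blocked_attachment(filename: str) -> bool:
    """True if the attachment's final extension is on the blocklist.

    Only the last extension counts: 'report.doc.exe' is executable, 'setup.exe.txt'
    is not. Trailing dots and spaces are stripped because Windows drops them when
    creating the file, so 'evil.scr.' would be saved as 'evil.scr'.
    """
    name = filename.lower().rstrip(". ")
    dot = name.rfind(".")
    if dot == -1:
        return False
    return name[dot:] in BLOCKED_EXTENSIONS


def find_backdoor_listeners(netstat_lines: Iterable[str], port: int = BACKDOOR_PORT) -> list[tuple[str, str, int]]:
    """Return (protocol, local address, PID) for every socket bound to `port`."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank or otherwise unparseable line
        local = m.group("local")
        # Local address is host:port; IPv6 uses [addr]:port, so split on the last colon.
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if local_port == port:
            hits.append((m.group("proto"), local, int(m.group("pid"))))
    return hits


def suspicious_paths(paths: Iterable[str]) -> list[str]:
    """Flag the dropped file name, or a blocked-extension file inside a folder whose name contains 'shar'."""
    flagged = []
    for path in paths:
        parts = path.replace("\\", "/").lower().split("/")
        name = parts[-1]
        if name == DROPPED_FILENAME:
            flagged.append(path)
        elif any("shar" in folder for folder in parts[:-1]) and is_blocked_attachment(name):
            flagged.append(path)
    return flagged


# Constructed sample data (192.0.2.0/24 is a documentation range).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.0.2.10:1031        192.0.2.25:80          ESTABLISHED     2216
  UDP    0.0.0.0:4127           *:*                                    1480
""".splitlines()

SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\bawindo.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\setup.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\song.mp3",
    r"C:\Documents and Settings\user\My Documents\report.doc",
]

SAMPLE_ATTACHMENTS = ["photo.jpg", "invoice.doc.exe", "price.cpl", "notes.txt", "EVIL.SCR."]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r}: {'BLOCK' if is_blocked_attachment(name) else 'allow'}")
    print("port-81 listeners:", find_backdoor_listeners(SAMPLE_NETSTAT))
    print("suspicious files:", suspicious_paths(SAMPLE_PATHS))
```

A port-81 listener on its own is only a lead, since legitimate software can bind that port; the file-name and "shar"-folder hits are what tie it to this variant, and both checks are cheap enough to run across a fleet from the same script.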

In an advisory to its clients, TruSecure, soon to be known as Cybertrust, said the timing of the worm's release was of concern. The company cited the lapse of nearly a month since the last variant circulated widely, and noted that the Virus Bulletin conference is taking place this week, possibly giving script kiddies an opportunity to take advantage of the absence of many antivirus experts from their offices.
