Sunday, July 18, 2004

New Bagle Virus Variant - W32/Bagle.af@MM

What is it?

The 31st variant of the original Bagle virus, W32/Bagle.af@MM is a Medium-On-Watch Risk mass-mailing worm that, like its predecessors, tries to open a backdoor on an infected PC, giving a hacker remote access to the computer.
 
The worm spreads by emailing itself to contacts it steals and by using popular file-sharing applications such as KaZaa, Bearshare and Limewire. W32/Bagle.af@MM also attempts to shut down anti-virus and firewall software running on infected machines.

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected -- the virus often spoofs the "from" address.


What should I look for?

FROM: Varies (spoofed).
SUBJECT: Varies. Examples:
Re: Msg reply, Re: Hello, Re: Yahoo!
BODY: Uses various constructed strings.
ATTACHMENT: Varies. Can be a password-protected zip file, with the password included in the message body (as plaintext or within an image). Examples:
Information, Details, text_document
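
An added example (not McAfee's code and not part of the original alert): a mail-triage heuristic that flags a raw message when it matches the subject and attachment examples listed above or carries a password-protected ZIP. The function names and the sample message are constructed for illustration; because the alert says these fields vary, an empty result does not mean a message is clean.

```python
import email, io, zipfile
from email.message import EmailMessage

# Example indicators copied from the alert; the worm varies both fields.
SUBJECTS = {"re: msg reply", "re: hello", "re: yahoo!"}
ATTACH_STEMS = {"information", "details", "text_document"}

def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a parseable ZIP, so nothing to report

def triage(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the alert's description."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline body parts
        # Assumption: compare the name without its extension, case-insensitively.
        if name.rsplit(".", 1)[0].lower() in ATTACH_STEMS:
            reasons.append("attachment-name")
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zip_is_encrypted(payload):
            reasons.append("encrypted-zip")
    return reasons

def constructed_sample() -> bytes:
    """Constructed, harmless message: listed subject plus a ZIP flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", b"harmless")
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set flag bit 0 in the
    # central directory entry (flags live 8 bytes after the PK\x01\x02 signature).
    data[data.index(b"PK\x01\x02") + 8] |= 0x1
    m = EmailMessage()
    m["Subject"] = "Re: Hello"
    m.set_content("constructed body")
    m.add_attachment(bytes(data), maintype="application", subtype="zip",
                     filename="Details.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```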

 
How do I know if I've been infected?

The virus copies itself into the Windows System directory as sysxp.exe. For example:
C:\WINNT\SYSTEM32\sysxp.exe


Why am I receiving so many alerts?

It's our policy to notify McAfee customers or those who have opted in to receive alerts of new viruses or variants (e.g., W32/Bagle.aa@MM), which often come in waves, especially as virus writers try to "one up" each other.

How do I find out more?

View details about W32/Bagle.af@MM here.