Tuesday, August 10, 2004

New Virus Bagle.AM causing widespread damage.

- A new virus, Bagle.AM, menaces the Internet -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, August 10, 2004 - In the last few hours a new virus has appeared: Bagle.AM, also known as Bagle.AQ and Bagle.AC. Belonging to the Bagle family, which appeared in January this year, this new variant has begun to spread and has already infected several hundred thousand users.

Due to the high number of incidents, Panda Software has declared an Orange Alert level for this new threat. Panda Software customers who already have the new TruPrevent Technologies have been protected preventively, as these were able to detect and block the new virus without prior knowledge of it (more information about the new TruPrevent Technologies is available at www.pandasoftware.com/truprevent).

Luis Corrons, PandaLabs Director, says: "Bagle.AM follows a large family of worms which began 7 months ago. It also uses social engineering, as it tries to cheat users by sending a file with content referring to prices or passwords.

It combines different infection methods. The number of incidents can grow in the following hours, and this situation is more dangerous as there are a large number of users in different countries with free time to enjoy the Internet."

Bagle.AM spreads via e-mail, sending a 6 KB ZIP file that includes a hidden EXE file and an HTML file with the same name. If a user opens the HTML file, it launches the EXE file. The EXE file copies itself to the system and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run win_upd2.exe = %systemdir%\WINdirect.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run win_upd2.exe = %systemdir%\WINdirect.exe

Bagle.AM also creates and executes an 11,776-byte DLL library at %systemdir%\_dll.exe, which stops all processes with the following names:

FIREWALL.EXE
ATUPDATER.EXE
winxp.exe
sys_xp.exe
sysxp.exe
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE

In addition, it tries to download a fake JPG file from several URLs. This is actually another EXE file containing the rest of the Bagle.AM worm, which, once executed, spreads via e-mail.
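As an added defender-side example (not part of Panda's alert and not Panda code), the following Python script turns the behaviour described above into four offline checks: the attachment heuristic (a ZIP carrying an HTML file and an EXE with the same basename), the persistence check over a "reg export"-style text dump of the two Run keys, a %systemdir% listing check for the dropped files, and the disguised-download check (a file named like a JPG whose first bytes are the PE "MZ" signature). The Run value name win_upd2.exe, the target WINdirect.exe and the dropped _dll.exe come from the alert text; the sample ZIP contents, the sample registry export (including the benign "ExampleBenignApp" entry), the sample directory listing and all function names are constructed for this example.

```python
"""Offline checks for the Bagle.AM indicators quoted in the alert (added example)."""
import io
import zipfile
from pathlib import PureWindowsPath

# Indicators taken from the alert text: the Run value, its target, the dropped DLL.
RUN_VALUE_NAME = "win_upd2.exe"
RUN_TARGET_BASENAME = "windirect.exe"
DROPPED_DLL_BASENAME = "_dll.exe"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}


def suspicious_zip_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (html, exe) pairs where the archive holds an HTML file and an EXE
    sharing one basename, the attachment layout the alert describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    by_stem: dict[str, dict[str, str]] = {}
    for name in names:
        p = PureWindowsPath(name)
        by_stem.setdefault(p.stem.lower(), {})[p.suffix.lower()] = name
    pairs = []
    for exts in by_stem.values():
        html = exts.get(".html") or exts.get(".htm")
        exe = exts.get(".exe")
        if html and exe:
            pairs.append((html, exe))
    return sorted(pairs)


def find_bagle_run_entries(reg_export: str) -> list[tuple[str, str, str]]:
    """Scan a 'reg export' style text dump and return (key, value name, target)
    for Run values that match the alert's persistence entry."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        if not line.startswith('"') or "=" not in line:
            continue  # default value ('@=') or a non-data line
        name, _, value = line.partition("=")
        name = name.strip('"')
        # .reg files double every backslash inside REG_SZ data
        value = value.strip().strip('"').replace("\\\\", "\\")
        target = PureWindowsPath(value).name.lower()
        if name.lower() == RUN_VALUE_NAME or target == RUN_TARGET_BASENAME:
            hits.append((current_key, name, value))
    return hits


def suspicious_system_files(listing: list[str]) -> list[str]:
    """Return paths from a %systemdir% listing whose file name matches a dropped file."""
    wanted = {RUN_TARGET_BASENAME, DROPPED_DLL_BASENAME}
    return [p for p in listing if PureWindowsPath(p).name.lower() in wanted]


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like an image begins with the PE 'MZ' signature,
    i.e. the 'fake JPG' download the alert describes."""
    image_exts = {".jpg", ".jpeg", ".gif", ".png"}
    return PureWindowsPath(filename).suffix.lower() in image_exts and data[:2] == b"MZ"


# --- constructed samples (not captured data) ---------------------------------
def build_sample_zip() -> bytes:
    """Build an in-memory ZIP with the HTML+EXE same-name layout; the EXE is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.html", "<html><body>constructed placeholder</body></html>")
        zf.writestr("price.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"
"ExampleBenignApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"
"""

SAMPLE_SYSTEM_LISTING = [
    r"C:\WINDOWS\system32\_dll.exe",
    r"C:\WINDOWS\system32\WINdirect.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    print("zip pairs:", suspicious_zip_members(build_sample_zip()))
    for key, name, target in find_bagle_run_entries(SAMPLE_REG_EXPORT):
        print(f"persistence: [{key}] {name} = {target}")
    print("dropped files:", suspicious_system_files(SAMPLE_SYSTEM_LISTING))
    print("fake jpg:", is_disguised_executable("photo.jpg", b"MZ\x90\x00"))
```

The ZIP check is the one a mail gateway would apply before delivery, since it needs no signature for the EXE itself; the registry and directory checks work on artefacts an administrator can export from a suspect machine without running anything on it, which is why they take text and path lists rather than touching the live registry.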

To prevent incidents involving Bagle.AM, Panda Software advises users to take precautions and update their antivirus software.

Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Panda Software customers have the upgrades available to install the new TruPrevent Technologies alongside their current antivirus and protect themselves preventively against this and other malicious code.

For users with antivirus protection from a vendor other than Panda, Panda TruPrevent Personal is compatible with and complementary to it. It provides a second line of defense and preventive protection while the antivirus is being updated, decreasing the risk of infection.

More information about the new TruPrevent Technologies is available at www.pandasoftware.com/truprevent.

For further information about Bagle.AM and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

In addition, users can scan their computers online for free with the ActiveScan solution, available on the company's web page at: http://www.pandasoftware.com