Wednesday, July 21, 2004

Panda Software reports about the new worm Bagle.AH

Virus Alerts, by Panda Software (

Madrid, July, 20th, 2004 - PandaLabs has detected the new worm Bagle.AH(W32/Bagle.AH.worm).

This malicious code is designed to spread quickly through e-mail and P2P networks. Here is the information collected by PandaLabs, this new worm is currently causing several incidences for computer users.Bagle.AH spreads by email and sends a message (using its own SMTP engine)with a fake e-mail address.

The message body may contain one of thefollowing words: "Predators", "Lovely animals", "fotoinfo", "The snake" or"Animals".In addition, the message includes an attached file containing the worm code.

The name of the file may be one of the foillowing: Serials.txt.exe Porno Screensaver.scr Microsoft Office 2003 Crack, Working!.exe

In certain instances, this attached file may come compressed via a password protected ZIP file. In case the file with Bagle.AH is executed, the worm searches for e-mail addresses in which to send. Those addreses are gathered via many sources with different file extensions, like ADB, ASP & CFG, among others.

Once this is done, the worm then sends itself to all of the compiled addresses. Apart from e-mail, Bagle.AH also uses P2P file sharing networks to spread.

It makes copies of itself in KaZaA, Limewire & on Morpheus shared folders. Copies are hidden inside files with names suggestive to other users, so that they download them and execute the files.

In addition, Bagle.AH stops different antivirus and security programs inexecution, leaving a computer unprotected against additional an unrelated attacks. Since Panda Software's technical support international network has received several incidences caused by this worm, Panda Software reccomends updating your antivirus solutions as soon as possible.

Panda Software has also provided all of its customers updates to its solutions to detect and disinfect Bagle.AH, so, if you do not have yoursoftware set up for automatic updates, the antivirus can be updated in

All computer users can check and repair their computers against all computervirus threats for free with Panda's free on-line tool Panda ActiveScan, available at the company web site at

For more information about in Bagle.AH in Panda Software's Virusencyclopedia, available at:

Sunday, July 18, 2004

 - Panda Software warns of the dangerous new Bagle.AF worm -  
Virus Alerts, by Panda Software (
Madrid, July 16 2004 - PandaLabs has detected the presence of Bagle.AF, anew and dangerous variant of the well-known Bagle virus. Incidents involvingthis new variant have already been reported.Bagle.AF reaches computers in an email message with highly variablecharacteristics.
The address of the sender is false and the message text, inHTML format, includes messages like "Read the attach", "Your file isattached" or "More info is in attach", among others.
The attached file, which includes the worm's code, may come under many names including "Information", "Details" or "text_document", and could have an.exe .scr, .com, or .cpl extension.
Sometimes, this attachment could arrive in a password protected Zip file. In these cases, the message also includesthe text: "For security reasons attached file is password protected. Thepassword is: XXXXX" (X is a random number).
More details of the messages that Bagle.AF uses are available from PandaSoftware's virus Encyclopedia at
If a user runs the file, the worm will send itself out to all addresses itfinds in files with certain extensions on the computer. To do this, Bagle.AFuses its own SMTP engine.
In addition, Bagle.AF copies itself -under variousnames- to shared directories for P2P programs like Kazaa or Morpheus.
Bagle.AF terminates memory processes belonging to many antivirus andsecurity programs, leaving the computer vulnerable to further attacks.
The worm also tries to connect to several web pages in order to send outinformation about the infected computer.
Finally, Bagle.AF creates a Windowsregistry entry to make sure it runs every time the system is started up.
To prevent incidents involving Bagle.AF, Panda Software advises users totake precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect anddisinfect this new malicious code.
For further information about Bagle.AF and other computer threats, visitPanda Software's Virus Encyclopedia at:
In addition, users can scan their computers online for free with theActiveScan solution, available on the company's web page at:
NOTE: The addresses above may not show up on your screen as single lines.This would prevent you from using the links to access the web pages. If thishappens, just use the 'cut' and 'paste' options to join the pieces of theURL.

New Bagle Virus Variant - W32/

What is it?

The 31st variant of the original Bagle virus, W32/ is a Medium-On-Watch Risk mass-mailing worm that, like its predecessors, tries to open a backdoor on an infected PC, giving a hacker remote access to the computer.
The worm spreads by emailing itself to contacts it steals and by using popular file-sharing applications such as KaZaa, Bearshare and Limewire. W32/ also attempts to shut down anti-virus and firewall software running on infected machines.

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected -- the virus often spoofs the "from" address.

What should I look for?

FROM: Varies (spoofed).
SUBJECT: Varies Examples:
Re: Msg reply, Re: Hello, Re: Yahoo!
BODY: Uses various constructed strings.
ATTACHMENT: Varies. Can be a password-protected zip file, with the password included in the message body (as plaintext or within an image). Examples:
Information, Details, text_document

How do I know if I've been infected?

The virus copies itself into the Windows System directory as sysxp.exe. For example:

Why am I receiving so many alerts?

It's our policy to notify McAfee customers or those who have opted-in to receive alerts of new viruses or variants (e.g., W32/Bagel.aa@MM), which often come in waves, especially as virus writers try to "one up" each other.

How do I find out more?

View details about W32/ here.

New Zone Alarm personal firewall resource added at

Zone Alarm Pro 5 - I've added aa ton of Zone Alarm information and resources to the Net Sense website.

There's 30 pages of tips on how to downlaod and set-up the top-rated personal firewall - Zone Alarm Pro 5.

Check it out if you need personal firewall: Zone Alarm

Hope this helps!

- Weekly report on viruses and intruders -   
Virus Alerts, by Panda Software ( Madrid, July 16, 2004 - This week's report on viruses and intruders willfocus on four malicious code: three worms -Bagle.AF, Atak.A and Korgo.Z-,and the Trojan Xebiz.A.
Bagle.AF uses its own SMTP engine to send itself out via email to all theaddresses it finds in the files with the following extensions on theaffected computer: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML,NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI,MHT, DHTM and JSP.
Bagle.AF ends the processes belonging to security products, such asantivirus protection, and connects to different PHP scripts. This worm also contains code to create a backdoor to open a port and listen in on it.
Today's second worm is Atak.A, which spreads via email in a message with variable characteristics that contains an attachment with a doubleextension. The first is JPG or GIF followed by a random number of blankspaces and the second is EXE.
When Atak.A has infected a computer it looks for email addresses in all thefiles it finds with an ADB or WAB extension, and in files that are smallerthan 81920 bytes in size and have one of the following extensions: ASP, CFG,CGI, DBX, EML, HTM, HTML, JSP, LOG, MBX, MHT, MSG, NCH, ODS, PHP, SHT, TBB,UIN, VBS and XML.
Then, it sends itself out to all the addresses it hasfound using its own SMTP engine.Atak.A creates a mutex to ensure that only one copy of this worm is running.
It also checks if a debugger is enabled on the affected computer and if itis, it ends it.The final worm in this week's report is Korgo.Z, which exploits the WindowsLSASS vulnerability to spread via the Internet and get into computers.
It also affects all Windows platforms, but can only automatically get into computers running Windows XP or 2000 that have not been correctly updated.
The Z variant of Korgo goes memory resident and tries to download files froma series of websites and also sends these websites information about whichcountry the computer is located in. Like the worm mentioned above, Korgo.Zcreates a mutex to prevent two copies of this worm from being run at thesame time.
We are going to finish today's report with Xebiz.A, a Trojan that connectsto a website in order to download a Trojan called Zerolin.A to the affected computer.
What's more, it creates several files and generates severalentries in the Windows Registry to ensure that it is run whenever thecomputer is started up.
Xebiz.A has been mass-mailed in messages with variable characteristics. However, all messages include a form with a button. When the user clicks onthis button, Zerolin.A will be downloaded.
For further information about these and other computer threats, visit PandaSoftware's Virus Encyclopedia at:
Additional information-
Debugger: A tool for reading the source code of programs.
Mutex: Some viruses can use a mutex to control access to resources(examples: programs or even other viruses) and prevent more than one processfrom simultaneously accessing the same resource. 
More definitions of virus and antivirus terminology at:
NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If thishappens, just use the 'cut' and 'paste' options to join the pieces of theURL.