Saturday, January 29, 2005

Rapid propagation of Bagle.BK and Bagle.BL

PandaLabs has detected the appearance of the new worms Bagle.BK and Bagle.BL. Both are designed to spread rapidly via email, in messages that rely on social engineering, and through P2P applications such as KaZaA.

Panda Software's international support network has already begun to register incidents caused by Bagle.BL in countries such as Holland and the USA, and given the worms' characteristics it is likely that the number of affected computers will increase. With this in mind, Panda Software has set the virus alert level at orange.

Bagle.BK and Bagle.BL reach computers in email messages whose sender address is spoofed (so the From field is no guide to where the message really came from) and whose subject is chosen at random from a list of options.

Possible subjects include "Delivery by mail" or "Delivery service mail". The message text may include phrases like "Before use read the help" or "Thanks for use of our software". The attachments, which actually contain the worms, have variable names, but their extension is always COM, CPL, EXE or SCR.

In order to spread via P2P applications like KaZaA or Morpheus, both worms create copies of themselves in the programs' shared folders under names such as ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, among others. The aim is to bait other users into downloading and then running them.
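The indicators above (the lure subjects and body phrases, the COM/CPL/EXE/SCR attachment extensions, and the P2P bait file names) are enough to write a first-pass triage filter. The following Python script is an added example, not Panda Software's code: the indicator strings are taken from the text of this article, while the verdict rules, the helper names and the sample messages are this example's own constructions. It deliberately ignores the sender, since the article says that address is spoofed, and it treats the P2P bait list as partial, since the article says there are other names.

```python
"""Mail and P2P-share triage for the Bagle.BK/BL indicators quoted above.
Added example (not Panda Software code). Indicator strings come from the
article; the scoring rules and the sample messages are constructed here."""
import os
from email import message_from_string
from email.message import EmailMessage

# Indicators quoted in the article (matched case-insensitively).
LURE_SUBJECTS = {"delivery by mail", "delivery service mail"}
LURE_PHRASES = ("before use read the help", "thanks for use of our software")
WORM_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}
# P2P bait names the article lists; the worm uses others too ("among others").
P2P_BAIT_NAMES = {"acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe"}


def _plain_text(msg):
    """Concatenate the decoded text/plain parts of a message, lower-cased."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("latin-1", "replace"))
    return " ".join(chunks).lower()


def _attachment_names(msg):
    """File names of all parts that carry a filename parameter."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage_message(raw):
    """Return (verdict, reasons) for one RFC 822 message given as a string.

    'block'  : an attachment has one of the extensions the article says the
               worm always uses (COM, CPL, EXE, SCR).
    'review' : a lure subject or body phrase matched but no such attachment.
    'clean'  : nothing matched.
    The From header is ignored on purpose: the article says it is spoofed.
    """
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("lure subject: %r" % subject)
    body = _plain_text(msg)
    for phrase in LURE_PHRASES:
        if phrase in body:
            reasons.append("lure phrase: %r" % phrase)
    executable = False
    for name in _attachment_names(msg):
        if os.path.splitext(name)[1].lower() in WORM_EXTENSIONS:
            executable = True
            reasons.append("executable attachment: %s" % name)
    if executable:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "clean", reasons


def scan_shared_folder(filenames):
    """Flag entries of a P2P shared-folder listing (names only, no disk I/O).

    Exact matches against the article's bait names are reported as 'bait';
    any other file with a worm-style extension is reported as 'executable'
    so an operator can look at it, since the bait list is not exhaustive.
    """
    hits = {}
    for name in filenames:
        low = name.lower()
        if low in P2P_BAIT_NAMES:
            hits[name] = "bait"
        elif os.path.splitext(low)[1] in WORM_EXTENSIONS:
            hits[name] = "executable"
    return hits


def _build(subject, body, attach_name=None):
    """Constructed sample message (not a real capture of the worm)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"  # spoofed-style sender, unused
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()


SAMPLE_WORM = _build("Delivery by mail", "Before use read the help", "package.scr")
SAMPLE_LURE_ONLY = _build("Delivery service mail", "Thanks for use of our software")
SAMPLE_CLEAN = _build("Lunch on Friday?", "Same place as last week.", "menu.pdf")

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_LURE_ONLY, SAMPLE_CLEAN):
        print(triage_message(raw))
    print(scan_shared_folder(["Ahead Nero 7.exe", "song.mp3", "setup.exe"]))
```

The extension check is the decisive rule here because the article states the worm's attachment extension is always one of the four; the subject and phrase lists only raise a message for review, since the article gives them as examples rather than a complete set.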

Regardless of how they reach a computer, once a file containing either worm is run, the worm uses its own SMTP engine to send itself to the email addresses it finds in files with certain extensions stored on the computer, so it does not depend on the user's mail client or on an open relay. It avoids sending itself to certain addresses, principally those belonging to IT security software companies.

The most dangerous action taken by both variants of Bagle is the termination of processes in memory belonging to antivirus and security applications, leaving computers defenseless against further attack.

They also create several entries in the Windows registry to ensure they are run every time the system is started up, and delete other entries that may exist as the result of infection by variants of Netsky.

Due to the high likelihood of infection by Bagle.BK and Bagle.BL, Panda Software advises users to take precautions with any email messages they receive, in particular not to open executable attachments, and to update their antivirus software.