Wednesday, March 02, 2005

- A new wave of malware with variants of Bagle
and Mitglieder now threatens users -
Virus Alerts, by Panda Software

MADRID, March 1st, 2005 - In the last few hours, PandaLabs has detected the
appearance of six variants (BN, BO, BP, BQ, BR and BS) of the Bagle email
worm, as well as four variants (BO, BP, BQ and BR) of the Mitglieder Trojan.
Of these, the most active at present are Bagle.BN and Mitglieder.BO.
According to Panda Software's international tech support network, the latter
is causing incidents in users' computers around the globe, and is already
one of the viruses most frequently detected by Panda ActiveScan, the free
online scanner.

Bagle.BN and Mitglieder.BO work hand-in-glove to spread as widely as
possible. Mitglieder.BO reaches computers in an email message, in an
attachment that could have names like price.zip or price2.zip. If a user
runs this file, the Trojan activates and tries to connect to an Internet
address from which it downloads the Bagle.BN worm onto the system. Once
Bagle.BN is installed on a computer, it sends Mitglieder.BO to the addresses
that it finds in a file called EML.EXE, which is also downloaded from the
Internet. To do this the worm uses its own SMTP engine.

In addition, Mitglieder.BO terminates processes belonging to various
antivirus and security programs, and overwrites the Windows 'hosts' file to
prevent users from connecting to certain web pages.
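The hosts-file tampering described above is something an administrator can check for directly, since a Windows hosts file on a clean machine maps only a handful of local names to the loopback address. The following script is an added example written for this page, not code from Panda Software or from the alert; it parses hosts-file text and flags any non-local hostname that has been pinned to loopback or to a sinkhole address such as 0.0.0.0. The sample hosts content and the vendor-style domain names in it are constructed for illustration and are not the entries written by Mitglieder.BO, which the alert does not list.

```python
import ipaddress
from pathlib import Path

# Constructed sample of a Windows hosts file after tampering of the kind the
# alert describes. The hostnames are invented for this example and are not
# taken from the malware.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-antivirus.test
127.0.0.1       www.example-security-vendor.test   # added by malware
0.0.0.0         downloads.example-av.test
192.168.1.10    intranet.corp.test
"""

# Stock path of the hosts file on Windows.
WINDOWS_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Hostnames that legitimately map to loopback on a stock system.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Sinkhole addresses: anything resolving here goes nowhere.
SINKHOLE_ADDRS = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every non-comment hosts line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a resolvable entry
        entries.append((line_no, ip, [h.lower() for h in fields[1:]]))
    return entries


def suspicious_hosts_entries(text, benign=BENIGN_LOOPBACK_NAMES):
    """Flag hostnames pinned to loopback or a sinkhole that are not normally local.

    Redirecting security-vendor or update sites this way is the classic use of
    hosts-file tampering, so each finding is worth a manual look.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip in SINKHOLE_ADDRS):
            continue
        for name in names:
            if name in benign:
                continue
            findings.append({"line": line_no, "ip": str(ip), "host": name})
    return findings


def check_windows_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read the live hosts file (when present) and return its suspicious entries."""
    if not path.exists():
        return []
    return suspicious_hosts_entries(path.read_text(errors="replace"))


if __name__ == "__main__":
    # Run against the constructed sample; swap in check_windows_hosts_file()
    # on a Windows machine to inspect the real file.
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

The check deliberately treats any non-allowlisted loopback or sinkhole mapping as a finding rather than matching a fixed list of vendor domains, since the variants described in the alert were changing hour by hour; extend BENIGN_LOOPBACK_NAMES with any local names your environment legitimately adds.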

"We are up against a similar wave of viruses to the one witnessed in 2004.
It would seem that given the similarities that we have detected in the
source code, the new Bagle and Mitglieder variants are the work of the same
person or of an organized group. In fact, the whole process began with the
massive, manual sending of thousands of emails infected with Mitglieder.BO.
Moreover, in order to confuse both antivirus vendors and users alike, a
large number of variants have been created and circulated in a very short
period of time. For this reason it is possible that new variants of both
malicious codes will continue to appear over the next few hours", explains
Luis Corrons, director of PandaLabs.

As Panda Software's International Tech Support has already detected
incidents caused by the new malicious code, users are advised to take
precautions and keep their antivirus software updated. Panda Software
clients already have the updates available to detect and disinfect the new
malicious code.