April 26, 2004 - Trend Micro issued a "medium risk" alert for WORM_BAGLE.X to alert users of this latest worm variant, which has been sighted in France, UK, Latin America and the U.S. Unlike previous variants that utilized vulnerabilities in Internet Explorer to automatically execute, WORM_BAGLE.X utilizes social engineering, incorporating the domain name of the recipient's email address to appear to be from a colleague. The worm disguises itself as a screensaver or executable, and disables antivirus and security programs once inside the infected system.
WORM_BAGLE.X arrives from the name "Annie", "Christina", "Jessie", or "SecretGurl" using the recipient's domain name, and comes with a .jpg photograph of a young woman embedded in the message. The message uses one of several subject headers, including "Let's socialize, my friend!" or "I'm bored with this life". Attachments bear file extensions such as .COM, .EXE, .SCR, and .ZIP. Once executed, the memory-resident worm drops a copy of itself into the Windows system folder as "Drvsys.exe", and adds itself to the Windows registry keys to automatically run at every startup. This polymorphic worm spreads via email (mass mailing) and network shares.
The worm drops a copy of itself in shared folders, pretending to be illicit programs and downloads, such as "Matrix 3 Revolution", "Microsoft Office 2003 Crack", or "Porno Screensaver". The worm is designed to terminate processes associated with antivirus and security programs to avoid detection.
WORM_BAGLE.X affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following aliases: W32.Bagle.W@MM or W32/Bagle.z@MM.
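The message traits described above (sender name, recipient's own domain, subject line, embedded .jpg, attachment extension) can be combined into a triage check at a mail gateway. The Python below is an added example, not Trend Micro code; the function names, the matching rule and the sample message are constructed for illustration, and the subject list holds only the two subjects quoted in this alert.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Traits quoted in the alert text; its subject list is not exhaustive.
SENDER_NAMES = {"annie", "christina", "jessie", "secretgurl"}
SUBJECTS = {"let's socialize, my friend!", "i'm bored with this life"}
RISKY_EXT = {".com", ".exe", ".scr", ".zip"}

def bagle_x_traits(raw: bytes, recipient: str) -> set:
    """Return the alert traits matched by a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    name, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    # Assumption: the name may appear as display name or as local part.
    if name.strip().lower() in SENDER_NAMES or local.lower() in SENDER_NAMES:
        hits.add("sender_name")
    if domain and domain.lower() == recipient.rpartition("@")[2].lower():
        hits.add("same_domain")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXT:
            hits.add("attachment_ext")
        if ext == ".jpg" or part.get_content_type() == "image/jpeg":
            hits.add("jpeg_image")
    return hits

def is_suspect(hits: set) -> bool:
    # .zip files and same-domain mail are normal on their own, so require a
    # risky attachment together with a sender name or subject from the alert.
    return "attachment_ext" in hits and bool(hits & {"sender_name", "subject"})

def build_sample(sender="Jessie <jessie@example.com>",
                 subject="I'm bored with this life", attach="foto.scr") -> bytes:
    """Constructed test message; attachment bodies are harmless placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "bob@example.com", subject
    m.set_content("hi")
    m.add_attachment(b"placeholder", maintype="image", subtype="jpeg", filename="photo.jpg")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=attach)
    return m.as_bytes()

if __name__ == "__main__":
    print(sorted(bagle_x_traits(build_sample(), "bob@example.com")))
```

Matching on these strings only catches messages that follow the alert's description, so it complements an updated pattern file rather than replacing it.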
Trend Micro customers are protected through the latest pattern file, number 869, or later. Customers of Outbreak Prevention Services should download OPP 107 to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 325 should be downloaded to help with automated restoration of affected systems.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/. For more information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.X.
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: http://www.trendmicro-europe.com
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information, please contact:
Trend Micro
Anna Wright
EMEA PR Manager
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl