April 28, 2004 - Trend Micro issued a "medium risk" alert for WORM_BAGLE.Z to warn users of this latest BAGLE worm variant, which has been sighted in Europe and the U.S. Similar to its predecessor WORM_BAGLE.X, which used social engineering techniques to trick users into opening attachments, WORM_BAGLE.Z combines recent features with a variation on a previous ploy, disguising itself as a password-protected document or reply notification. This mass-mailer continues to use its own SMTP engine to propagate, harvests email addresses from victims' machines, and uses network shares to spread. The worm also targets several notable German web sites, including www.speigel.de and www.heise.de (media web sites), museum web sites such as www.deutsches-museum.de, and even the official German national web site www.deutschland.de. It should also be noted that some of the German web sites listed actually click through to Russian text, for example http://www.tekeli.de/ (for a comprehensive list of the web sites in question, please see http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_BAGLE.Z).
Raimund Genes, President of European Operations, Trend Micro, says, "Motives for such action are not entirely clear. It is possible that the writers of this worm are trying to create a denial-of-service attack on these web sites. It is also possible that one of the URLs in question is the real infection counter, whilst the others are listed simply to disguise this source of infection. Alternatively this method could have been created as a means of reporting the infected systems to the virus creator through special scripts."
WORM_BAGLE.Z arrives with a message subject header like "Protected message" or "RE: Msg reply". The message body includes a .jpg file that is supposed to contain a password required for viewing an attachment, which comes with names like "Alive_condom", "Loves_money", or "MoreInfo". The attachment actually includes a memory-resident worm that drops a copy of itself into Windows (as DRVDDLL.exe) and adds itself to Windows registry keys to execute at every system restart.
As well as directing infected systems to the various German web sites listed above, WORM_BAGLE.Z deletes registry key entries that would automatically launch NETSKY variants, again suggesting the rivalry between these two viruses. WORM_BAGLE.Z, like previous variants, is designed to terminate processes associated with antivirus and security programs to avoid detection.
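The email lure described above, turned into a mail-gateway triage check as an added example (this is not Trend Micro's code): it parses one message, looks for the advisory's subject lines, the inline "password" picture and the named attachment, and quarantines when two or more of those indicators coincide. The sample messages are constructed, and the list of carrier file extensions is an assumption rather than something the advisory states.

```python
"""Mail-gateway heuristic for the WORM_BAGLE.Z lure layout."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the advisory text: subject lines and attachment base names.
LURE_SUBJECTS = {"protected message", "re: msg reply"}
LURE_NAMES = {"alive_condom", "loves_money", "moreinfo"}
# Assumption: carrier types a mass-mailer attachment would plausibly use.
RISKY_EXTS = {".zip", ".exe", ".scr", ".pif", ".com"}


def bagle_z_score(raw: bytes) -> dict:
    """Return which lure indicators one RFC 822 message shows, plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["Subject"] or "").strip().lower()
    hits = {"subject": subject in LURE_SUBJECTS,
            "password_image": False,
            "lure_attachment": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        # The "password" for the attachment is delivered as an inline picture,
        # so the text body itself carries nothing a keyword filter can catch.
        if ctype == "image/jpeg" and part.get_content_disposition() != "attachment":
            hits["password_image"] = True
        stem, dot, ext = name.rpartition(".")
        if dot and stem in LURE_NAMES and "." + ext in RISKY_EXTS:
            hits["lure_attachment"] = True
    # A single indicator is weak on its own; two or more together match the lure.
    hits["verdict"] = "quarantine" if sum(hits.values()) >= 2 else "allow"
    return hits


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Constructed sample message mimicking the lure layout (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("The password for the attached file is shown in the picture.")
    # Inline picture (fake JPEG header bytes), as the lure delivers the password.
    msg.add_related(b"\xff\xd8\xff\xe0FAKEJPEG", maintype="image", subtype="jpeg", cid="<pw>")
    # Archive attachment (fake ZIP header bytes) carrying the supposed document.
    msg.add_attachment(b"PK\x03\x04FAKEZIP", maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()
```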
WORM_BAGLE.Z affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following aliases: W32.Bagle.X@MM or W32/Bagle.aa@MM.
Trend Micro customers are protected through the latest pattern file (number 877 or later). Customers of Outbreak Prevention Services should download OPP 109 to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 329 should be downloaded to help with automated restoration of affected systems.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate resellers, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com.
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Anna Wright
EMEA PR Manager
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl