October 29, 2004 - Trend Micro issued a "medium risk" alert for WORM_BAGLE.AT to raise awareness of this SMTP-based mass-mailing worm. It arrives with a very simplistic subject and message, but has the ability to disable the Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), and the Security Center Service available on Windows XP platforms. Without the ICF running, systems may be exposed to outside data requests, potentially giving virus authors access to infected systems. Sightings of the worm have been reported in Japan, China, Europe and the U.S.
Users are cautioned to be on the lookout for emails with the following characteristics:
From: (spoofed)
Subject: (any of the following)
Re Hello
Re Hi
Re Thank you!
Re Thanks :)
Message body:
:))
Attachment: (any of the following)
PRICE.CPL
PRICE.COM
PRICE.EXE
PRICE.SCR
JOKE.CPL
JOKE.COM
JOKE.EXE
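As an added example that is not part of the Trend Micro alert, the following Python filter scores an incoming message against the characteristics listed above. The sample message is constructed, and the From: header is deliberately ignored because the alert states it is spoofed.

```python
import email
from email import policy

# Indicators quoted in the alert above; matching is case-insensitive.
BAGLE_AT_SUBJECTS = {"re hello", "re hi", "re thank you!", "re thanks :)"}
BAGLE_AT_BODY = ":))"
BAGLE_AT_ATTACHMENTS = {"price.cpl", "price.com", "price.exe", "price.scr",
                        "joke.cpl", "joke.com", "joke.exe"}

def bagle_at_indicators(raw_message: str) -> list[str]:
    """Return the WORM_BAGLE.AT traits found in one RFC 822 message."""
    # From: is deliberately not inspected: the alert says it is spoofed.
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in BAGLE_AT_SUBJECTS:
        hits.append("subject:" + subject)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == BAGLE_AT_BODY:
        hits.append("body:" + BAGLE_AT_BODY)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BAGLE_AT_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

def is_bagle_at(raw_message: str) -> bool:
    # A lone "Re Hello" subject is ordinary mail: require two independent traits.
    return len(bagle_at_indicators(raw_message)) >= 2

# Constructed sample modelled on the alert's description (not a real capture).
SAMPLE_BAGLE_AT = """\
From: friend@example.invalid
To: victim@example.invalid
Subject: Re Hello
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

:))
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="PRICE.EXE"
Content-Transfer-Encoding: base64

TVqQ
--b1--
"""
```

A benign reply that merely reuses the subject "Re Hello" scores only one trait and is not flagged.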
WORM_BAGLE.AT propagates via email using SMTP, harvesting new email addresses from files with specific extensions, and also propagates via network shares. Because the sender address is spoofed, a message may appear to come from someone the recipient knows.
Once running on an infected machine, WORM_BAGLE.AT terminates antivirus and security-related programs and attempts to connect to one of several Web sites.
Unlike previous BAGLE worm variants, this one can disable certain firewall-related security features, some of which are enabled by default in Windows XP Service Pack 2.
"BAGLE.AT could be targeting the home or standalone user," commented Jamz Yaneza, a senior virus researcher and analyst for Trend Micro. "These kinds of systems running Windows XP may rely on the built-in Internet Connection Firewall or Security Center Service, but without these, data requests cannot be blocked."
WORM_BAGLE.AT file size varies. It affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following aliases: W32/Bagle.bb@mm or W32/Beagle.AU.mm.
Trend Micro customers are protected through the latest pattern file, number 2.224.00. Customers of Outbreak Prevention Services should download OPP 131 (or later) to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 444 should be downloaded to help with automated restoration of affected systems. Customers with Trend Micro Network VirusWall should download network virus pattern # 144 to enable additional outbreak management features.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/.
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro.com.
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate as of the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Mireille Boetje
Tel: +44 (0)1628 400534
E-mail: mireille_boetje@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: trendmicro@lvtpr.nl