January 27, 2005 - Trend Micro issued a "medium risk" alert for WORM_BAGLE.AZ to raise awareness of the latest variant of the BAGLE worm, which was first seen just over one year ago. Sightings of the worm have been reported in Japan, China, US, and parts of Europe.
WORM_BAGLE.AZ arrives as an email attachment, pretending to be a delivery notification or confirmation, and uses spoofed sender addresses to appear to come from a known source. Upon infection, the worm gathers additional email addresses and drops copies of itself into shared folders, then uses the infected system as a launching pad to spread to other users.
Multiple variants of the BAGLE and MYDOOM worms detected in the past few days suggest a resurgence in activity among these virus creators - users are warned to be aware of these latest threats and to use added precaution when receiving email.
Users are cautioned to be on the lookout for emails with the following characteristics:
From: (spoofed)
Subject: (any of the following)
    Delivery Service Mail
    Delivery by mail
    Registration is accepted
    Is delivered mail
    You are made active
    Thanks for use of our software.
    Before use read the help
Message body:
    Delivery service mail
    Delivery by mail
    Registration is accepted
    Is delivered mail
    You are made active
    Thanks for use of our software.
    Before use read the help
Attachment: (any of the following)
    guupd02.exe
    Jol03.exe
    siupd02.exe
    upd02.exe
    viupd02.exe
    wsd01.exe
    zupd02.exe
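The subject lines and attachment names above are the indicators a mail gateway or SOC analyst would match on. The following Python script is an added example for this page (not Trend Micro's code) that parses raw messages with the standard library and reports which of the listed indicators they hit. The sample messages are constructed here for illustration, and the verdict rule (an attachment-name match plus a matching subject or body text is treated as a hit, a single indicator only as suspicious) is this example's own design, since the subject strings by themselves are generic English.

```python
"""Match e-mail messages against the WORM_BAGLE.AZ indicators quoted in the
advisory: subject/body text and attachment file names.

Added example; not Trend Micro's code. Sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject and message-body strings listed in the advisory (compared lower-case).
BAGLE_AZ_TEXTS = {
    "delivery service mail",
    "delivery by mail",
    "registration is accepted",
    "is delivered mail",
    "you are made active",
    "thanks for use of our software.",
    "before use read the help",
}

# Attachment file names listed in the advisory (compared lower-case).
BAGLE_AZ_ATTACHMENTS = {
    "guupd02.exe",
    "jol03.exe",
    "siupd02.exe",
    "upd02.exe",
    "viupd02.exe",
    "wsd01.exe",
    "zupd02.exe",
}


def attachment_names(msg: EmailMessage) -> list:
    """Return the file names of every attachment part in a parsed message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def body_text(msg: EmailMessage) -> str:
    """Return the plain-text body, or an empty string if there is none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def match_bagle_az(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report which indicators it matches.

    verdict is 'bagle_az' when an attachment name matches and the subject or
    body text matches too; 'suspicious' when only one kind of indicator hits;
    otherwise 'clean'. (Thresholds are this example's own choice.)
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    subject_hit = subject in BAGLE_AZ_TEXTS
    body_hit = body_text(msg).strip().lower() in BAGLE_AZ_TEXTS
    attachment_hits = [
        n for n in attachment_names(msg) if n.lower() in BAGLE_AZ_ATTACHMENTS
    ]
    text_hit = subject_hit or body_hit
    if text_hit and attachment_hits:
        verdict = "bagle_az"
    elif text_hit or attachment_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "attachment_hits": attachment_hits,
        "verdict": verdict,
    }


def build_sample(subject: str, body: str, filename: str = "") -> bytes:
    """Construct a sample message for testing (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"  # constructed address
    msg["To"] = "user@example.com"              # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        # Placeholder bytes stand in for the attachment; no real payload.
        msg.add_attachment(b"MZ-placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one matching the advisory, one partial, one benign.
SAMPLE_WORM = build_sample("Delivery Service Mail", "Delivery service mail", "guupd02.exe")
SAMPLE_PARTIAL = build_sample("Delivery by mail", "Your parcel is on its way.", "invoice.pdf")
SAMPLE_CLEAN = build_sample("Lunch on Friday?", "Same place as last week?")

if __name__ == "__main__":
    for label, raw in [("worm", SAMPLE_WORM), ("partial", SAMPLE_PARTIAL), ("clean", SAMPLE_CLEAN)]:
        print(label, match_bagle_az(raw))
```

Run stand-alone, the script prints a verdict for each constructed sample. The matching is case-insensitive because attachment names and subjects arrive in mixed case in practice; the spoofed From header is deliberately not used as an indicator, since it carries no fixed value to match.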
Once inside the infected machine, WORM_BAGLE.AZ terminates several processes related to antivirus and security programs, and tries to connect to one of several Web sites to download JPG files, which are used as a marker that the particular system has already been infected. It also opens random TCP ports (beginning with port number 2339) to leave back doors open to the virus creator.
"It is not surprising that threats like BAGLE and MYDOOM are still being seen even a year after they first originated," commented Jamz Yaneza, a senior virus researcher and analyst for Trend Micro. "Their creators are constantly testing new methods of social engineering and propagation techniques to re-spread these threats, and perhaps out-do one another. The best way to combat it is with constant vigilance."
WORM_BAGLE.AZ arrives in a file about 19 KB in size. It affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following aliases: W32/Bagle.bk@mm or W32/Beagle.AZ.mm.
Trend Micro customers are protected through the latest pattern file, number 2.375.00. Customers of Outbreak Prevention Services should download OPP 140 (or later) to help protect against the spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 495 should be downloaded to help with automated restoration of affected systems.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For more information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AZ
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro.com.
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Mireille Boetje
Tel: +31 (0)30 210 6333
E-mail: Mireille_Boetje@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: annegees@lvtpr.nl