Worm_bagle.ah - Medium Risk alert!

#1 As of 12:30 PM July 19, 2004 (GMT -07:00; Daylight Savings Time), TrendLabs has declared a Medium Risk alert to control the spread of this new BAGLE variant that is spreading via email and network shares. Infection reports have been received from the U.S.

This mass-mailing, memory resident worm propagates via email using a built-in mailing engine that utilizes Simple Mail Transfer Protocol (SMTP). Details of its email can be found in the Technical Details section.

This worm also propagates via network shares. However, it does not deliberately search for all available shared folders. Instead, it searches for local folders with names that contain the character string “shar.” It assumes that these folders are shared and drops a copy of itself into these folders.

It uses attractive file names (like Adobe Photoshop 9 full.exe and Porno Screensaver.scr) for its copies so that other users who have access to the folders are enticed into obtaining the files. This propagation technique usually works on systems running peer-to-peer file sharing applications like Kazaa.

This BAGLE variant continues to assail NETSKY worms by deleting registry entries created by members of the NETSKY family. It also assails security programs by terminating them.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP. It is compressed using UPX.

http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_BAGLE.AH
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html