#1
As of August 9, 2004, 11:30 AM PST, TrendLabs has declared a YELLOW alert to control the spread of WORM_BAGLE.AC. Several infection reports indicate that this mass-mailing worm is spreading in the United States.
This memory-resident worm is downloaded by TROJ_BAGLE.AC.
It drops copies of itself using the following filenames in the Windows system folder:
* WINDLL.EXE
* WINDLL.EXEOPEN
* WINDLL.EXEOPENOPEN
It sends out .ZIP compressed files containing TROJ_BAGLE.AC and HTML_BAGLE.AC.
The email it sends has the following details:
From: <spoofed>
Subject: <none>
Message body: new price
Attachment: <any of the following>
price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip
This PEX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP.
http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_BAGLE.AC
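A mail-filter check built from the message details listed above, as an added example that is not part of the original post or of TrendLabs' advisory. The function names, the sample addresses, the case-insensitive matching and the assumption that the body arrives as a text/plain part are assumptions of this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory text above.
ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
BODY_TEXT = "new price"


def matches_bagle_ac(raw: bytes) -> bool:
    """True when a raw message shows all three listed traits: no subject,
    body 'new price', and an attachment with one of the listed names."""
    msg = message_from_bytes(raw, policy=policy.default)
    if (msg["Subject"] or "").strip():
        return False                      # advisory: Subject is <none>
    body = msg.get_body(preferencelist=("plain",))  # assumption: text/plain body
    text = body.get_content().strip().lower() if body else ""
    if text != BODY_TEXT:
        return False
    # Compare attachment filenames case-insensitively (assumption of this example).
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    return bool(names & ATTACHMENT_NAMES)


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the attachment bytes are inert filler."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"inert sample bytes", maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(matches_bagle_ac(build_sample("", "new price", "price_08.zip")))
    print(matches_bagle_ac(build_sample("Q3 quote", "new price", "price.zip")))
```

Requiring all three traits together keeps the check from flagging ordinary mail that merely carries a file called price.zip.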