Skip to comments.New Bagle Variant Sweeps the Internet
Posted on 08/10/2004 12:24:20 PM PDT by BenLurkin
Antivirus companies are sounding the alarm about a new variant from the long-lived Bagle virus family: On Monday, Bagle.AM, also known as "Bagle.AQ" and "Bagle.AC," began spreading rapidly and infecting users.
The best gadgets to help students through the year, from new phones to gizmos for locking down your stuff.
Due to the high number of incidences, antivirus firms are ranking this new virus on the higher end of the threat spectrum.
Bagle.AQ is a mass-mailing threat that contains its own SMTP engine to construct outgoing messages, according to McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team). The virus mass mails itself to addresses harvested from local files. It produces a message with a spoofed "From" address and contains a remote-access component -- with the notification sent to the hacker. It then copies itself to folders that have "shar" in the name, typically found in P2P applications, such as Kazaa, Bearshare and LimeWire.
The worm sends out a ZIP file that contains an HTML file. On vulnerable systems, it automatically runs an EXE file that is a downloader Trojan. The downloader Trojan then contacts a large number of remote Web sites to retrieve the virus itself.
"Users should be very wary and should most likely delete any e-mail containing "From : (address is spoofed); Subject : (blank); Body Text: * new price," McAfee said.
The virus also has been successful in shutting down various security processes, Panda Software CTO Patrick Hinojosa told NewsFactor. "That is why it was able to spread so quickly. It had a chance to really jumpstart infections."
The virus was already at the top of the list of 20 most-detected viruses this month, Hinojosa said.
So far it does not appear as though the worm was designed to initiate a denial of service attack against a company. "It was obviously a launched worm," Hinojosa says, "aimed at individual machines."
The timing is a little suspect, though, considering the ire most hackers have towards Microsoft (Nasdaq: MSFT - news). "Microsoft came out with its new security service pack on the same day, so I am assuming this was done to take a shot at Microsoft," Hinojosa says.
I suspect the timing.
I love bagels.
For home users, blackhole these sites in your hosts file, and the virus won't be able to connect to them.
If they sent it in tandem with a 'cream cheese' variant, it wouldn't seem so dastardly.
You saw that . . .
Symantic Norton Antivirus failed to clean it out (at least yesterday it did).
MccAfee's Stinger did the trick!
I wonder, when XP SP2 comes out.. Would it be better to use it or to use Trend Micro's firewall?
I already have a hardware router with firewall on, but I'd want to use a software one too just in case. Apparently the SP2's is kinda slick, like Zonealarm.. Asks if it's ok for programs to access the net and all.
Lox of luck
For those running email servers, I recommend GFI Mail Security. It caught it even before the new virus definitions were uploaded. Protects the whole company.
Why can't Windows catch or challenge a process instance at that point? It might add overhead, sure. But processors are fast, and the recently approved instances could be stacked for quick reference in each session. Part of the challenge for communication might simply to be to see if the address is 'spoofed'. But much else could also be checked.
Of course, part of reason that many suggest for other OS being more stable is that Windows is so popular. So the bomb makers who create these things want to break Windows, not any competitor. I still see no reason why that 'price of success' prevents M$ for doing something suggested above.
Between the Bagle and Spam, I should never feel hungry again!
Now, that was truly "nauti"!
The http:// just specifies what protocol you want to connect with. It doesn't have anything to do with the host address.
Linux prevents or allows reading/writing to disk based on the user running at that time. Since most people don't run as root most of the time, access to system-level files and directories is usually prohibited.
As a result, virii cannot proliferate as easily in that environment.
I use the free version of ZoneAlarm firewall. It works great, except that the last update messed up Forte Agent for downloading yenc zipped files in newsgroups.
I un-installed the ZoneAlarm and went back to the previous version. Forte Agent downloads work again.
[I hate when an upgrade to one thing messes up other things. I am always leary of upgrades and whether they end up doing more damage than good.]
I tested McAfee's firewall once. BIG mistake. Couldn't uninstall all the crap it put on my pc. 2 or 3 months afterward, McAfee was still trying to do auto updates, etc. I ended up having to format and re-install everything to get rid of McAfee.
Thanks again, Microsoft! Couldn't do it without you or your crappy malware!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.