ZDNet UK
How to stop yourself being bitten by Bagle.az

Robert Vamosi, CNET News.com

Published: 30 Sep 2004 10:20 BST


Using techniques carried over from previous versions, another variant of the Bagle virus attempts to download a file called ws.jpg, which may or may not be an infected JPEG file. Bagle.az (w32.bagle.az@mm), also known as Bagle.ak (Norman), Bagle.am (Trend Micro), Bagle.ar (Symantec), Bagle.as (F-Secure), and Bagle.bb (Panda), spreads via e-mail and shared network files, harvesting e-mail addresses from infected machines and using its own SMTP engine to send copies of itself to those addresses. Bagle.az also attempts to terminate security applications, such as antivirus and firewall software, then opens a backdoor on port 81 on infected machines to allow remote access. Bagle infects only Windows machines; users of Linux, Mac OS, and Unix are not affected. Because Bagle.az spreads via e-mail and opens a port for remote access, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works

Bagle.az arrives as an e-mail with a forged return address. The subject line is one of "Re: ", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", or "Re: Hi". The body text is simply ":)" or ":))". The infected attachment is named either "price" or "joke" with one of the following file extensions: .exe, .scr, .com, or .cpl. Bagle.az adds the file bawindo.exe to the Windows system directory and creates other files in this directory, such as:

C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen

It also adds the following Registry value under the Run key so that it starts with Windows:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"

In addition, Bagle.az shuts down antivirus and firewall software and opens a backdoor on port 81, plus another, random port, to allow remote access to infected PCs. It attempts to connect to about 100 Web sites worldwide to download a file called ws.jpg.
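The lure described above (a short "Re:" subject, a body of just a smiley, and a "price" or "joke" attachment with an executable extension) is easy to match at a mail gateway. The following is an added example, not code from the article or from any antivirus vendor: it parses a message with Python's standard email module, checks each of the three lure characteristics independently, and returns a verdict. The sample messages, the sender addresses, and the "quarantine"/"review"/"pass" labels are constructed for the example.

```python
"""Mail-gateway detection rule for the Bagle.az e-mail lure (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics taken from the article's "How it works" section.
LURE_SUBJECTS = {"re:", "re: hello", "re: thank you!", "re: thanks :)", "re: hi"}
LURE_BODIES = {":)", ":))"}
LURE_BASENAMES = {"price", "joke"}
LURE_EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}


def lure_attachments(msg):
    """Return attachment names that match the price/joke + executable-extension pattern."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        base, dot, ext = name.rpartition(".")
        if dot and base in LURE_BASENAMES and "." + ext in LURE_EXTENSIONS:
            hits.append(name)
    return hits


def score_message(raw):
    """Parse a raw RFC 822 message and report which lure characteristics it shows.

    Verdict policy (constructed for this example):
      quarantine - lure attachment plus lure subject or lure body
      review     - lure attachment only
      pass       - anything else (a bare smiley with no attachment is harmless)
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Collapse whitespace so "Re: " and "Re:" compare equal.
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    attachments = lure_attachments(msg)
    subject_hit = subject in LURE_SUBJECTS
    body_hit = body in LURE_BODIES
    if attachments and (subject_hit or body_hit):
        verdict = "quarantine"
    elif attachments:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "attachments": attachments,
        "verdict": verdict,
    }


def build_sample(subject, body, filename=None):
    """Construct a test message (sender/recipient addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # A few placeholder bytes stand in for the attachment payload.
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("Re: Hello", ":)", "price.exe"),
                 ("Q3 pricing", "See attached.", "price.exe"),
                 ("Re: Hello", ":)", None)]:
        print(args, "->", score_message(build_sample(*args))["verdict"])
```

The three characteristics are scored separately so that an operator can tune the policy: the attachment pattern alone is the strongest signal, while the subject and body are cheap corroboration that cut false positives on legitimate executables.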

Prevention

Variants of the Bagle worm do not rely on a specific Microsoft vulnerability but on simple social engineering. Never open attached e-mail files without first saving them to the hard drive and scanning them for known viruses. The latest signature file from your antivirus vendor should protect you against these Bagle variants. Additionally, a personal firewall will prevent the backdoor Trojan horse from communicating with the virus author.

Removal

Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
