Another alert for WORM_BAGLE.X

CIOL Bureau
NEW DELHI: Trend Micro has issued a "medium risk" alert for WORM_BAGLE.X, the latest variant of the worm, which has been sighted in France, the UK, Latin America and the US. Unlike previous variants, which exploited vulnerabilities in Internet Explorer to execute automatically, this worm relies on social engineering: it incorporates the domain name of the recipient's email address so that the message appears to come from a colleague. The worm disguises itself as a screensaver or executable, and disables antivirus and security programs once inside the infected system.

WORM_BAGLE.X arrives under the sender name "Annie", "Christina", "Jessie", or "SecretGurl", combined with the recipient's domain name, and comes with a .jpg photograph of a young woman embedded in the message. The message uses one of several subject headers, including "Let's socialize, my friend!" or "I'm bored with this life". Attachments bear file extensions such as .COM, .EXE, .SCR, and .ZIP. Once executed, the memory-resident worm drops a copy of itself into the Windows system folder as "Drvsys.exe", and adds itself to Windows registry keys so that it runs automatically at every startup. This polymorphic worm spreads via email (mass mailing) and network shares.

The worm drops a copy of itself in shared folders, pretending to be illicit programs and downloads, such as "Matrix 3 Revolution", "Microsoft Office 2003 Crack", or "Porno Screensaver". The worm is designed to terminate processes associated with antivirus and security programs to avoid detection. It affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm is also known by the following aliases: W32.Bagle.W@MM or W32/Bagle.z@MM.
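The email traits listed in the alert can be turned into a mail-gateway triage check. The following is an added example, not Trend Micro's detection logic: the function names, the quarantine rule and the sample messages are assumptions constructed here, and only the sender names, subjects and extensions come from the alert.

```python
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted in the alert; the alert's lists are not exhaustive.
SENDER_NAMES = {"annie", "christina", "jessie", "secretgurl"}
SUBJECTS = {"let's socialize, my friend!", "i'm bored with this life"}
RISKY_EXTS = {".com", ".exe", ".scr", ".zip"}


def assess(msg, recipient):
    """Score one parsed message against the WORM_BAGLE.X traits in the alert."""
    reasons = []
    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    if {display.lower(), local} & SENDER_NAMES:
        reasons.append("sender-name")
    # A sender in the recipient's own domain is normal mail, so this trait
    # is recorded as context but never triggers quarantine on its own.
    if domain and domain == recipient.lower().rpartition("@")[2]:
        reasons.append("recipient-domain")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        reasons.append("subject")
    exts = {os.path.splitext(p.get_filename() or "")[1].lower() for p in msg.walk()}
    risky = sorted(exts & RISKY_EXTS)
    # Assumed rule: quarantine needs a listed attachment type plus a listed lure.
    lure = "sender-name" in reasons or "subject" in reasons
    return {"quarantine": bool(risky) and lure, "reasons": reasons, "attachments": risky}


def sample_message(sender, subject, filename):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "bob@example.com", subject
    m.set_content("hello")
    m.add_attachment(b"\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m


if __name__ == "__main__":
    for args in [("Jessie <jessie@example.com>", "I'm bored with this life", "photo.scr"),
                 ("Alice <alice@example.com>", "Q3 report", "report.zip")]:
        print(args[0], assess(sample_message(*args), "bob@example.com"))
```

The second sample shows why the rule combines traits: a .zip from a same-domain colleague is recorded but not quarantined.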







CyberMedia News