We report the extremely rapid spread, and the identification within a few hours, of several variants of the Bagle virus:
Bagle.bb [WINGO.EXE]
Bagle.bc [bawindo.exe]
Bagle.bd [WINGO.EXE]
The essential characteristics do not differ from those of its ancestor: it arrives as an e-mail attachment and, if executed, disables the most widespread antivirus and firewall products.
When executed (as an EXE), the worm installs itself into the Windows system folder on the victim machine as WINGO.EXE. For example:
C:\WINNT\SYSTEM32\WINGO.EXE
If the worm is received as a CPL file, when this is executed it serves to drop and execute the worm. The CPL dropper copies itself as CJECTOR.EXE within the Windows directory, for example:
C:\WINNT\CJECTOR.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE
The following Registry key is also added to store data (within a "TimeKey" key):
HKEY_CURRENT_USER\Software\Params
Additionally, the virus may make multiple copies of itself in the Windows system directory, appending the string "open" to the filename. For example:
C:\WINNT\SYSTEM32\WINGO.EXEOPEN
C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN
etc.
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
{z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Port 81 (TCP) is also opened on the victim machine.
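The host artifacts listed above (the "wingo" Run value, the dropped files with "OPEN" suffixes, the Params key, the Netsky-blocking mutex names and the TCP port 81 listener) can be turned into a simple triage check. The following is an added example, not code from the original post or from any antivirus vendor; the host snapshot it inspects is constructed for the demo and the `triage`/`demo` function names are assumptions.

```python
import re

# Indicators taken from the Bagle.bb/.bc/.bd description above.
RUN_VALUE_NAME = "wingo"
DROPPED_FILES = {"WINGO.EXE", "CJECTOR.EXE", "BAWINDO.EXE"}
PARAMS_KEY = r"HKEY_CURRENT_USER\Software\Params"
LISTEN_PORT = 81
# Mutex names the worm grabs to keep Netsky variants from running; a hit
# therefore points at Bagle or Netsky, never at a clean host.
MUTEX_NAMES = {
    "{z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
# WINGO.EXE with one or more "OPEN" strings appended (WINGO.EXEOPEN, ...).
OPEN_COPY_RE = re.compile(r"^WINGO\.EXE(?:OPEN)+$", re.IGNORECASE)


def triage(run_values, files, reg_keys, mutexes, listen_ports):
    """Return the list of Bagle indicators matched in a host snapshot."""
    hits = []
    for name, target in run_values.items():
        if name.lower() == RUN_VALUE_NAME or target.upper().endswith("\\WINGO.EXE"):
            hits.append(f"run key: {name} = {target}")
    for path in files:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if base.upper() in DROPPED_FILES or OPEN_COPY_RE.match(base):
            hits.append(f"dropped file: {path}")
    hits += [f"data key: {k}" for k in reg_keys if k.upper() == PARAMS_KEY.upper()]
    hits += [f"netsky-blocking mutex: {m}" for m in mutexes if m in MUTEX_NAMES]
    if LISTEN_PORT in listen_ports:
        hits.append(f"listener: tcp/{LISTEN_PORT}")
    return hits


def demo():
    """Constructed snapshot of an infected host; paths follow the write-up."""
    return triage(
        run_values={"wingo": r"C:\WINNT\SYSTEM32\WINGO.EXE",
                    "ctfmon": r"C:\WINNT\system32\ctfmon.exe"},
        files=[r"C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN", r"C:\WINNT\CJECTOR.EXE",
               r"C:\WINNT\notepad.exe"],
        reg_keys=[r"HKEY_CURRENT_USER\Software\Params"],
        mutexes=["AdmSkynetJklS003", "MSCTF.Shared.MUTEX.ABC"],
        listen_ports={81, 135, 445},
    )
```

On a live Windows host the same function can be fed the output of a registry export, a directory listing of the Windows folder and a netstat listing; the benign entries in the demo (ctfmon, notepad, the MSCTF mutex, ports 135/445) show that only the worm's own artifacts are reported.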
Users with even a minimal level of attention have no reason to worry. Everyone else is invited to update their antivirus and not to double-click whatever file comes within reach of the mouse.
Removal tools:
McAfee Stinger
BitDefender
++ Last updated 30/10/2004 at 04:26 ++