Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

VIRUS ADVISORY: McAfee AVERT Raises Risk Assessment to Medium on New W32/BAGLE.AB@MM Virus

  • 11 May, 2004 09:02

<p>For further information or to arrange an interview, please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>Mobile: +61 (0)417 259 054</p>
<p>E-mail: nataliec@text100.com.au</p>
<p>McAfee AVERT Receives More Than 100 Customer Reports of the Virus In-the-Wild</p>
<p>SYDNEY, May 11, 2004 –Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Bagle.ab@MM, also known as Bagle.ab. This new variant is a mass-mailing worm that comes packed using UPX in the form of a password protected .ZIP file. To date, McAfee AVERT reports more than 100 reports of the virus being stopped or infecting users from the field—with the most number of infected files being reported from the United States. The samples received by McAfee AVERT have been from users versus the virus, which is similar to other Bagle reports throughout the past three months.</p>
<p>Symptoms</p>
<p>The Bagle.ab worm is a mass mailing threat that harvests addresses from local files and then uses the harvested addresses in the ‘From’ field to send itself. Once activated, the worm copies itself to folders in the System Directory that have the phrase “shar” in the name, such as common peer-to-peer applications, and adds a registry key to the system start-up. The worm then proceeds into the remote access component of the virus, which listens to TCP port 2535 for remote connections. Users should be very weary and should probably delete any email containing the following:</p>
<p>From: (address is spoofed)</p>
<p>Subject:</p>
<p>• Re: Msg reply</p>
<p>• Re: Hello</p>
<p>• Re: Yahoo!</p>
<p>• Re: Thank you!</p>
<p>• Re: Thanks :)</p>
<p>• RE: Text message</p>
<p>• Re: Document</p>
<p>• Incoming message</p>
<p>• Re: Incoming Message</p>
<p>• RE: Incoming Msg</p>
<p>• RE: Message Notify</p>
<p>• Notification</p>
<p>• Changes..</p>
<p>• New changes</p>
<p>• Hidden message</p>
<p>• Fax Message Received</p>
<p>• Protected message</p>
<p>• RE: Protected message</p>
<p>• Forum notify</p>
<p>• Site changes</p>
<p>• Re: Hi</p>
<p>• Encrypted document</p>
<p>Body Text: (Uses various constructed strings)</p>
<p>Attachment: May be one of the following:</p>
<p>• Information</p>
<p>• Details</p>
<p>• text_document</p>
<p>• Readme</p>
<p>• Document</p>
<p>• Info</p>
<p>• the_message</p>
<p>• Details</p>
<p>• MoreInfo</p>
<p>• Message</p>
<p>• You_will_answer_to_me</p>
<p>• Half_Live</p>
<p>• Counter_strike</p>
<p>• Loves_money</p>
<p>• the_message</p>
<p>• Alive_condom</p>
<p>• Joke</p>
<p>• Toy</p>
<p>• Nervous_illnesses</p>
<p>• Manufacture</p>
<p>• You_are_dismissed</p>
<p>• Your_complaint</p>
<p>• Your_money</p>
<p>• Smoke</p>
<p>• I_search_for_you</p>
<p>Pathology</p>
<p>After being executed, Bagle.ab emails itself to addresses found on the infected host as a password protected .ZIP file with the password included in the message body. The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various Web sites and calling a PHP script on the remote sites.</p>
<p>Cure</p>
<p>Immediate information and cure for this worm can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_125089.htm. McAfee AVERT is advising its customers to update to the 4354 or higher DATs to stay protected from all the current Bagle threats.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in offices on five continents. McAfee AVERT protects customers by developing and providing solutions that are created through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at http://www.networkassociates.com.</p>
<p># # #</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. *2004 Networks Associates Technology, Inc. All Rights Reserved.</p>

Most Popular

Market Place