An E-Mail Worm, the New Bagle Infects Many Users
'Bagle.KT', a new variant of the notorious 'Bagle' family of worms, was discovered by PandaLabs on December 14, 2006. The firm says the malware has already caused damage in a number of cases, so users should exercise caution when opening e-mails.
'Bagle.KT' behaves much like its predecessors. It is an e-mail worm that uses its own SMTP engine to send itself to addresses it harvests from infected PCs.
The e-mail carrying 'Bagle.KT' uses varying subject lines and contains no message text. The worm travels as a ZIP attachment whose name takes the form 'new_price%date%', where '%date%' is the date of the infection, for example 'new_price12-Dec-2006'.
When the user opens the attachment, the worm becomes active and sends itself to every e-mail address it finds in the various files stored on the computer. The worm also attempts to download files from several Internet addresses. In addition, it creates a number of entries in the Windows Registry so that it runs each time the user logs on to the computer.
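As an added example (not part of the original report), the following mail-filter check flags the lure described above: a message with an empty text body and a ZIP attachment whose name matches the 'new_price%date%' pattern. The sample messages, sender and recipient addresses are constructed for the test; the name regex is an assumption derived from the single example the report gives.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Attachment naming described in the report: 'new_price%date%',
# e.g. 'new_price12-Dec-2006'. The '.zip' suffix is allowed but optional
# (assumption: some mailers keep the extension, others strip it).
NAME_RE = re.compile(r"^new_price\d{1,2}-[A-Za-z]{3}-\d{4}(\.zip)?$", re.IGNORECASE)


def build_sample(subject: str, body: str, attachment_name: Optional[str]) -> bytes:
    """Construct a test message (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body, cte="7bit")
    if attachment_name:
        # Placeholder bytes standing in for the worm's ZIP payload.
        msg.add_attachment(b"PK\x03\x04 constructed-sample", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def matches_bagle_kt_lure(raw: bytes) -> bool:
    """Return True when the message has no visible text and carries a
    ZIP attachment named like 'new_price<date>'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_empty = True          # no text/plain part counts as empty
    suspect_attachment = False
    for part in msg.walk():
        if part.is_multipart():
            continue           # container only, inspect its children
        filename = part.get_filename()
        if filename:
            if part.get_content_type() == "application/zip" and NAME_RE.match(filename):
                suspect_attachment = True
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip():
                text_empty = False
    return suspect_attachment and text_empty
```

Messages that match should be quarantined for analysis rather than delivered; a ZIP lure with real body text, or a differently named archive, falls through for the usual content scanning.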
Luis Corrons, Director of PandaLabs, explains that even though 'Bagle.KT' is not a particularly dangerous variant, it shows the family's typical propagation characteristics. In order to spread, it uses an effective 'social engineering' technique, in this case mimicking a 'price list'. Corrons also says that the worm's activity emphasizes the need to add proactive technologies to traditional anti-virus solutions; it would not be right to leave the decision whether to open an e-mail to 'instinct'.
In an earlier warning, 'F-Secure' said that since the viruses accessed a number of URLs and re-activated them, a 'Bagle' attack could be unavoidable. The company noted that the URLs had been loaded with a new 188KB executable file, which would download automatically once a computer was infected by the 'Bagle' virus.
The worm-carrying e-mail includes a 'gif' image showing the password needed to open the attachment. When the attachment is run, it installs the file and opens a false 'error code' in 'Notepad' or 'Registry Editor'. 'Bagle.KT' uses a 'rootkit' to hide its presence on infected systems.
SPAMfighter News - 22-12-2006