
Virus Alert


francois

Hi,

here is a translation of an alert I received early this morning,

the alert is serious as one could have the bad idea to open the attached file due to the name ...

here it is:

Virus

Bagle.FY

Bagle.FY is a virus which propagates by e-mail. It arrives as a message whose subject is a first name, accompanied by a .ZIP file that is password-protected, with the password given in the body of the message, which tries to pass itself off as a declaration of love. If this file is run, the virus sends itself to the addresses harvested on the computer, tries to download and run a file from a list of remote web sites, then deactivates the main antivirus and security software.

PREVENTION:

The users concerned have to update their antivirus. Generally speaking, even if its name is intriguing or attractive, a doubtful attached file should not be run without first having the sender confirm that they sent it and then having it analyzed with an up-to-date antivirus.

DISINFECTION:

Before beginning the disinfection, it is imperative to make sure that the precautionary measures above have been applied, to prevent any reinfection of the computer by the virus. Users who do not have an antivirus can use a free online antivirus to find and eliminate the virus.

TYPE:

Worm

SYSTEMS CONCERNED:

Windows 95

Windows 98

Windows Me

Windows NT

Windows 2000

Windows XP

Windows 2003

ALIAS:

Worm/Bagle.GK (Antivir)

I-Worm/Bagle (AVG)

Win32.Bagle.ET@mm (Bit Defender)

Trojan.Bagle.BN (Clam)

W32/Mitglieder (F-Prot)

W32/Bagle.FY@mm (F-Secure)

Email-Worm.Win32.Bagle.fy (Kaspersky)

W32/Bagle.fb@MM (McAfee)

Win32/Bagle.GM (NOD32)

W32/Bagle-KL (Sophos)

W32.Beagle.FF@mm (Symantec)

WORM_BAGLE.FN (Trend Micro)

SIZE:

Variable (46 to 60 Kb)

DISCOVERY:

20/06/2006

DETAILED DESCRIPTION:

The Bagle.FY virus arrives as an e-mail whose subject, body and attachment name are variable. The message subjects:

* Ales

* Alice

* Alyce

* Alyce

* Andrew

* Androw

* Androwe

* Ann

* Anna

* Anne

* Anne

* Anthonie

* Anthony

* Anthonye

* Avice

* Opinion

* Bennet

* Bennett

* Christean

* Christian

* Constance

* Cybil

* Daniel

* Danyell

* Dorithie

* Dorothee

* Dorothy

* Edmond

* Edmonde

* Edmund

* Edward

* Edwarde

* Elizabeth

* Elizabethe

* Ellen

* Ellyn

* Emanual

* Emanuell

* Ester

* France

* Francis

* Fraunces

* Gabriell

* Geoffraie

* George

* Grace

* Harry

* Harrye

* Henrie

* Henry

* Henrye

* Hughe

* Humphrey

* Humphrie

* I coil you

* Isabel

* Isabell

* James

* Jane

* Jeames

* Jeffrey

* Jeffrye

* Joane

* Johen

* John

* Josias

* Judeth

* Judith

* Judithe

* Katherine

* Katheryne

* Leonard

* Leonarde

* Margaret

* Margarett

* Margerie

* Margerye

* Margret

* Margrett

* Marie

* Martha

* Mary

* Marye

* Michael

* Mychaell

* Nathaniel

* Nathaniell

* Nathanyell

* Nicholas

* Nicholaus

* Nycholas

* Peter

* Ralph

* Rebecka

* Richard

* Richarde

* Robert

* Roberte

* Roger

* Rose

* Rycharde

* Samuell

* Sara

* Sidney

* Sindony

* Stephen

* Susan

* Susanna

* Suzanna

* Sybyll

* Syndony

* Thomas

* To the beloved

* Valentyne

* William

* Winifred

* Wynefrede

* Wynefreed

* Wynnefreede

The body of the message is a short text in English accompanied by a password in the form of an image (the password gives access to the files contained in the attached .ZIP archive):

* I love you

Password is [5-digit number]

* I love you

Zip password: [5-digit number]

* To the beloved

Password [5-digit number]

* Password is [5-digit number]

* Zip password: [5-digit number]

The attached document is a .ZIP file with a random (unpredictable) name, of variable size (46 to 60 Kb), which is password-protected (preventing antivirus gateways from analyzing its contents):

* Ales.zip

* Alice.zip

* Alyce.zip

* Alyce.zip

* Andrew.zip

* Androw.zip

* Androwe.zip

* Ann.zip

* Anna.zip

* Anne.zip

* Annes.zip

* Anthonie.zip

* Anthony.zip

* Anthonye.zip

* Avice.zip

* Avis.zip

* Bennet.zip

* Bennett.zip

* Christean.zip

* Christian.zip

* Constance.zip

* Cybil.zip

* Daniel.zip

* Danyell.zip

* Dorithie.zip

* Dorothee.zip

* Dorothy.zip

* Edmond.zip

* Edmonde.zip

* Edmund.zip

* Edward.zip

* Edwarde.zip

* Elizabeth.zip

* Elizabethe.zip

* Ellen.zip

* Ellyn.zip

* Emanual.zip

* Emanuell.zip

* Ester.zip

* Frances.zip

* Francis.zip

* Fraunces.zip

* Gabriell.zip

* Geoffraie.zip

* George.zip

* Grace.zip

* Harry.zip

* Harrye.zip

* Henrie.zip

* Henry.zip

* Henrye.zip

* Hughe.zip

* Humphrey.zip

* Humphrie.zip

* I you.zip coil

* Isabel.zip

* Isabell.zip

* James.zip

* Jane.zip

* Jeames.zip

* Jeffrey.zip

* Jeffrye.zip

* Joane.zip

* Johen.zip

* John.zip

* Josias.zip

* Judeth.zip

* Judith.zip

* Judithe.zip

* Katherine.zip

* Katheryne.zip

* Leonard.zip

* Leonarde.zip

* Margaret.zip

* Margarett.zip

* Margerie.zip

* Margerye.zip

* Margret.zip

* Margrett.zip

* Marie.zip

* Martha.zip

* Mary.zip

* Marye.zip

* Michael.zip

* Mychaell.zip

* Nathaniel.zip

* Nathaniell.zip

* Nathanyell.zip

* Nicholas.zip

* Nicholaus.zip

* Nycholas.zip

* Peter.zip

* Ralph.zip

* Rebecka.zip

* Richard.zip

* Richarde.zip

* Robert.zip

* Roberte.zip

* Roger.zip

* Rose.zip

* Rycharde.zip

* Samuell.zip

* Sara.zip

* Sidney.zip

* Sindony.zip

* Stephen.zip

* Susan.zip

* Susanna.zip

* Suzanna.zip

* Sybyll.zip

* Syndony.zip

* Thomas.zip

* To the beloved.zip

* Valentyne.zip

* William.zip

* Winifred.zip

* Wynefrede.zip

* Wynefreed.zip

* Wynnefreede.zip

This .ZIP archive contains a non-malicious .DLL file as well as an .EXE file. If this file is run, the virus copies itself into the Application Data folder of the user's profile under the name hidn.exe, also copies there a rootkit, m_hook.sys (Hacktool.Rootkit), to try to avoid being detected by antiviruses, modifies the registry so that it runs at every start-up of the computer, then sends itself automatically to the addresses found in the Windows address book and in various files via its own SMTP engine. The virus then tries to download and run a file from a list of remote web sites and to deactivate the most popular security software, then it displays a false error message ("Error").

so, be cautious :o

francois
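What a mail gateway can still check on a password-protected .ZIP like the one described in the alert, as an added example that is not part of the original post or the alert: it assumes traditional ZIP encryption, which leaves member names and the "encrypted" flag readable without the password. The function names, the extension list and the sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

# Assumption: extensions a gateway treats as executable content.
RISKY_EXT = (".exe", ".dll", ".scr", ".pif", ".com", ".sys")

def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment without knowing its password.

    Only the central directory is read: member names and general-purpose
    flag bit 0 ("encrypted") are available even when contents are not.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    encrypted = any(m.flag_bits & 0x1 for m in members)
    risky = [m.filename for m in members
             if m.filename.lower().endswith(RISKY_EXT)]
    return {
        "encrypted": encrypted,
        "risky_members": risky,
        # Contents cannot be scanned, yet an executable is inside: hold it.
        "quarantine": encrypted and bool(risky),
    }

def build_sample(names, encrypted):
    """Constructed sample: harmless ZIP, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder, not malware")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag word sits at +6 in local headers, +8 in central headers.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", raw, pos + off)
                struct.pack_into("<H", raw, pos + off, flags | 0x1)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)

if __name__ == "__main__":
    # Constructed member names; the alert does not give the real ones.
    print(triage_zip(build_sample(["a.exe", "b.dll"], encrypted=True)))
```

An encrypted archive with only document members is not quarantined by this rule; a gateway policy may still choose to hold every archive it cannot open.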


No need to post virus warnings. Everybody has (should have) anti virus software installed - and if they don't they sure as **** don't read anti virus warnings either. It just ends up as spam.

Thanks, francois, for posting your regular warnings, updates and advice for computer users, especially those users like myself with little knowledge of computers beyond the on/off switch.

I, for one, appreciate your posts.


No need to post virus warnings. Everybody has (should have) anti virus software installed - and if they don't they sure as **** don't read anti virus warnings either. It just ends up as spam.
Aside from that, considering the speed at which a virus or worm spreads it makes no sense to post a virus warning 4 months after the virus or worm first appeared.

---------------

Maestro


No need to post virus warnings. Everybody has (should have) anti virus software installed - and if they don't they sure as **** don't read anti virus warnings either. It just ends up as spam.
Aside from that, considering the speed at which a virus or worm spreads it makes no sense to post a virus warning 4 months after the virus or worm first appeared.

---------------

Maestro

bagle FY is dated 20.06.06.

francois

ps; you seem so sure of what you do, I have to incline ...

good luck with one 0day coming to your pc one day coming soon or later ...

you'll see if finished in spam :o

people pay me to disinfect their machine, I think that I know a little bit about.

just to say .... :D
