Bagle Virus Family


francois

Some more details about this nasty virus:

Bagle.N, Bagle.O and Bagle.P have new trump cards for evading antivirus products, notably by locking their attachments.

While the alerts issued by the major antivirus vendors in February 2004 paid little attention to the famous Bagle worm, three versions derived from the original virus have since been launched and could well change that view. They are Bagle.N, Bagle.O and Bagle.P.

The danger of these new versions of the worm, which shook the year 2003, lies in their ability to get past the defences of standard antivirus products by password-protecting the infected attachments they carry with them, which complicates the work of protection systems. Where the earlier edition of this worm used the WinZip compression utility to convey the malicious code, the new versions now use WinRAR to protect themselves.

Another new element in versions N and O of Bagle: the password needed to open the file is no longer included in the text of the e-mail but is supplied as an image, further strengthening the worm's defences against the usual means of detection. Note that all three versions can also delete registry entries to prevent the Netsky variants from running (a war between virus writers is indeed raging at the moment, adding to the grotesqueness of the situation).

Bagle.P aims at shared documents

And to complicate the antivirus vendors' task further, the worm duplicates itself and deposits its code in executables on the victim's hard disk, which allows it to re-infect a previously cleaned system if the user relaunches a contaminated executable. Better still, its ability to infect files now extends to portable executable files, thereby facilitating its action on any possible operating system.

On the other hand, the worm's objective remains the same: every infected computer opens TCP port 2556 and waits for a command typed by a remote user, handing the infected computers over to the pirates.

Bagle.P has begun to spread, at the moment mainly in Korea and Japan. It follows the same mode of distribution as its little brothers, namely an e-mail containing an attached document, but in addition targets any file or directory name containing the word "shar". It can thus get into a user's shared folders and, by means of its own SMTP engine, infect the contacts of the victim's computer.

Despite the worm's ability to generate mails that always differ in subject, recipient or message, one element makes it possible to identify them. In the case of Bagle.N, the attached file has a TrueType font icon, and in the case of Bagle.O a WordPad icon.

<Yves DROTHIER, JDN Solutions >

just a report translated from the web.

francois
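The delivery pattern the quoted article describes (a password-protected WinZip or WinRAR attachment, with the password handed to the victim in an inline image so that gateways cannot open the archive) can still be flagged at the mail gateway without the password, because the encryption bit sits in the plaintext archive headers. The following Python is an added example, not code from the original post or from the JDN article; the sample message and archive bytes it builds are constructed, the header offsets are those of the ZIP local-file-header and RAR 1.5-4.x block formats, and every function name is the example's own.

```python
"""Mail-gateway heuristic for the Bagle.N/O delivery pattern: an archive
attachment whose contents are password-protected, with the password supplied
in an inline image rather than in the message text.

Added example, not code from the original post or the quoted article.
The sample message and archive bytes are constructed; header offsets follow
the ZIP local-file-header and RAR 1.5-4.x block layouts.
"""
import struct
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/x-rar-compressed", "application/vnd.rar"}
ARCHIVE_EXTS = (".zip", ".rar")

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_ENCRYPTED = 0x0001                      # general-purpose flag bit 0
RAR_MARKER = b"Rar!\x1a\x07\x00"            # RAR 1.5-4.x signature block
RAR_MAIN_HEAD, RAR_FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080                       # archive headers themselves encrypted
LHD_PASSWORD = 0x0004                       # file data encrypted
LONG_BLOCK = 0x8000                         # ADD_SIZE field present after HEAD_SIZE


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP local file header carries the encryption bit."""
    pos = data.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        flags, = struct.unpack_from("<H", data, pos + 6)
        if flags & ZIP_ENCRYPTED:
            return True
        _crc, comp_size, _unc, name_len, extra_len = struct.unpack_from("<IIIHH", data, pos + 14)
        pos = data.find(ZIP_LOCAL_SIG, pos + 30 + name_len + extra_len + comp_size)
    return False


def rar_is_encrypted(data: bytes) -> bool:
    """Walk RAR 1.5-4.x block headers; True if headers or any file are encrypted."""
    if not data.startswith(RAR_MARKER):
        return False
    pos = len(RAR_MARKER)
    while pos + 7 <= len(data):
        head_type, flags, head_size = struct.unpack_from("<BHH", data, pos + 2)
        if head_size < 7:
            return False                    # corrupt header: stop rather than loop
        if head_type == RAR_MAIN_HEAD and flags & MHD_PASSWORD:
            return True                     # everything after this block is ciphertext
        if head_type == RAR_FILE_HEAD and flags & LHD_PASSWORD:
            return True
        add_size = 0
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                return False
            add_size, = struct.unpack_from("<I", data, pos + 7)
        pos += head_size + add_size         # for file headers ADD_SIZE is PACK_SIZE


def analyse(raw: bytes) -> dict:
    """Classify one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    archives, encrypted = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() not in ARCHIVE_TYPES and not name.endswith(ARCHIVE_EXTS):
            continue
        data = part.get_payload(decode=True) or b""
        archives.append(name)
        if (data.startswith(RAR_MARKER) and rar_is_encrypted(data)) or \
           (data.startswith(ZIP_LOCAL_SIG) and zip_is_encrypted(data)):
            encrypted.append(name)
    inline_images = sum(1 for p in msg.walk()
                        if p.get_content_maintype() == "image" and not p.is_attachment())
    return {
        "archives": archives,
        "encrypted_archives": encrypted,
        "inline_images": inline_images,
        # password-protected archive plus inline image is the Bagle.N/O pattern
        "suspicious": bool(encrypted) and inline_images > 0,
    }


# --- constructed samples (not real Bagle artefacts) ----------------------

def build_flagged_zip(encrypted: bool) -> bytes:
    """One stored file behind a ZIP local header; no central directory."""
    name, data = b"document.exe", b"MZ" + b"\x00" * 14
    flags = ZIP_ENCRYPTED if encrypted else 0
    header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                         zlib.crc32(data), len(data), len(data), len(name), 0)
    return header + name + data


def build_encrypted_rar() -> bytes:
    """Marker + main header + one file header with LHD_PASSWORD; CRCs left zero."""
    main = struct.pack("<HBHHHI", 0, RAR_MAIN_HEAD, 0, 13, 0, 0)
    name, payload = b"document.exe", b"\x00" * 16
    file_head = struct.pack("<HBHHIIBIIBBHI", 0, RAR_FILE_HEAD, LONG_BLOCK | LHD_PASSWORD,
                            32 + len(name), len(payload), len(payload), 2, 0, 0, 29, 0x30,
                            len(name), 0x20) + name
    return RAR_MARKER + main + file_head + payload


def build_sample() -> bytes:
    """Constructed message mimicking the Bagle.N delivery pattern."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Document"
    msg.set_content("The password is shown in the picture.")
    msg.add_attachment(b"GIF89a" + b"\x00" * 10, maintype="image", subtype="gif",
                       disposition="inline", filename="pass.gif")
    msg.add_attachment(build_encrypted_rar(), maintype="application",
                       subtype="x-rar-compressed", filename="Document.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(build_sample()))
```

The walker deliberately stops at the first encrypted indicator: when the RAR main header carries MHD_PASSWORD the following blocks are ciphertext and cannot be parsed, and for the ZIP case the flag is read from each local header in turn so a single encrypted member among several is still caught. An encrypted archive on its own is only a hint (legitimate users send them too); it is the combination with an inline image, which is how Bagle.N and Bagle.O deliver the password, that the verdict treats as suspicious.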