Bagle.az prevention and cure

Takeaway: The latest variation of the Bagle virus attempts to download a file called ws.jpg, which may or may not be an infected JPEG file.


By Robert Vamosi
CNET Reviews

Using techniques learned from previous versions, another variation of the Bagle virus attempts to download a file called ws.jpg, which may or may not be an infected JPEG file. Bagle.az (w32.bagle.az@mm), also known as Bagle.ak (Norman), Bagle.am (Trend Micro), Bagle.ar (Symantec), Bagle.as (F-Secure), and Bagle.bb (Panda), spreads via e-mail and shared network files, harvesting e-mail addresses from infected machines and using its own SMTP engine to send copies of itself to those addresses. Bagle.az also attempts to terminate security apps, such as antivirus and firewall software, then opens a backdoor on port 81 on infected machines to allow remote access. Bagle infects only Windows machines; users of Linux, Mac OS, and Unix are not affected. Because Bagle.az spreads via e-mail and opens a port for remote access, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
Bagle.az arrives as e-mail with a fake return address. The subject line is one of "Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)" or "Re: Hi". The body text is simply ":)" or ":))". The infected attachment is named either "price" or "joke", with one of the extensions .exe, .scr, .com or .cpl. Bagle.az adds the file bawindo.exe to the Windows system directory and creates other files in this directory, such as:

C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen

It also adds the following Registry key so that it runs at every logon:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"

In addition, Bagle.az shuts down antivirus and firewall software and opens a backdoor on port 81 plus another, random port to allow remote access inside infected PCs. It attempts to connect to about 100 Web sites worldwide to download a file called ws.jpg.
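The e-mail characteristics above (spoofed sender, one of five short subjects, a one-smiley body, and a "price" or "joke" attachment with an executable extension) are enough for a mail gateway to flag the worm before any signature update arrives. The following is an added example, not code from the article or from any antivirus vendor: a small Python classifier that parses an RFC 822 message with the standard library, matches it against the indicators the article lists, and, as a broader assumed policy, quarantines any message carrying an executable-type attachment, since the Prevention section notes that Bagle relies on social engineering rather than on a specific vulnerability. The sample messages are constructed test data, not real worm samples; the extra extensions in EXECUTABLE_EXTENSIONS beyond the four the article names are an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as described in the article (lower-cased for comparison).
BAGLE_SUBJECTS = {"re:", "re: hello", "re: thank you!", "re: thanks :)", "re: hi"}
BAGLE_BODIES = {":)", ":))"}
BAGLE_ATTACHMENT_STEMS = {"price", "joke"}
BAGLE_EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}

# Assumed gateway policy: quarantine any executable-type attachment, not just
# the four extensions the worm used. The extra entries are an assumption.
EXECUTABLE_EXTENSIONS = BAGLE_EXTENSIONS | {".pif", ".bat", ".cmd", ".vbs", ".js"}


def split_name(filename):
    """Return (stem, extension) in lower case, e.g. 'Price.EXE' -> ('price', '.exe')."""
    name = filename.lower().strip()
    if "." not in name:
        return name, ""
    stem, _, ext = name.rpartition(".")
    return stem, "." + ext


def classify_message(raw):
    """Classify one raw RFC 822 message.

    Returns (verdict, reasons): verdict is 'bagle.az' when subject, body and
    attachment all match the worm's pattern, 'quarantine' when only an
    executable attachment is present, and 'clean' otherwise.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""

    bagle_attachment = False
    executable_attachment = False
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        stem, ext = split_name(filename)
        if ext in EXECUTABLE_EXTENSIONS:
            executable_attachment = True
            reasons.append(f"executable attachment: {filename}")
        if stem in BAGLE_ATTACHMENT_STEMS and ext in BAGLE_EXTENSIONS:
            bagle_attachment = True

    if bagle_attachment and subject in BAGLE_SUBJECTS and body in BAGLE_BODIES:
        reasons.append("subject, body and attachment name match the Bagle.az pattern")
        return "bagle.az", reasons
    if executable_attachment:
        return "quarantine", reasons
    return "clean", reasons


def build_message(subject, body, attachment_name=None):
    """Construct a sample message for testing (constructed data, not a worm sample)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"   # Bagle forges the return address
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes stand in for the attachment body.
        msg.add_attachment(b"MZ-placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = {
        "worm-like": build_message("Re: Hello", ":)", "price.exe"),
        "worm-like-cpl": build_message("Re: Hi", ":))", "joke.cpl"),
        "executable-only": build_message("Re: Hi", "see attached", "tool.scr"),
        "benign": build_message("Quarterly report", "Attached.", "report.pdf"),
    }
    for label, raw in samples.items():
        verdict, reasons = classify_message(raw)
        print(f"{label:16} -> {verdict:10} {'; '.join(reasons)}")
```

Run it directly to see the verdicts for the four constructed messages; at a gateway, the "bagle.az" and "quarantine" verdicts would route the message to quarantine rather than to the user's inbox, which is the safe default for executable attachments whether or not a signature exists yet.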

Prevention
Variations of the Bagle worm do not rely on a specific Microsoft vulnerability but on simple social engineering. Remember to never open attached e-mail files without first saving them to the hard drive and scanning them for known viruses. The latest signature file from your antivirus vendor should protect you against these Bagle variations. Additionally, the use of a personal firewall will prevent the backdoor Trojan horse from communicating with the virus author.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
