Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

VIRUS ADVISORY: McAfee AVERT raises assessment to medium on new W32/BAGLE.E@MM virus

  • 01 March, 2004 11:15

<p>For further information or comment, please contact Allan Bell directly on the details below:</p>
<p>Allan Bell - Marketing Director</p>
<p>Network Associates</p>
<p>0412 411 929 or
02 9761 4229</p>
<p>Mass Mailer W32/Bagle.e@MM Raised to Medium Based on Prevalence</p>
<p>SYDNEY, March 1, 2004 – Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Bagle.e@MM, also known as Bagle.e. This new variant uses its own SMTP engine to construct outgoing messages and contains a remote access component. It has the same functionalities as one of its predecessors, the W32/Bagle.c@MM variant, which is also currently rated as a medium risk threat. However, it uses different file names to write to the local machine and contains a different file size.</p>
<p>McAfee AVERT researchers first saw Bagle.e yesterday and to date, McAfee AVERT has received over 100 submissions from the McAfee Security customer base. Many users have reported stopping the virus by not allowing files types, such as the one used by this threat and other viruses, into their environment—a practice that McAfee AVERT highly recommends. McAfee AVERT is also seeing increased prevalence on W32/Bagle.f@MM and W32/Bagle.g@MM, which are currently rated at low. Other variants in the Bagle family continue to infect and spread through the Internet. McAfee AVERT is advising its customers to update to the 4330 DATs to stay protected from all the current Bagle threats.</p>
<p>The Bagle.e worm is an Internet mass mailer that harvests addresses from local files and then uses the harvested addresses in the ‘From’ field and sends itself using its own SMTP engine. The next recipient is thus unable to see the true sender. The worm then proceeds into the remote access component of the virus, which listens on TCP port 2745 for remote connections. Users should delete any email containing the following:</p>
<p>From: (address is spoofed)</p>
<p>Body: (Message body is empty)</p>
<p>Accounts department</p>
<p>Daily activity report</p>
<p>Flayers among us</p>
<p>Freedom for everyone</p>
<p>From Hair-cutter</p>
<p>From me</p>
<p>Greet the day</p>
<p>Hardware devices price-list</p>
<p>Hello my friend</p>
<p>Looking for the report</p>
<p>Monthly incomings summary</p>
<p>New Price-list</p>
<p>Price list</p>
<p>Proclivity to servitude</p>
<p>Registration confirmation</p>
<p>The account</p>
<p>The employee</p>
<p>The summary</p>
<p>USA government abolishes the capital punishment</p>
<p>Weekly activity report</p>
<p>You are dismissed</p>
<p>You really love me? he he</p>
<p>After being executed, Bagle.e emails itself to addresses found on the infected host using the filename .ADB, .ASP, .CFG, .DBX, .EML, .HTM, .HTML, .MDX, .MMF, .NCH, .ODS, .PHP, .PL, .SHT, .TXT and .WAB. The filenames listed are the file types that Bagle.e harvests e-mail addresses from. The file name is sent as a text file in the form of a .ZIP. Upon running the file, Notepad.exe is opened with a blank window. However, the virus avoids sending itself to addresses containing,, @microsoft, @avp, noreply, local, root@ and postmaster@. The worm goes completely inactive on the first reboot after March 25, 2004.</p>
<p>Immediate information and cure for this worm can be found online at the Network Associates McAfee AVERT site located at</p>
<p>Network Associates McAfee Protection-in-Depth Strategy delivers the industry’s only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing more than 100 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates
With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. *2004 Networks Associates Technology, Inc. All Rights Reserved.</p>

Most Popular