Warning: Bagle worm attacks on network


A new worm variant is rapidly spreading from Asia and Europe to North America, filling users' mailboxes.

MessageLabs senior anti-virus expert Alex Shipp said this is a new variant of the Bagle worm, with the same attack power as MyDoom, the virus that turned Google and other Internet search sites into "tortoises" in January. So far MessageLabs has received about 900,000 emails containing the virus. By Shipp's estimate, this figure accounts for only about 1% of the total e-mails carrying the worm in this outbreak. Since each computer often receives multiple e-mails carrying the worm, it is difficult to predict exactly how many users have been infected.

Identified

Going by the names Bagle.AT, Bagle.BB and Bagle.AU, the new variants disguise themselves as jokes. If you receive a message with an attachment named "Joke" or "price", be careful: it may carry the virus.

The body of the message usually contains nothing except an emoticon or a smiley face. They can take down any computer running Windows 95, 98, ME, NT, 2000 or XP.

The usual subjects of the fake messages are Re:, Re: Hello, Re: Hi, Re: Thanks and Re: Thank you.

Once on the machine, the virus "catches" all the email addresses in Microsoft Outlook and then uses its own automated mailing routine to distribute itself to new victims. On the victim's computer it turns off security systems such as the firewall and the anti-virus software that protect the computer. On Windows XP the Bagle.AT variant also disables the central security service.

Another security software vendor, McAfee, said that the new Bagle variant, which spread rapidly throughout the day, "does not appear to destroy files or software." The variant can spread through email and file sharing. It attaches itself to a file and then automatically sends that file to the email addresses it finds on the infected computer. If the receiver opens it, Bagle installs a backdoor program. If another person communicates with the infected machine, the malicious files automatically spread to that computer as well. More dangerously, this Bagle variant also disables security software.

McAfee received the first reports of the new variant from Europe, while Symantec said the first complaints came from Japan. Early yesterday, Bagle landed in the United States. According to experts, however, standard security software can detect and protect computers against the latest Bagle variants.

If you are not registered with a security software company, you can visit the McAfee website to download a free rescue program called Stinger.

(According to VietnamNet)

BKAV 561 virus update: W32.Beagle.AV

To remove the W32.Beagle.AV virus, follow these steps:

1. Download BKAV version 561 into a folder on the machine.

2. If you use Windows Me or XP, turn off the operating system's System Restore feature.

3. If other anti-virus programs such as NAV or McAfee are installed, temporarily turn off their Auto Protect function.

4. Run Bkav561 and select scanning of all files on all drives.

5. Restart the computer.

Some features of the W32.Beagle.AV virus

Makes copies of itself in the Windows System folder under the following names:

wingo.exe
wingo.exeopen
wingo.exeopenopen

The following files may also be present:

wingo.exeopenopenopen
wingo.exeopenopenopenopen

Creates a registry value named wingo so that the virus is started automatically each time the operating system boots. The value is located under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Finds and terminates the processes of antivirus and firewall programs:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe

Acts as a backdoor: opens a port and listens on it, allowing attackers to control the victim machine.

Scans all drives for files and folders:
If a directory name contains the string Shar (usually a shared folder), the virus copies itself into that directory under the following names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porn, sex, blowjob, anal cool, awesome !!
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
If the item is a file whose extension is in the virus's own list of file types, the file is searched for the email addresses it contains. The list of file types is:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.bb
.sht
.xls
.oft
.in
.cgi
.mht
.dhtm
Downloads the file g.jpg from the following sites:
http://www.bottombouncer.com/g.jpg
http://www.bottombouncer.com/g.jpg
http://www.anthonyflanagan.com/g.jpg
http://www.bradster.com/g.jpg
http://www.traverse.com/g.jpg
http://www.ims-i.com/g.jpg
http://www.realgps.com/g.jpg
http://www.aviation-center.de/g.jpg
http://www.gci-bln.de/g.jpg
http://www.pankration.com/g.jpg
http://www.jansenboiler.com/g.jpg
http://www.corpsite.com/g.jpg
http://www.everett.wednet.edu/g.jpg
http://www.onepositiveplace.org/g.jpg
http://www.raecoinc.com/g.jpg
http://www.wwwebad.com/g.jpg
http://www.corpsite.com/g.jpg
http://www.wwwebmaster.com/g.jpg
http://www.wwwebad.com/g.jpg
http://www.dragcar.com/g.jpg
http://www.wwwebad.com/g.jpg
http://www.oohlala-kirkland.com/g.jpg
http://www.calderwoodinn.com/g.jpg
http://www.buddyboymusic.com/g.jpg
http://www.smacgreetings.com/g.jpg
http://www.tkd2xcell.com/g.jpg
http://www.curtmarsh.com/g.jpg
http://www.dontbeaweekendparent.com/g.jpg
http://www.soloconsulting.com/g.jpg
http://www.lasermach.com/g.jpg
http://www.generationnow.net/g.jpg
http://www.flashcorp.com/g.jpg
http://www.kencorbett.com/g.jpg
http://www.FritoPie.NET/g.jpg
http://www.leonhendrix.com/g.jpg
http://www.transportation.gov.bh/g.jpg
http://www.transportation.gov.bh/g.jpg
http://www.jhaforpresident.7p.com/g.jpg
http://www.DarrkSydebaby.com/g.jpg
http://www.cntv.info/g.jpg
http://www.sugardas.lt/g.jpg
http://www.adhdtests.com/g.jpg
http://www.argontech.net/g.jpg
http://www.customloyal.com/g.jpg
http://www.ohiolimo.com/g.jpg
http://www.topko.sk/g.jpg
http://www.alupass.lu/g.jpg
http://www.sigi.lu/g.jpg
http://www.redlightpictures.com/g.jpg
http://www.irinaswelt.de/g.jpg
http://www.bueroservice-it.de/g.jpg
http://www.kranenberg.de/g.jpg
http://www.kranenberg.de/g.jpg
http://www.the-fabulous-lions.de/g.jpg
http://www.the-fabulous-lions.de/g.jpg
http://www.mongolische-renner.de/g.jpg
http://www.mongolische-renner.de/g.jpg
http://www.capri-frames.de/g.jpg
http://www.capri-frames.de/g.jpg
http://www.aimcenter.net/g.jpg
http://www.boneheadmusic.com/g.jpg
http://www.fludir.is/g.jpg
http://www.sljinc.com/g.jpg
http://www.tivogoddess.com/g.jpg
http://www.fcpages.com/g.jpg
http://www.andara.com/g.jpg
http://www.freeservers.com/g.jpg
http://www.programmierung2000.de/g.jpg
http://www.asianfestival.nl/g.jpg
http://www.aviation-center.de/g.jpg
http://www.gci-bln.de/g.jpg
http://www.mass-i.kiev.ua/g.jpg
http://www.jasnet.pl/g.jpg
http://www.atlantisteste.hpg.com.br/g.jpg
http://www.fludir.is/g.jpg
http://www.rieraquadros.com.br/g.jpg
http://www.metal.pl/g.jpg
http://www.handsforhealth.com/g.jpg
http://www.angelartsanctuary.com/g.jpg
http://www.firstnightoceancounty.org/g.jpg
http://www.chinasenfa.com/g.jpg
http://www.chinasenfa.com/g.jpg
http://www.ulpiano.org/g.jpg
http://www.gamp.pl/g.jpg
http://www.vikingpc.pl/g.jpg
http://www.woundedshepherds.com/g.jpg
http://www.cpc.adv.br/g.jpg
http://www.velocityprint.com/g.jpg
http://www.esperanzaparalafamilia.com/g.jpg
http://www.celula.com.mx/g.jpg
http://www.mexis.com/g.jpg
http://www.wecompete.com/g.jpg
http://www.vbw.info/g.jpg
http://www.gfn.org/g.jpg
http://www.aegee.org/g.jpg
http://www.deadrobot.com/g.jpg
http://www.cscliberec.cz/g.jpg
http://www.ecofotos.com.br/g.jpg
http://www.amanit.ru/g.jpg
http://www.bga-gsm.ru/g.jpg
http://www.innnewport.com/g.jpg
http://www.knicks.nl/g.jpg
http://www.srg-neuburg.de/g.jpg
http://www.mepmh.de/g.jpg
http://www.mepbisu.de/g.jpg
http://www.kradtraining.de/g.jpg
http://www.polizeimotorrad.de/g.jpg
http://www.sea.bz.it/g.jpg
http://www.uslungiarue.it/g.jpg
http://www.gcnet.ru/g.jpg
http://www.aimcenter.net/g.jpg
http://www.vandermost.de/g.jpg
http://www.vandermost.de/g.jpg
http://www.szantomierz.art.pl/g.jpg
http://www.immonaut.sk/g.jpg
http://www.eurostavba.sk/g.jpg
http://www.spadochron.pl/g.jpg
http://www.pyrlandia-boogie.pl/g.jpg
http://www.kps4parents.com/g.jpg
http://www.pipni.cz/g.jpg
http://www.selu.edu/g.jpg
http://www.travelchronic.de/g.jpg
http://www.fleigutaetscher.ch/g.jpg
http://www.irakli.org/g.jpg
http://www.oboe-online.com/g.jpg
http://www.oboe-online.com/g.jpg
http://www.pe-sh.com/g.jpg
http://www.idb-group.net/g.jpg
http://www.ceskyhosting.cz/g.jpg
http://www.ceskyhosting.cz/g.jpg
http://www.hartacorporation.com/g.jpg
http://www.glass.la/g.jpg
http://www.glass.la/g.jpg
http://www.24-7-transportation.com/g.jpg
http://www.fepese.ufsc.br/g.jpg
http://www.ellarouge.com.au/g.jpg
http://www.bbsh.org/g.jpg
http://www.boneheadmusic.com/g.jpg
http://www.sljinc.com/g.jpg
http://www.tivogoddess.com/g.jpg
http://www.fcpages.com/g.jpg
http://www.szantomierz.art.pl/g.jpg
http://www.elenalazar.com/g.jpg
http://www.ssmifc.ca/g.jpg
http://www.reliance-yachts.com/g.jpg
http://www.worest.com.ar/g.jpg
http://www.kps4parents.com/g.jpg
http://www.coolfreepages.com/g.jpg
http://www.scanex-medical.fi/g.jpg
http://www.jimvann.com/g.jpg
http://www.orari.net/g.jpg
http://www.himpsi.org/g.jpg
http://www.mtfdesign.com/g.jpg
http://www.jldr.ca/g.jpg
http://www.relocationflorida.com/g.jpg
http://www.rentalstation.com/g.jpg
http://www.approved1stmortgage.com/g.jpg
http://www.velezcourtesymanagement.com/g.jpg
http://www.sunassetholdings.com/g.jpg
http://www.compsolutionstore.com/g.jpg
http://www.uhcc.com/g.jpg
http://www.justrepublicans.com/g.jpg
http://www.pfadfinder-leobersdorf.com/g.jpg
http://www.featech.com/g.jpg
http://www.vinirforge.com/g.jpg
http://www.magicbottle.com.tw/g.jpg
http://www.giantrevenue.com/g.jpg
http://www.couponcapital.net/g.jpg
http://www.crystalrose.ca/g.jpg
http://www.crystalrose.ca/g.jpg
http://www.crystalrose.ca/g.jpg
http://www.crystalrose.ca/g.jpg
This file is saved to the System folder under the name re_file.exe, and the virus then executes it.
Deletes the following startup values of antivirus and firewall programs:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
from the keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
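The persistence and tampering traits described above (the wingo.exe copies in the System folder, the wingo value under the Run key, and the security-product Run values the worm deletes) can be checked from snapshots of a host. The following Python script is an added illustration of such a check; it is not code from BKAV or any vendor tool. The System folder listing, the baseline Run key contents and the product paths it inspects are constructed sample data; on a real Windows host the snapshots would be collected with os.listdir() and the winreg module, which is left out here.

```python
"""Host-side check for the W32.Beagle.AV traits in the BKAV bulletin.
Added example, not code from BKAV or any vendor tool.  It inspects constructed
snapshots so it runs offline; collection via os.listdir()/winreg is omitted."""
import re
from typing import Dict, Iterable, List

# File names the bulletin lists for the worm's copies: wingo.exe followed by
# zero or more repetitions of "open".
WORM_FILENAME = re.compile(r"^wingo\.exe(open)*$", re.IGNORECASE)
# Autostart value name the worm creates.
WORM_RUN_VALUE = "wingo"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Security-product autostart values the bulletin says the worm deletes.
DELETED_AV_VALUES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge",
    "ICQ Net",
}

# A Run-key snapshot: key path -> {value name: command line}
RunSnapshot = Dict[str, Dict[str, str]]


def find_worm_files(system_dir_listing: Iterable[str]) -> List[str]:
    """Entries in the System folder that match the worm's file-name pattern."""
    return sorted(n for n in system_dir_listing if WORM_FILENAME.match(n))


def find_worm_autostart(run: RunSnapshot) -> List[str]:
    """'key\\value' for every Run entry named like the worm's value."""
    return sorted(f"{key}\\{name}" for key, values in run.items()
                  for name in values if name.lower() == WORM_RUN_VALUE)


def missing_security_autostart(baseline: RunSnapshot, current: RunSnapshot) -> List[str]:
    """Security-product Run values present in the baseline but gone now.
    Only names on the worm's deletion list are reported."""
    gone = []
    for key, values in baseline.items():
        present = current.get(key, {})
        gone.extend(f"{key}\\{name}" for name in values
                    if name in DELETED_AV_VALUES and name not in present)
    return sorted(gone)


def assess(system_dir_listing: Iterable[str], baseline: RunSnapshot,
           current: RunSnapshot) -> Dict[str, object]:
    """Combine the three checks into one verdict for the host."""
    files = find_worm_files(system_dir_listing)
    autostart = find_worm_autostart(current)
    removed = missing_security_autostart(baseline, current)
    return {"worm_files": files, "worm_autostart": autostart,
            "removed_security_autostart": removed,
            "infected": bool(files or autostart)}


# Constructed sample snapshots (not taken from a real host).
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "wingo.exe", "notepad.exe",
                     "Wingo.exeopen", "wingo.exeopenopen", "wingo.dll"]
BASELINE_RUN: RunSnapshot = {
    HKLM_RUN: {"Norton Antivirus AV": r"C:\Program Files\Norton\ccApp.exe",
               "Zone Labs Client Ex": r"C:\Program Files\Zone Labs\zlclient.exe",
               "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    HKCU_RUN: {"MSMSGS": r"C:\Program Files\Messenger\msmsgs.exe"},
}
CURRENT_RUN: RunSnapshot = {
    HKLM_RUN: {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    HKCU_RUN: {"MSMSGS": r"C:\Program Files\Messenger\msmsgs.exe",
               "wingo": r"C:\WINDOWS\system32\wingo.exe"},
}

if __name__ == "__main__":
    for item, value in assess(SAMPLE_SYSTEM_DIR, BASELINE_RUN, CURRENT_RUN).items():
        print(f"{item}: {value}")
```

The comparison against a baseline is what makes the deleted Run values visible: a single snapshot only shows what is there, not what the worm removed, so the baseline has to come from a known-good image or an earlier inventory of the same machine.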
Sends mail to the addresses it has collected, except for addresses containing the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
Casp
admin
icrosoft
support
tv
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
The messages have the following characteristics:
Subject:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)
Content: an attachment named
Price
price
Joke
with the extension .com, .cpl, .exe or .scr
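A mail gateway or a user-side filter can match the message traits just listed. The script below is an added example, not code from VietnamNet, BKAV or any product; it uses Python's standard email package on two constructed messages (one shaped like the worm's mail, one an ordinary reply) and reports which traits matched. The emoticon pattern, and the rule that an attachment match plus at least one more trait is required before a message is flagged, are assumptions of mine to keep ordinary "Re:" replies from being flagged.

```python
"""Filter for the Bagle/Beagle message traits listed in the bulletin.
Added example; not code from VietnamNet, BKAV or any vendor product."""
import re
from email import message_from_string
from email.message import Message
from typing import List

# Subject lines the bulletin attributes to the worm (compared case-insensitively).
SUSPECT_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
# Attachment names and extensions from the bulletin.
SUSPECT_STEMS = {"price", "joke"}
SUSPECT_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}
# Assumption: a body that is nothing but a simple emoticon, as the article describes.
EMOTICON_ONLY = re.compile(r"^\s*[:;8][-o^]?[()DPp]\s*$")


def attachment_names(msg: Message) -> List[str]:
    """File names of all parts that carry a filename (i.e. attachments)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def text_body(msg: Message) -> str:
    """Decoded text of the first text/plain part that is not an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "ascii", "replace")
    return ""


def bagle_indicators(raw: str) -> List[str]:
    """One human-readable reason per worm trait the message exhibits."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in SUSPECT_SUBJECTS:
        reasons.append("subject matches worm template")
    for name in attachment_names(msg):
        stem, _, ext = name.rpartition(".")
        if stem.lower() in SUSPECT_STEMS and "." + ext.lower() in SUSPECT_EXTENSIONS:
            reasons.append(f"attachment {name!r} matches worm naming")
    if EMOTICON_ONLY.match(text_body(msg)):
        reasons.append("body is only an emoticon")
    return reasons


def is_bagle_like(raw: str) -> bool:
    """Flag only when the attachment trait is present together with at least
    one other trait (assumption: avoids flagging ordinary 'Re:' replies)."""
    reasons = bagle_indicators(raw)
    return any(r.startswith("attachment") for r in reasons) and len(reasons) >= 2


# Constructed sample messages (not captured worm traffic).
SAMPLE_WORM_MAIL = """\
From: someone@example.org
To: victim@example.net
Subject: Re: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

:)
--b1
Content-Type: application/octet-stream; name="Price.exe"
Content-Disposition: attachment; filename="Price.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

SAMPLE_CLEAN_MAIL = """\
From: colleague@example.org
To: me@example.net
Subject: Re: Hello
Content-Type: text/plain; charset="us-ascii"

Thanks for the update, see you tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, is_bagle_like(raw), bagle_indicators(raw))
```

The subject alone is deliberately not enough to flag a message, since "Re: Hello" is a perfectly ordinary reply; the executable attachment carrying one of the listed names is the discriminating trait, and the emoticon-only body is corroboration.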
Download BKAV: Bkav2002 (version 561), 315 KB. (According to BKAV)