Security Alert: Bagle.X Worm Seeding in Progress | eWeek

Security Alert: Bagle.X Worm Seeding in Progress

Écrit par
eWEEK EDITORS
eWEEK EDITORS
Apr 8, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Editors Note: A security alert is presented daily to eWEEK.com readers by iDefense Inc., a security research company based in Reston, Va./zimages/5/72206.gif

Severity: High

Analysis: There is an apparent seeding of a new Bagle worm variant, Bagle.X, currently in progress. While this seeding appears to be progressing at a slow rate, previous versions of the Bagle worms have been seeded in a similar manner and have witnessed great success.

Bagle.X is 7824 bytes, is packed with FSG and has an MD5 value of 0252d4a699c7de3a0d7cae1d50ef365c. Bagle.X drops a file named window.exe in the Windows System32 directory. Bagle.X also opens a backdoor on a random TCP port.

Bagle.X attempts to contact the following three websites:

  • bohema.amillo.net
  • abc517.net
  • www.abc986.net

A computer infected by Bagle.X can serve as a mail relay. Port data, ID and process ID number for Bagle.X is stored under the following registry key:

HKCUSoftwareTimer

The Trojan might have been spammed in e-mail messages that had the following text:

We agree with your terms. The deal is acceptable.
For more information please read attached document.
Thank you.
Lisa Marlow.

This is yet another variant of the Bagle worm that is being seeded in the wild at this time. The seeding rate is consistent with previous Bagle versions that have witnessed great success after the intial seeding.

Detection: Remove all files and the Windows registry key modifications associated with this malicious code threat. Restore corrupted or damaged files with clean back-up copies. Use a firewall to monitor and manage all communications to ensure mitigation of all malicious code potentially installed by a remote attacker. Change all passwords, and harden the computer against attack. Validate functionality of all anti-virus and security-related software.

Workaround: Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use. Use a firewall to monitor and manage all communications.

Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically.

iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com

/zimages/5/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/5/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.