
    New Bagle Threat Spreading Quickly, Quietly

    Written by Jay Munro
    Published August 31, 2004

      Like the Bagle.AQ infected messages of two weeks ago, a flood of infected e-mails started hitting users' mailboxes Tuesday bearing the subject line "foto" and an unencrypted zip file "foto.zip". However, it doesn't seem to be able to get much farther than the initial spam.

      The zip file contains an HTML file that, when executed, drops a downloader component on the victim's machine, which attempts to connect to one of many web sites to download the worm portion. The new virus, first identified by Trend Micro Inc. as Worm_Bagle.AI, appeared to have been seeded, or spammed to many users, but due to problems with the web sites that carry the propagation code, it hasn't spread further.

      How to prevent it: Do not open attachments, especially foto.zip. Get the latest updates from your antivirus company.

      Bagle.AI was first discovered on August 31st, and the attack slipped in under the radar of our own corporate antivirus. The virus arrives by an e-mail with the subject "foto" and a spoofed "from" address. The attachment is an unencrypted Zip file named "foto.zip".

      The zip file contains two files, foto.html and foto1.exe. When a user clicks on the HTML file, it executes the foto1.exe file. The HTML file contains JavaScript that is detected as JS/IllWill. The foto1.exe initially drops a file named DORIOT.EXE (note: it has a creation date of 9/1/04, a day ahead of the start of the outbreak) into the Windows system folder, along with a companion file GDQFW.EXE. It creates the following value:

      Wersds.exe = "%system%\doriot.exe"

      In the following registry keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      (%system% is the Windows System folder and is usually C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)

      According to Symantec, the gdqfw.exe file is injected into Explorer.exe and runs as a thread that stops the service "Shared Access" and then sets its startup type to disabled. It then attempts to stop security software processes.

      The gdqfw.exe is also the downloader, which attempts to contact one of over 130 web sites to download the actual worm propagation code. For the full list, see Symantec's analysis.

      The files are saved as "_re_file.exe" in the Windows installation folder and then executed. However, at this time, all the sites appear to be inoperable, leaving the victim's machine with only a few installed files and registry entries. If the web sites do become active, Bagle.AI may spread quickly.
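      The artifacts described above (the Run-key value, the dropped files in the system and Windows folders, and the disabled "Shared Access" service) can be checked for on a suspect machine. The following read-only PowerShell script is an added example, not part of the eWEEK or PCMag.com coverage; it assumes the "Shared Access" service's short name is SharedAccess and that [Environment]::SystemDirectory is the %system% folder.

```powershell
# Added example (not from the article): read-only check for the Bagle.AI artifacts
# it lists. Assumptions: the "Shared Access" service's short name is SharedAccess,
# and [Environment]::SystemDirectory is the %system% folder the article refers to.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# File names from the article; _re_file.exe lands in the Windows folder, not %system%
$systemDir    = [Environment]::SystemDirectory
$droppedFiles = @(
    (Join-Path $systemDir 'doriot.exe'),
    (Join-Path $systemDir 'gdqfw.exe'),
    (Join-Path $env:SystemRoot '_re_file.exe')
)

$findings = @()

# 1. Run-key persistence: the value name Wersds.exe, or any value pointing at doriot.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $data = [string]$p.Value
        if ($p.Name -ieq 'Wersds.exe' -or $data -imatch 'doriot\.exe') {
            $findings += "Run entry $key\$($p.Name) = $data"
        }
    }
}

# 2. Dropped files in the system and Windows folders
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 3. Internet Connection Firewall/Sharing service disabled, as the article describes
$svc = Get-CimInstance Win32_Service -Filter "Name='SharedAccess'" -ErrorAction SilentlyContinue
if ($svc -and $svc.StartMode -eq 'Disabled') {
    $findings += "Service SharedAccess is $($svc.State), start mode $($svc.StartMode)"
}

if ($findings.Count -eq 0) { 'No Bagle.AI artifacts found' } else { $findings }
```

      A hit on any of the three checks is a reason to run an up-to-date antivirus scan; the script reports and does not remove anything.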

      In PCMag.com's tests, we noticed that the firewall recognized Explorer.exe trying to reach the web. Since this is a normal occurrence, detection by a firewall (as was possible with Bagle.AQ) may not be possible.

      To read the full PCMag.com story and how to remove the worm, click here.
