Editor's Note: A security alert is presented daily to eWEEK.com readers by iDefense Inc., a security research company based in Reston, Va.
Severity: High
Analysis: There is an apparent seeding of a new Bagle worm variant, Bagle.X, currently in progress. While this seeding appears to be progressing at a slow rate, previous versions of the Bagle worms have been seeded in a similar manner and have witnessed great success.
Bagle.X is 7824 bytes, is packed with FSG and has an MD5 value of 0252d4a699c7de3a0d7cae1d50ef365c. Bagle.X drops a file named window.exe in the Windows System32 directory. Bagle.X also opens a backdoor on a random TCP port.
Bagle.X attempts to contact the following three websites:
- bohema.amillo.net
- abc517.net
- www.abc986.net
A computer infected by Bagle.X can serve as a mail relay. The port data, ID and process ID number for Bagle.X are stored under the following registry key:
HKCU\Software\Timer
The Trojan might have been spammed in e-mail messages that had the following text:
For more information please read attached document.
Thank you.
Lisa Marlow.
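A host-side check for the indicators listed above, added here as an example and not part of the iDefense alert. It scans a file inventory, a list of registry keys, a list of contacted hosts and captured mail bodies for the published Bagle.X indicators; the (path, size, md5) inventory format and the sample records are constructed for illustration.

```python
import hashlib

# Indicators copied from the alert text.
BAGLE_X_MD5 = "0252d4a699c7de3a0d7cae1d50ef365c"
BAGLE_X_SIZE = 7824                      # bytes, FSG-packed sample
BAGLE_X_DROPPED_NAME = "window.exe"      # dropped into Windows System32
BAGLE_X_REGISTRY_KEY = r"HKCU\Software\Timer"
BAGLE_X_CONTACT_HOSTS = {"bohema.amillo.net", "abc517.net", "www.abc986.net"}
BAGLE_X_LURE_TEXT = "for more information please read attached document"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a file's bytes, for building the (path, size, md5) inventory."""
    return hashlib.md5(data).hexdigest()


def check_host(files, registry_keys, contacted_hosts, mail_bodies):
    """Return human-readable findings; an empty list means no indicator matched.

    files: iterable of (path, size_in_bytes, md5_hex) records (constructed format).
    Registry keys and host names are compared case-insensitively, as Windows and DNS do.
    """
    findings = []
    for path, size, digest in files:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if digest.lower() == BAGLE_X_MD5:
            findings.append(f"file {path}: MD5 matches the Bagle.X sample")
        elif name == BAGLE_X_DROPPED_NAME and size == BAGLE_X_SIZE:
            findings.append(f"file {path}: name and size match the Bagle.X drop")
    for key in registry_keys:
        if key.lower() == BAGLE_X_REGISTRY_KEY.lower():
            findings.append(f"registry key {key}: Bagle.X port/ID storage")
    for host in contacted_hosts:
        if host.lower() in BAGLE_X_CONTACT_HOSTS:
            findings.append(f"outbound contact to {host}: Bagle.X check-in host")
    for body in mail_bodies:
        if BAGLE_X_LURE_TEXT in " ".join(body.lower().split()):
            findings.append("mail body matches the Bagle.X lure text")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: one record carries the alert's MD5, one is benign.
    sample_files = [(r"C:\Windows\System32\window.exe", 7824, BAGLE_X_MD5),
                    (r"C:\Windows\System32\notepad.exe", 69120, "00" * 16)]
    for line in check_host(sample_files, [r"HKCU\Software\Timer"],
                           ["abc517.net", "example.org"],
                           ["For more information please read attached document.\nThank you."]):
        print(line)
```

The hash and size match only this exact sample; the contacted hosts and the registry key survive repacking, so they are the more durable indicators across variants.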
This is yet another variant of the Bagle worm that is being seeded in the wild at this time. The seeding rate is consistent with previous Bagle versions that have witnessed great success after the initial seeding.
Detection: Remove all files and the Windows registry key modifications associated with this malicious code threat. Restore corrupted or damaged files with clean back-up copies. Use a firewall to monitor and manage all communications to ensure mitigation of all malicious code potentially installed by a remote attacker. Change all passwords, and harden the computer against attack. Validate functionality of all anti-virus and security-related software.
Workaround: Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use. Use a firewall to monitor and manage all communications.
Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically.
iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com.