Analysis: There is an apparent seeding of a new Bagle worm variant, Bagle.X, currently in progress. While this seeding appears to be progressing at a slow rate, previous versions of the Bagle worms have been seeded in a similar manner and have witnessed great success.
Bagle.X is 7824 bytes, is packed with FSG and has an MD5 value of 0252d4a699c7de3a0d7cae1d50ef365c. Bagle.X drops a file named window.exe in the Windows System32 directory. Bagle.X also opens a backdoor on a random TCP port.
Bagle.X attempts to contact the following three websites:
A computer infected by Bagle.X can serve as a mail relay. Port data, ID and process ID number for Bagle.X is stored under the following registry key:
The Trojan might have been spammed in e-mail messages that had the following text:
For more information please read attached document.
This is yet another variant of the Bagle worm that is being seeded in the wild at this time. The seeding rate is consistent with previous Bagle versions that have witnessed great success after the intial seeding.
Detection: Remove all files and the Windows registry key modifications associated with this malicious code threat. Restore corrupted or damaged files with clean back-up copies. Use a firewall to monitor and manage all communications to ensure mitigation of all malicious code potentially installed by a remote attacker. Change all passwords, and harden the computer against attack. Validate functionality of all anti-virus and security-related software.
Workaround: Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use. Use a firewall to monitor and manage all communications.
Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically.
iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com