Bagle.bb prevention and cure
By Robert Vamosi
This version appears as an e-mail message with a smiley face : ))
(October 29, 2004)
More of an irritant than a real threat, another variation of the Bagle virus is loose. Bagle.bb (w32.bagle.bb@mm, also known as Bagle.q (Norman, Computer Associates), Bagle.at (F-Secure, Trend Micro), Bagle.au (Sophos), and Bagle.av (Symantec)) harvests e-mail addresses from infected computers, terminates the processes of security applications, and deletes registry entries associated with security applications and other worms. Bagle.bb opens a backdoor on port 81 on infected machines to allow remote access. The Bagle virus infects only Windows machines; users of Linux, Mac OS, and Unix are not affected. Because Bagle.bb spreads via e-mail and shared network files, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
Bagle.bb arrives as e-mail with a subject line of Re:, Hello, Thank You, Thanks : ), or Hi and a body that contains no text but a smiley face: : )). The attached file may be called Price or Joke with an extension of .com, .exe, .scr, or .cpl. The virus can also spread via shared network files.
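The lure described above is regular enough to be matched at a mail gateway. The following is an added example, not code from the article or from any antivirus vendor: it parses a message, checks the subject line, the smiley-only body and the attachment name/extension against the indicators quoted in the article, and only quarantines when the executable attachment is corroborated by at least one other indicator. The sample messages are constructed inline, and the function names (classify_message, build_sample) are mine.

```python
"""Mail-gateway heuristic for the Bagle.bb lure described in the article.

Added example (not from the article or any vendor). Sample messages are
constructed inline; classify_message and build_sample are my own names.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators quoted from the article: subject lines, the smiley-only body,
# and the attachment name/extension combinations.
LURE_SUBJECTS = {"re:", "hello", "thank you", "thanks : )", "hi"}
LURE_BODIES = {": ))", ":))"}
LURE_NAMES = {"price", "joke"}
LURE_EXTS = {".com", ".exe", ".scr", ".cpl"}


def classify_message(raw: bytes) -> dict:
    """Return {'quarantine': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body in LURE_BODIES:
        reasons.append("body is only a smiley")

    lure_attachment = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if stem in LURE_NAMES and ext in LURE_EXTS:
            reasons.append(f"lure attachment {name!r}")
            lure_attachment = True

    # Subjects such as "Hi" are common in legitimate mail, so the executable
    # attachment is required and at least one other indicator must agree.
    quarantine = lure_attachment and len(reasons) >= 2
    return {"quarantine": quarantine, "reasons": reasons}


def build_sample(subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message (sample data, not a real Bagle sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed lure that matches the article's description exactly.
LURE_SAMPLE = build_sample("Thanks : )", ": ))", "Price.exe", b"MZ-not-really")
# Constructed benign message: friendly subject, real body, harmless attachment.
BENIGN_SAMPLE = build_sample("Hi", "Hi Bob, the Q3 figures are attached.",
                             "figures.pdf", b"%PDF-1.4 ...")

if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify_message(raw))
```

Whether an executable attachment should be blocked on its own, regardless of the lure wording, is a separate gateway policy decision; the example deliberately scores only the pattern the article describes.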
If the attached file is opened, Bagle.bb adds the file Wingo.exe to the Windows System folder and may also make multiple copies of itself, appending the word open to each new copy: Wingo.exeopen, Wingo.exeopenopen.
The following registry keys are also added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE
HKEY_CURRENT_USER\Software\Params
Bagle.bb opens port 81 to listen for remote commands from the virus author.
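The file, registry and port artefacts above can be checked on a suspect host from ordinary administrative output. The following is an added example, not code from the article or from any antivirus vendor: it runs the checks over constructed snapshots of a System32 directory listing, `reg query` output and `netstat -an` output. The function names (triage and its helpers) and the sample snapshots are mine; the indicators themselves are the ones the article lists.

```python
"""Host-side triage for the Bagle.bb artefacts listed in the article.

Added example (not from the article or any antivirus vendor). The
snapshots below are constructed sample data; triage and the helper
names are my own.
"""
import re

# Wingo.exe plus zero or more trailing "open" suffixes (Wingo.exeopen, ...).
WINGO_RE = re.compile(r"^wingo\.exe(open)*$", re.IGNORECASE)
PARAMS_KEY = r"hkey_current_user\software\params"


def find_wingo_files(filenames):
    """Return directory entries that look like Wingo.exe or its 'open' copies."""
    return [f for f in filenames if WINGO_RE.match(f.strip())]


def find_run_value(reg_lines):
    """Return Run values named 'wingo' or whose data launches wingo.exe."""
    hits = []
    for line in reg_lines:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 3:
            continue  # key headers and blank lines have no name/type/data
        name, _type, data = fields
        if name.lower() == "wingo" or data.lower().endswith("wingo.exe"):
            hits.append((name, data))
    return hits


def has_params_key(reg_lines):
    """True if HKEY_CURRENT_USER\\Software\\Params appears in the key listing."""
    return any(line.strip().lower() == PARAMS_KEY for line in reg_lines)


def find_port81_listener(netstat_lines):
    """Return local endpoints listening on TCP port 81 (netstat -an format)."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) == 4 and fields[0].upper() == "TCP" and fields[3] == "LISTENING":
            local = fields[1]
            if local.rsplit(":", 1)[-1] == "81":
                hits.append(local)
    return hits


def triage(filenames, reg_lines, netstat_lines):
    """Combine the checks. A port-81 listener alone is weak evidence, since
    legitimate web servers also use that port, so it only corroborates."""
    findings = {
        "wingo_files": find_wingo_files(filenames),
        "run_values": find_run_value(reg_lines),
        "params_key": has_params_key(reg_lines),
        "port81": find_port81_listener(netstat_lines),
    }
    strong = bool(findings["wingo_files"] or findings["run_values"] or findings["params_key"])
    findings["infected"] = strong
    findings["corroborated"] = strong and bool(findings["port81"])
    return findings


# Constructed snapshots of an infected host (sample data, not real output).
SYSTEM32_FILES = ["kernel32.dll", "Wingo.exe", "Wingo.exeopen",
                  "Wingo.exeopenopen", "notepad.exe"]
REG_QUERY_OUTPUT = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "    ctfmon.exe    REG_SZ    C:\\WINNT\\SYSTEM32\\ctfmon.exe",
    "    wingo    REG_SZ    C:\\WINNT\\SYSTEM32\\WINGO.EXE",
    "",
    r"HKEY_CURRENT_USER\Software",
    r"HKEY_CURRENT_USER\Software\Params",
]
NETSTAT_OUTPUT = [
    "  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  UDP    0.0.0.0:137            *:*",
]

if __name__ == "__main__":
    for key, value in triage(SYSTEM32_FILES, REG_QUERY_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{key}: {value}")
```

On a live host the three lists would come from `dir %SystemRoot%\system32`, `reg query ... /s` and `netstat -an`; the parsing here assumes the whitespace layout those commands produce.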
Prevention
Variations of the Bagle worm do not rely on a specific Microsoft vulnerability but on simple social engineering. Remember never to open attached e-mail files without first saving them to the hard drive and scanning them for known viruses. The latest signature file from your antivirus vendor should protect you against these Bagle variations. Additionally, the use of a personal firewall will prevent the backdoor Trojan horse from communicating with the virus author.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
Towards strengthening the 'Aqeedah of Tauhid...
http://www30.brinkster.com/meowhidayah/
P.S.: if it won't open, refresh several times...