New Bagle worm likes p2p
p2pnet.net News:- Finland’s F-Secure has upgraded the Bagle.AY worm, which has a marked taste for p2p, to Level 2.
Two variants showed up on Wednesday and yesterday. The worm is polymorphic and arrives in emails with varying subjects and attachment names, says F-Secure.
The worm contains a backdoor that listens on TCP port 81. It is launched when an unsuspecting user opens an infected file attached to an e-mail message, or one found in a shared folder on a p2p network.
If it finds a folder whose name contains the substring ’shar’, Bagle.AY copies itself there under these names:
- 1.exe
- 2.exe
- 3.exe
- 4.exe
- 5.exe
- 6.exe
- 7.exe
- 8.exe
- 9.exe
- 10.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
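The folder-targeting rule above (any folder whose name contains "shar") and the fixed list of drop names are enough for a quick sweep of a machine or file share. The following is an added example, not code from p2pnet or F-Secure: it walks a directory tree, applies the same case-insensitive "shar" test the article describes, and reports any file whose name matches the list. The sample tree it builds is constructed here for illustration (placeholder bytes, not real malware); the function names are this example's own.

```python
import os
import tempfile
from pathlib import Path

# Drop names reported in the F-Secure description quoted above.
# "Windown" is the worm's own spelling, so it is kept verbatim.
BAGLE_AY_DROP_NAMES = {
    *[f"{i}.exe" for i in range(1, 11)],
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
}


def is_share_folder(folder):
    """Mirror the worm's targeting rule: folder name contains 'shar' (case-insensitive)."""
    return "shar" in Path(folder).name.lower()


def scan_for_bagle_ay_drops(root):
    """Return root-relative paths of files in 'shar' folders whose names match the drop list."""
    root = Path(root)
    wanted = {name.lower() for name in BAGLE_AY_DROP_NAMES}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if not is_share_folder(folder):
            continue  # the worm only drops into folders matching 'shar'
        for fname in filenames:
            if fname.lower() in wanted:
                hits.append((folder / fname).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree (assumption for this example): decoys plus a few drop names."""
    base = Path(base) / "sample"
    files = [
        "Shared Folder/Opera 8 New!.exe",   # matches: 'shar' folder + drop name
        "Shared Folder/readme.txt",         # no: not a drop name
        "Downloads/1.exe",                  # no: folder lacks 'shar'
        "music_share/5.exe",                # matches
        "music_share/WinAmp 6 New!.exe",    # matches
    ]
    for rel in files:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder bytes, not an executable")
    return base


def demo():
    """Build the sample tree in a temp dir and scan it; returns the sorted hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_bagle_ay_drops(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print("suspect:", hit)
```

A name-based sweep like this only catches what this variant is known to drop; a later variant with a different list, or a user who renamed the file, slips past it, so treat a hit as a prompt to hash the file and check it against your AV vendor's signatures rather than as proof either way. On a Windows host the article's other indicator, a process listening on TCP port 81, can be checked with `netstat -ano | findstr :81`.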
Bagle.AY arrives in email as a packed executable. It can also spread with a Windows Control Panel Applet (CPL) stub prepended to it.
The backdoor is password-protected, so that only the author can connect to the computer and execute arbitrary programs, and, “Infected computers are reported to the worm’s author by accessing several predefined URLs,” says F-Secure.
Bagle.AY also tries to download a file from a list of predefined URLs, saving it as %SystemDir%\re_file.exe and executing it, says F-Secure, which also lists 63 security and antivirus software processes, as well as several other applications, that Bagle.AY terminates.
The worm, scheduled to ‘die’ on April 25, 2006, uses several different icons, such as a wedge of cheese, for the attachments it sends.
Something you think we should know about? tips[at]p2pnet.net
===================
See:-
taste for p2p – F-Secure Virus Descriptions : Bagle.AY, F-Secure, January 27, 2005
January 29th, 2005 at 6:04 am
Wonder if the major labels are behind this????????
January 31st, 2005 at 5:29 am
No, it’s obviously the software industry! I mean look at the file names. lol