AV-disabling Bagle variant may take off
A new variant of the Bagle worm that turns off antivirus and personal firewalls is likely to spread rapidly, warn antivirus experts. Organizations blocking the .exe, .scr, .com and .cpl extensions significantly reduce their risk of infection to this worm, as well as many others. W32/Bagle-AS@mm spreads via e-mail and peer-to-peer networks, and has a spoofed address and variable subject lines. The worm is also called Bagle-AZ (McAfee), Beagle-AR [sic] (Symantec), Worm_Bagle-AM (Trend Micro)
“Similar to previous variants, it harvests addresses from local files and then uses the harvested addresses in the from field to send itself. It contains a remote access component and copies itself to folders that have the phrase ‘shar’ in the name, such as common peer-to-peer applications, including KaZaA, Bearshare and Limewire,” according to the McAfee advisory. The advisory also said that when the .exe file is run, the worm copies itself into the Windows System directory as Bawindo.exe.”
No comments:
Post a Comment