Severity: Medium
New Win32.Bagle Worm Variants
Overview: In recent days, several new variants of the Bagle worm have been spreading over the Internet. Users should be aware of these new variants and take appropriate steps to protect their systems. Zone Labs commercial firewall products protect against this attack.
Date Published: January 19, 2004
Last Update: July 21, 2004
Impact: Unprotected users may become infected and propagate this worm to their friends and colleagues. Infected systems could possibly have a Trojan horse program installed, potentially leading to the compromise of data or allowing an attacker to impersonate the user of the infected system.
Description: Win32.Bagle is a worm that is usually received as an email attachment with an extension of .exe, .scr, .com, .zip, .vbs, .hta, or .cpl. When a user executes the attachment, the worm installs itself on the system as "loader_name.exe," "sysxp.exe," "sys_xp.exe," or "winxp.exe," depending on the variant. It then configures the system so that the worm is executed at system boot-up. To propagate, Bagle searches files for email addresses and sends itself to those addresses; it also copies itself to peer-to-peer file-sharing directories. Bagle also has backdoor functionality and will accept incoming connections on port 1234 or 1080, depending on the variant.
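Added example (not Zone Labs code, and not a description of how MailSafe works): a Python check a mail administrator could use to flag attachments carrying one of the extensions listed in the Description. The function name risky_attachments and the sample message are constructed for illustration.

```python
from email import message_from_string, policy

# Attachment extensions listed in the advisory's Description.
BAGLE_EXTENSIONS = {".exe", ".scr", ".com", ".zip", ".vbs", ".hta", ".cpl"}

def risky_attachments(raw_message):
    """Return attachment filenames whose final extension is on the list.

    Matching is case-insensitive, uses only the last extension (so
    "Photo.JPG.SCR" is caught) and ignores trailing dots and spaces.
    Parts that carry a name only in Content-Type are checked as well.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # falls back to Content-Type "name"
        if not name:
            continue
        cleaned = name.rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in BAGLE_EXTENSIONS:
            hits.append(name)
    return hits

# Constructed sample message (not taken from a real Bagle e-mail).
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Photo.JPG.SCR"

AAAA
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

plain
--BOUND
Content-Type: application/octet-stream; name="price.zip"

AAAA
--BOUND--
"""

print(risky_attachments(SAMPLE))
```

Because .zip is on the list, this check also flags legitimate archives, so it is better suited to quarantine-and-review than to silent deletion.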
Zone Labs Products
ZoneAlarm® security products
ZoneAlarm Pro, ZoneAlarm® Plus, ZoneAlarm® Antivirus, and ZoneAlarm® Internet Security Suite version 3.0 or later with Inbound MailSafe Protection enabled will protect systems from receiving the Bagle worm from POP3 or IMAP mail servers. Additionally, Outbound MailSafe Protection as well as Program Control will prevent the worm from propagating or connecting to other systems.
ZoneAlarm Antivirus and ZoneAlarm Internet Security Suite users are protected from the latest Bagle variants with On-Access Antivirus Scanning enabled.
Because new Bagle variants are polymorphic, administrators of Integrity 4.5 and earlier should configure the default policy to "disallow" to block this threat.
Related Resources:
- Zone Labs Virus Information Center – Win32.Bagle.AC
- Zone Labs Virus Information Center – Win32.Bagle.AE
Contact: Zone Labs customers who are concerned about these vulnerabilities or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp. To report security issues with Zone Labs products contact security@zonelabs.com.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Copyright: ©2004 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs LLC. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.
