W32/Bagle.c@MM is a Medium Risk mass-mailing worm with a potentially dangerous remote access component that may open a backdoor on an infected computer to hackers. Unlike variant W32/Bagle.b@MM, W32/Bagle.c@MM arrives as a .ZIP attachment.
When run, the virus emails itself to addresses it steals from the infected computer, spoofing the "From:" field with one of the harvested addresses. The virus does not mass-mail itself to addresses that contain @avp., @hotmail.com, @microsoft, @msn.com, local, noreply, postmaster@, or root@.
NOTE: W32/Bagle.c@MM contains a remote access component that attempts to notify the hacker that the infected system is ready to accept commands. The functionality this backdoor provides to the hacker is currently under investigation.
Like its predecessors, this worm checks the system date. If it is March 14, 2004 or later, the worm simply exits and does not propagate. The virus also attempts to terminate the processes of several security programs.
Caution: An infected email can come from addresses you recognize.
What to look for:
From: Varies. Address may be forged.
Subject: Varies.
Body: Message body is empty.
Attachment: Randomly named binary within a .ZIP file (~16KB).
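The indicators listed above can be turned into a mail-gateway heuristic. The following is an added example, not part of the original advisory: it flags a message with an empty body and a single ZIP attachment that holds one Windows executable. The function names, the 12-20 KB size window applied to the ZIP, and reading "binary" as a file starting with the MZ executable magic are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed tolerance around the advisory's "~16KB" figure, applied to the ZIP.
SIZE_RANGE = (12 * 1024, 20 * 1024)

def matches_advisory(raw: bytes) -> bool:
    """True if the message has an empty body and one ~16KB ZIP holding one PE file."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and body.get_content().strip():
        return False                       # advisory: message body is empty
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1:
        return False
    name = attachments[0].get_filename() or ""
    data = attachments[0].get_payload(decode=True) or b""
    if not name.lower().endswith(".zip"):
        return False
    if not SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1]:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
            if len(members) != 1:
                return False
            with zf.open(members[0]) as fh:
                return fh.read(2) == b"MZ"  # DOS/PE executable magic bytes
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False                       # corrupt or encrypted archive: no match

def build_sample(body: str, member: str, content: bytes) -> bytes:
    """Constructed test message with harmless filler bytes; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "hi"
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="attach.zip")
    return msg.as_bytes()
```

Because the sender and subject vary, the check relies only on the body and attachment traits; treat a match as a reason to quarantine for scanning, not as a definitive identification.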