Friday, 05 August 2005
Malware type: Worm
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via email, Propagates via network shares
Description:
This BAGLE variant arrives on a system as a dropped file of TROJ_DROPPER.IT. It spreads by sending an email message that appears as follows:

The URLs belong to an online greeting cards/postcards company and are legitimate. However, once affected users click any of the URLs in the said email, they are immediately redirected to a spoofed Web site that contains the aforementioned Trojan.
As of this writing, the spoofed URLs are inaccessible.
Apart from the email propagation described, this worm also attempts to propagate via network shares by dropping copies of itself in folders that contain the string "shar" in their names. It assumes that these folders are shared in local networks or in peer-to-peer networks.
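One way to hunt for the network-share behaviour described above, as an added example that is not part of the original advisory: the script looks only at folders whose names contain "shar" and reports executables (files starting with the MZ magic) whose identical content appears in two or more such folders. The duplicate-content heuristic, the function names and the sample tree are assumptions made for illustration; the advisory does not list the file names the worm uses.

```python
import hashlib
import os
import tempfile


def sha256_if_pe(path):
    """Return the SHA-256 of `path` if it starts with the 'MZ' magic, else None."""
    try:
        with open(path, "rb") as fh:
            if fh.read(2) != b"MZ":
                return None
            digest = hashlib.sha256(b"MZ")
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
            return digest.hexdigest()
    except OSError:
        return None  # locked or unreadable: skip rather than abort the sweep


def find_share_folder_duplicates(root, needle="shar"):
    """Map sha256 -> paths of identical executables seen in 2+ `needle` folders."""
    by_hash = {}
    for dirpath, _dirs, files in os.walk(root):
        if needle not in os.path.basename(dirpath).lower():
            continue  # the advisory's trigger: folder name contains "shar"
        for path in (os.path.join(dirpath, n) for n in files):
            digest = sha256_if_pe(path)
            if digest:
                by_hash.setdefault(digest, []).append(path)
    return {h: sorted(p) for h, p in by_hash.items()
            if len({os.path.dirname(x) for x in p}) >= 2}


def build_sample_tree(root):
    """Constructed sample data: harmless stub bytes, not real malware."""
    stub = b"MZ" + b"\x90" * 64
    layout = {"Shared/setup.exe": stub, "My Shared Folder/game.exe": stub,
              "My Shared Folder/tool.exe": b"MZ" + b"\x00" * 64,
              "docs/copy.exe": stub, "Shared/readme.txt": b"hello"}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_share_folder_duplicates(tmp))
```

A hit is a lead for triage, not a verdict: legitimate installers are sometimes mirrored across shared folders, so confirm any flagged file with an up-to-date scanner.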
Like earlier BAGLE variants, this worm also tries to remove instances of NETSKY worms from the infected system. It does this by creating mutexes that are associated with earlier NETSKY variants.
(Note: Mutexes are exclusion objects that prevent processes from sharing the same resources. This worm uses the mutexes to prevent the NETSKY variants from running on infected systems.)