Here's a recent one:
RAV Virus Alert
-----------------
VIRUS ALERT! Win32/Bagle.A@mm
January 19, 2004 - RAV AntiVirus Team is alerting all computer users
that a dangerous Internet worm, called Win32/Bagle.A@mm, is reported
to have a high infection level in the last 24 hours. This worm is
classified as "Potentially destructive" by RAV Team and its
spreading process has been carefully followed in the last 24 hours.
The signature of Win32/Bagle.A@mm is included in the database of RAV
Engine starting with January 18, 2004. All RAV AntiVirus products
using daily updates after this date are able to detect and clean the
worm.
A short description of the worm is available below.
1. Description
2. How to recognize the worm
3. How to disinfect your computer
4. Evilness
5. More info
1. Description
This is a new Internet worm reported in the wild. It arrives on a
system as a randomly named executable attachment of around 15 KB.
Bagle starts by checking if the current date is January 28, 2004 or
later. If so, it will attempt to delete itself using a temporary batch
file. This means that if the worm is executed on or after that
specific date, it will try to stop spreading.
If the registry key HKCU\Software\Windows98 exists, a randomly
generated 9 digit number will be stored for later use.
Then, an unnamed mutex will be created to avoid multiple instances of
the worm running at the same time. A copy of itself, named
bbeagle.exe, will be dropped inside the %SYSTEM% directory and a
registry value named "d3dupdate.exe" will be added under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, pointing to
bbeagle.exe; this way, the worm will be executed each time a user
logs on.
Another registry value, HKCU\Software\Windows98\Ffrun, will be set to
TRUE.
If the worm is not running from the %SYSTEM% directory and the
"-upd" parameter was not specified (when the attachment is
executed), the worm will spawn a copy of "calc.exe", most
likely to seem less suspicious.
Then, a backdoor component will be spawned on local port 6777 and the
author will be notified by posting data to the following remote web
sites (a remote script named 1.php will be invoked with parameters
containing information about the local IP and the local port used by
the backdoor, helping the author to track the infected computers and
connect to the backdoor).
For a complete description of the worm, please read http://www.ravantivirus.com/virus/showvirus.php?v=204
2. How to recognize the worm
It will arrive in your email in the following format:
From: might be spoofed
Subject: Hi
Body:
Test =)
[Random Characters][Random Characters]
--
Test, yep
3. How to disinfect your computer
a. click Start>Run and type "regedit";
b. browse to
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
and delete the following registry key:
"d3dupdate.exe" = "%system%\bbeagle.exe"
c. update your RAV AntiVirus software;
d. scan and delete all files reported by your RAV AntiVirus product
as infected with Win32/Bagle.A@mm.
e. restart your computer.
Note 1: Incorrect changes to the registry could result in permanent
data loss or corrupted files. We strongly recommend that you back up
your system registry before making any change.
Note 2: If you are using Windows Millennium Edition (ME) or Windows
XP, you should disable the System Restore feature before scanning the
system with RAV AntiVirus and re-enable it afterwards. Please contact
your system administrator for information on how to disable this
feature.
4. Evilness
Potentially destructive (corrupts data while replicating).
5. More info
The latest details about Win32/Bagle.A@mm and a complete description
can be found on our website:
http://www.ravantivirus.com/virus/showvirus.php?v=204
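The alert lists a handful of host-side indicators (the Run value "d3dupdate.exe" pointing at %SYSTEM%\bbeagle.exe, the HKCU\Software\Windows98 marker key, a backdoor listening on local TCP port 6777) and the shape of the lure mail in section 2. The script below, an added example and not RAV's code, turns those into offline triage checks a responder can run over artifacts already collected from a suspect machine: the text of a `reg export` of the two keys, `netstat -an` output, and a mail's subject, body and attachment list. Everything it assumes beyond the alert is labelled: the 10 to 20 KB attachment window is our reading of "around 15Kb", and the value name under the marker key in the sample export is made up because the alert only says a 9-digit number is stored there. All sample data is constructed.

```python
# Added example: offline triage for the Bagle.A indicators named in the
# RAV alert. Not RAV's code. Works on text a responder already has
# (reg export, netstat -an output, mail headers), so it runs anywhere.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
RUN_VALUE_NAME = "d3dupdate.exe"   # value name from section 1 of the alert
DROPPED_FILE = "bbeagle.exe"       # copy the worm drops in %SYSTEM%
BACKDOOR_PORT = 6777               # local port used by the backdoor
# The alert says "around 15Kb"; the 10..20 KB window is our assumption.
ATTACHMENT_SIZE_RANGE = (10_000, 20_000)


def parse_reg_export(text):
    """Parse regedit / `reg export` text into {key_path: {value_name: data}}.
    Handles "name"="string" and bare forms such as "name"=dword:00000001.
    A .reg file writes every backslash twice; we fold them back to one."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|(.+))$', line)
        if m and current is not None:
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][m.group(1)] = data.replace("\\\\", "\\")
    return keys


def check_autorun(keys):
    """Return (name, command) Run entries matching the alert's persistence."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            hits.append((name, data))
    return hits


def check_marker_key(keys):
    """Return the values under the worm's HKCU marker key, or None if absent."""
    return keys.get(MARKER_KEY)


def check_listeners(netstat_lines):
    """Return `netstat -an` lines showing a TCP listener on the backdoor port."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    hits = []
    for line in netstat_lines:
        m = pat.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append(line.strip())
    return hits


def looks_like_bagle_mail(subject, body, attachments):
    """Match the lure from section 2: subject "Hi", body starting "Test =)",
    plus a randomly named .exe attachment of roughly 15 KB.
    `attachments` is a list of (filename, size_in_bytes)."""
    if subject.strip() != "Hi" or not body.lstrip().startswith("Test =)"):
        return False
    lo, hi = ATTACHMENT_SIZE_RANGE
    return any(name.lower().endswith(".exe") and lo <= size <= hi
               for name, size in attachments)


def triage(reg_text, netstat_lines):
    """Run all host checks and collect the findings in one dict."""
    keys = parse_reg_export(reg_text)
    return {
        "autorun": check_autorun(keys),
        "marker_key": check_marker_key(keys),
        "listeners": check_listeners(netstat_lines),
    }


# --- constructed sample input: an infected host as the alert describes it ---
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"d3dupdate.exe"="C:\\WINDOWS\\system32\\bbeagle.exe"

[HKEY_CURRENT_USER\Software\Windows98]
"id"="123456789"
"""
# "id" above is a made-up value name; the alert only says a 9-digit number is stored.

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      198.51.100.7:80        ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    for what, found in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(f"{what}: {found}")
    print("lure mail:", looks_like_bagle_mail(
        "Hi", "Test =)\nqw8zk\n--\nTest, yep", [("xk3f.exe", 15360)]))
```

The checks are deliberately independent: a host that has been partly cleaned (Run value removed, file still present, or the reverse) still shows up on the remaining indicators, and the mail matcher can be dropped into a gateway filter on its own.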