McAfee today announced that the company’s Antivirus and Vulnerability Emergency Response Team (Avert) raised the risk assessment to medium on the recently discovered W32/Bagle.aq@MM, also known as the Bagle.aq worm.
This new variant is a mass-mailing worm that arrives as a .zip file. Since its discovery, Avert has received more than 150 reports of the virus from the field, either stopped or infecting users, with most of the reports arriving from Brazil, Canada, France, the Netherlands, Taiwan and the United States.
Threat Overview
Bagle.aq is a mass-mailing threat that contains its own mail engine to construct outgoing e-mail messages. It harvests addresses from local files and then uses the harvested addresses in the “From” field to send itself.
This produces a message with a spoofed From address. The worm also contains a remote access component and copies itself to folders that have the phrase “shar” in the name, such as the shared directories used by common peer-to-peer applications, including KaZaa, Bearshare and Limewire.
The worm sends out a .zip file that contains an HTML and .exe file. The HTML file contains exploit code that, on vulnerable systems, will automatically run the .exe file, which is a downloader Trojan.
Threat Pathology
The downloader Trojan then contacts a large number of remote Web sites to retrieve the virus itself. There are indications in the file that it might also try to password-protect some .zip files.
When the .exe file is run — either manually or automatically by the HTML file — it will copy itself to the Windows System directory as windirect.exe.
Once the virus executable is downloaded and run by the downloader Trojan, the virus copies itself into the Windows System directory as windll.exe.
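The overview and pathology sections above give a defender three concrete things to look for: a mailed .zip that pairs an HTML file with an .exe, the drop names windirect.exe and windll.exe in the Windows System directory, and executables placed in folders whose name contains “shar”. The following triage script is an added example, not McAfee's or Avert's own tooling; the in-memory sample archive and file paths are constructed, and treating both System and System32 as the “Windows System directory” is an assumption.

```python
import io
import zipfile

# Drop names the advisory attributes to the two stages of Bagle.aq.
BAGLE_AQ_FILENAMES = {"windirect.exe", "windll.exe"}
# Assumption: the "Windows System directory" is System (Win9x) or System32 (NT).
SYSTEM_DIR_NAMES = {"system", "system32"}
HTML_EXTS = (".htm", ".html")


def zip_matches_bagle_pattern(zip_bytes: bytes) -> bool:
    """True if the archive pairs an HTML file with an executable, which is
    the structure the advisory describes for the mailed .zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False  # not a zip at all; leave it to other checks
    has_html = any(n.endswith(HTML_EXTS) for n in names)
    has_exe = any(n.endswith(".exe") for n in names)
    return has_html and has_exe


def suspicious_paths(paths):
    """Return the paths that match the file-system indicators in the text:
    a known drop name inside the System directory, or an .exe placed in a
    folder whose name contains 'shar' (a heuristic that needs review)."""
    hits = []
    for p in paths:
        parts = p.lower().replace("\\", "/").split("/")
        name, dirs = parts[-1], parts[:-1]
        in_system_dir = any(d in SYSTEM_DIR_NAMES for d in dirs)
        if name in BAGLE_AQ_FILENAMES and in_system_dir:
            hits.append(p)
        elif name.endswith(".exe") and any("shar" in d for d in dirs):
            hits.append(p)
    return hits


def build_sample_zip(entries):
    """Constructed sample: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"price.html": b"<html></html>", "price.exe": b"MZ"})
    print(zip_matches_bagle_pattern(sample))  # True
    print(suspicious_paths([r"C:\WINDOWS\System32\windirect.exe",
                            r"C:\Program Files\KaZaA\My Shared Folder\setup.exe"]))
```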