New Worm – Bagle.AM Menaces the Internet

We have received several reports of incidents caused by this new virus. The first variant of the Bagle worm appeared 7 months ago. Panda's new TruPrevent Technologies, "The most intelligent technologies to combat unknown viruses and intruders", have also detected and blocked Bagle.AM without prior knowledge of it.
Bagle.AM spreads via e-mail, sending a ZIP file that contains a hidden EXE file and an HTML file with the same name.

It tries to download a fake JPG file from several Internet addresses. In fact, this file is another EXE containing the rest of the Bagle.AM worm; once executed, the new worm sends itself out via e-mail.

In the last few hours a new virus has appeared: Bagle.AM, also known as Bagle.AQ and Bagle.AC. Belonging to the Bagle family, which first appeared in January this year, this new variant has begun to spread and to infect several users. Due to the high number of incidents, Panda Software has declared an Orange Alert level for this new threat.

Panda Software's customers who already have the new TruPrevent Technologies have been protected preventively, as these technologies were able to detect and block the new virus without knowing it beforehand (more information about the new TruPrevent Technologies is available at www.pandasoftware.com/truprevent).

Luis Corrons, PandaLabs Director, says: "Bagle.AM follows a large family of worms which began 7 months ago. It also uses social engineering, as it tries to deceive users by sending a file whose content refers to prices or passwords. It combines different infection methods. The number of incidents can grow in the following hours, and this situation is more dangerous as there are a large number of users in different countries with free time to enjoy the Internet".

Bagle.AM spreads via e-mail, sending a ZIP file 6 Kbytes in size that contains a hidden EXE file and an HTML file with the same name. If the user opens the HTML file, it launches the EXE file.

This EXE file copies itself onto the system and creates the following registry entries (Run keys, so that the worm is started every time Windows starts):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run win_upd2.exe = %systemdir%\WINdirect.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run win_upd2.exe = %systemdir%\WINdirect.exe
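As an added illustration for defenders (not part of Panda's advisory or of any Panda product), the following Python script parses a Windows registry export and flags Run entries matching the indicators listed above (value name win_upd2.exe, target file WINdirect.exe). The .reg text is a constructed sample; in practice the input would come from a `reg export` of the two Run keys.

```python
import re
from typing import List, Tuple

# Indicators quoted from the advisory above: the Run value name and the dropped file.
RUN_VALUE_NAME = "win_upd2.exe"
DROPPED_EXE = "WINdirect.exe"
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample of a `reg export` file; the WINdirect.exe entries mirror the advisory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Example\\Agent.exe"
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"
"""

def normalise_key(key: str) -> str:
    """Map the long hive name to the HKLM/HKCU form used in the advisory, lower-cased."""
    hive, sep, rest = key.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest).lower()

def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse a .reg export into (key, value_name, data) tuples; named REG_SZ values only."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        # "name"="data"; backslashes and quotes inside data are escaped with a backslash
        m = re.match(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key is not None:
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
            entries.append((key, m.group(1), data))
    return entries

def find_bagle_am_persistence(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return Run-key entries whose value name or target file match Bagle.AM's indicators."""
    hits = []
    for key, name, data in entries:
        if normalise_key(key) not in RUN_KEYS:
            continue  # only the two Run keys named in the advisory are of interest
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith(DROPPED_EXE.lower()):
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_bagle_am_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious Run entry: {key}\\{name} = {data}")
```

A match only shows the persistence entry; the dropped files in %systemdir% still need to be removed with an updated antivirus as the advisory recommends.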

Bagle.AM also creates and executes an 11,776-byte DLL library as %systemdir%\_dll.exe, which terminates every process with one of the following names (mostly antivirus, firewall and update programs, so that the infected system stays unprotected):

FIREWALL.EXE
ATUPDATER.EXE
winxp.exe
sys_xp.exe
sysxp.exe
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE

In addition, it will try to download a fake JPG file from several URLs. This file is actually another EXE containing the rest of the Bagle.AM worm, which, once executed, will spread via e-mail.

To prevent incidents involving Bagle.AM, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.
