The AY, AW and AV variants of Bagle have been sent on a massive scale, via email, in a message with the subject: ‘foto’ and included in a zip file called either FOTO.ZIP or FOTO1.ZIP. This file contains an HTML file, along with a hidden EXE. When users open the HTML file, the EXE file is also executed.
Bagle.AY, Bagle.AW and Bagle.AV carry out a series of actions on the computers they infect including:
– Terminating processes if they are active in memory. The processes they terminate include those related to antivirus programs, preventing these applications from protecting against new viruses.
– They try to download a false JPG file from various websites, which is actually an executable (EXE) file. Once it is downloaded, these three variants of Bagle begin to spread.
CodeBase.gen on the other hand is a code included in the body of an email message or web page with the aim of exploiting the following security problems:
– Browser Cache Script Execution in My Computer Zone and Object Tag, detected in version 4.0 or later of Internet Explorer, and which also affects applications that use this browser (such as Outlook and Outlook Express). Both security problems could allow an attacker to run arbitrary code without permission when the user visits a malicious web page or opens a specially crafted HTML mail.
– Critical vulnerability in versions 5.04 and earlier of the Winamp multimedia player, which allows code to be run when a skin file is installed