NUEVO VIRUS BAGLE.X!PROXY CONTROLADO POR MCAFEE DATS 4349

Cerrado
Avatar de Usuario
msc hotline sat
Mensajes: 93500
Registrado: 09 Mar 2004, 20:39
Ubicación: BARCELONA (ESPAÑA)
Contactar:

NUEVO VIRUS BAGLE.X!PROXY CONTROLADO POR MCAFEE DATS 4349

Mensaje por msc hotline sat » 07 Abr 2004, 18:38

Un nuevo virus acaba de ser notificado por McAfee como BAGLE.X!PROXY, y se controlará desde DATS 4349 de mañana :



Trojan Name Risk Assessment

W32/Bagle.x!proxy Corporate User : Low

Home User : Low







Trojan Information

Discovery Date: 04/08/2004

Origin: Unknown

Length: 7,824 bytes (FSG packed)

Type: Trojan

SubType: Win32

Minimum DAT:

Release Date: 4349

04/07/2004

Minimum Engine: 4.2.40

Description Added: 04/07/2004

Description Modified: 04/07/2004 8:46 AM (PT)

Description Menu

Trojan Characteristics

Symptoms

Method Of Infection

Removal Instructions

Variants / Aliases

Rate This page

Print This Page

Email This Page

Legend







Trojan Characteristics:

This detection is for a new variant of W32/Bagle. Unlike the majority of its predecessors, this variant does not mass-mail itself. It simply serves as a proxy trojan on the victim machine (akin to W32/Bagle.l!proxy ).



When run on the victim machine, it installs itself as WINDOW.EXE in the Windows system directory:



%SysDir%\WINDOW.EXE

The following Registry key is added to hook system startup:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

\Run "window.exe" = %SysDir%\WINDOW.EXE

A HTTP request is sent to one of a few servers to notify the hacker of its installation. The port number and id number are passed to a remote script. Users should block HTTP access to the following domains:



http://(remove this)bohema.amillo.net

http://(remove this)abc517.net

http://(remove this)www.abc986.net

A port is opened on the victim machine, and the malware serves as a mail relay.



Various data (port, id, and process id number) is stored within the following Registry key, which is added:



HKEY_CURRENT_USER\Software\Timeout

This variant does not terminate the processes related to security products on the victim machine.



Top of Page



Symptoms

Unexpected port (TCP) open on the victim machine (eg. 14247)

Existence of the files and Registry keys detailed above



Top of Page



Method Of Infection

This variant serves as a proxy trojan on the victim machine. Once running it could be used as a mail relay.



Top of Page



Removal Instructions

All Users:

Use specified engine and DAT files for detection.



Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.



__________________________________________



http://vil.nai.com/vil/content/v_101166.htm



Actualizarse siempre con las últimas versiones y mucho cuidado!!!



saludos



ms, 07-04-2004

Cerrado

Volver a “ALERTAS VIRICAS y utilidades de eliminacion”