Bagle worm mutates

We begin this report with variants C, D, E, F, G, H, I, J and K of the Bagle worm which have emerged recently. All of these variants are very similar to the original worm; the only differences being the size of the file carrying the virus or the date on which they are programmed to automatically run.

The new Bagle variants spread effectively through P2P file sharing programs and via e-mail in messages with variable characteristics. Similarly, they open a backdoor through TCP port 2745.

However, it is important to highlight that some of these new Bagle variants can reach computers in a password-protected ZIP file. As these files are encrypted, antivirus programs cannot scan their content to check if they contain malware before they are decompressed, which could give users a false sense of security. In order to resolve this, Panda Software has incorporated a specific detection routine for these types of files in its antivirus protection, and therefore, its clients are protected.

Another family of worms that has wreaked havoc this week is Netsky, whose variants D, E, F, G and H have been detected this week. In fact, Netsky.D is the malicious code that has caused the most incidents worldwide this week and over the last few days, it has held on to pole position in the ranking of the viruses most frequently detected by Panda ActiveScan.

All these worms are very similar; the main differences being the date they are designed to emit a strange sound through the internal speakers and the format in which they are packed.

These worms have the capacity to spread rapidly via e-mail in messages with variable characteristics. They also spread very effectively by opening several execution threads in order to send themselves out. Netsky.D, for example, can open up to eight different processes.

The third contender in this cyber war is the Mydoom family, whose variants G and H have also been detected this week, by PandaLabs. These two variants are very similar, as they both spread by sending themselves out via e-mail and have been programmed to launch a denial of service attack against the website of an antivirus manufacturer.

We conclude this weeks report with Nachi.E. This new variant of the worm can spread directly via the Internet and exploits known vulnerabilities, such as the Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun.

Nachi.E is also capable of uninstalling the Mydoom.A, Mydoom.B, Doomjuice.A and Doomjuice.B worms, by ending their processes and deleting their files.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.co.uk
Additional information
Vulnerability: Flaws or security holes in a program or IT system, and often used by viruses as a means of infection.

Encryption/Self-encryption: This is a technique used by some viruses to disguise themselves and therefore avoid detection by antivirus applications.

About Panda Software's Virus Laboratory

On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analysed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.