Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Virus Alert: Network Associates McAfee AVERT Raises Risk Assessment to Medium on New W32/Bagle.b@MM Virus

  • 18 February, 2004 09:26

McAfee AVERT Raises W32/Bagle.b@MM to Medium Based on Increased Prevalence

SYDNEY, Feb. 18, 2004 - Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus research division of Network Associates, raised the risk assessment to Medium on the recently discovered W32/Bagle.b@MM, also known as Bagle.b. Bagle.b is a worm with a remote access component. It was first seen by AVERT researchers earlier today, and to date AVERT has seen over a hundred samples from customers around the world.

Symptoms

The Bagle.b worm is an Internet mass mailer that harvests addresses from local .wab, .txt, .htm, and .html files. It then uses the harvested addresses in both the From field and To field and sends itself using its own SMTP engine. The next recipient is thus unable to see the true sender. The worm then proceeds into the remote access component of the virus, which listens on TCP port 8866 for remote connections. It tries to notify the virus author of its readiness to accept commands by contacting various websites and calling a script located on the remote site. Users should delete any email containing the following:

From: (address is spoofed)
Subject: ID (random string) ... thanks
Body: Yours ID (random string)
--
Thank
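
The subject and body markers listed above can be checked mechanically at a mail gateway or over a quarantine folder. The following Python is an added example, not code from Network Associates or AVERT; the function names and sample messages are constructed, and it assumes the "random string" is a single non-whitespace token, which the release does not specify.

```python
import re
from email import message_from_string, policy

# Markers come from the advisory text. The format of the "random string" is
# not stated there, so a single non-whitespace token is ASSUMED.
SUBJECT_RE = re.compile(r"^ID\s+\S+?\s*\.\.\.\s*thanks$")
BODY_RE = re.compile(r"^Yours ID\s+\S+[ \t]*\n--[ \t]*\nThank\b", re.MULTILINE)


def plain_text(msg):
    """Return the first text/plain part, line endings normalised to LF."""
    part = msg.get_body(preferencelist=("plain",))
    return "" if part is None else part.get_content().replace("\r\n", "\n")


def classify(raw):
    """Return (verdict, hits) for one raw message: match, partial or clean."""
    msg = message_from_string(raw, policy=policy.default)
    hits = {
        "subject": bool(SUBJECT_RE.match(str(msg.get("Subject", "")).strip())),
        "body": bool(BODY_RE.search(plain_text(msg))),
    }
    # Both markers -> match, one -> partial (worth a manual look), none -> clean.
    verdict = ("clean", "partial", "match")[sum(hits.values())]
    return verdict, hits


# Constructed sample messages (not captured traffic).
SAMPLE_WORM = """\
From: alice@example.com
To: bob@example.com
Subject: ID kfhgsd... thanks

Yours ID kfhgsd
--
Thank
"""
SAMPLE_BENIGN = """\
From: hr@example.com
To: bob@example.com
Subject: ID badge request, thanks

Your ID badge is ready for collection.
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, classify(raw))
```

Because the From field is spoofed, the check deliberately ignores the sender and keys only on the subject and body text.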

Pathology

After being executed, Bagle.b emails itself to addresses found on the infected host using a random filename. However, the virus avoids sending itself to addresses containing @hotmail.com, @msn.com, @microsoft and @avp. The worm ceases to propagate from computers with a system date of February 25, 2004 or later.

Cure

Immediate information and cure for this worm can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101030.htm. Users of McAfee Security anti-virus products should update their systems from that page and use the 4.2.40 or later scanning engine to stop potential damage.

Network Associates McAfee(R) Protection-in-Depth(TM) Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.

AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.

About Network Associates

With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached at 972-963-8000 or on the Internet at http://www.networkassociates.com/ .

NOTE: Network Associates, McAfee and AVERT are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

##ENDS##

If you wish to speak with a spokesperson, please contact: Allan Bell, Marketing Director, Network Associates, on 02 9761 4229 or 0412 411 929
