A new variant of Bagle - Bagle.V was found spreading in the
morning on March 29th, 2004. It is a very simple worm variant: it
sends itself in messages with an empty subject and the attachment
name game.exe.
The attachment has an icon that resembles a syringe.
F-Secure provides a special disinfection utility to eliminate the
Bagle.V worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-bagle.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar
The worm's file is a PE executable 8208 bytes long, packed
with the FSG file compressor.
When the worm's file is run, it copies itself to the Windows
System folder as SYSINFO.EXE and creates a startup key for this
file in the System Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sysinfo.exe" = "%winsysdir%\sysinfo.exe"
where %winsysdir% represents the Windows System folder name.
Email spreading
The attachment name will always be game.exe.
The rest of the details are identical to the previous variant, Bagle.U:
http://www.f-secure.com/v-descs/bagle_u.shtml
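The spreading characteristics above (empty subject, an attachment named game.exe, an 8208-byte PE file) can be turned into a mail-gateway triage rule. The following is an added example, not F-Secure's tool or code; the message it builds is constructed for the test and is not a worm sample, and the function and variable names are the example's own.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: attachment name and file size.
BAGLE_V_ATTACHMENT = "game.exe"
BAGLE_V_SIZE = 8208


def bagle_v_indicators(raw_message: bytes) -> dict:
    """Return which Bagle.V characteristics a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    result = {"empty_subject": subject == "", "attachment_game_exe": False,
              "size_8208": False, "pe_header": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name != BAGLE_V_ATTACHMENT:
            continue
        result["attachment_game_exe"] = True
        payload = part.get_payload(decode=True) or b""
        result["size_8208"] = len(payload) == BAGLE_V_SIZE
        # PE executables start with the DOS "MZ" signature.
        result["pe_header"] = payload[:2] == b"MZ"
    return result


def looks_like_bagle_v(raw_message: bytes) -> bool:
    """Quarantine rule: empty subject plus a game.exe attachment that is a PE file.

    The size check is reported separately so a repacked variant with a
    different length still trips the rule.
    """
    ind = bagle_v_indicators(raw_message)
    return ind["empty_subject"] and ind["attachment_game_exe"] and ind["pe_header"]


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message (hypothetical addresses, inert payload)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```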
F-Secure Anti-Virus detects the Bagle.V worm in the following update:
[FSAV_Database_Version]
Version=2004-03-29_01
Technical Details:
Ero Carrera, March 26th, 2004;
Description Updated:
Alexey Podrezov, April 1st, 2004;
F-Secure Corporation