J-Security Center

Email-Worm.Win32.Bagle.bn


20 Apr 2005 15:24:00 +0300

Kaspersky Lab virus analysts have detected a new version of Bagle, Email-Worm.Win32.Bagle.bn. Another version of this malicious program, packed with a different utility, is also spreading actively. The repacked version is detected by Kaspersky Anti-Virus as Bagle.pac.

Bagle.bn arrives as an attachment to infected messages, but is unable to self-replicate. The attachment is a ZIP file, which contains an executable file. The executable file is packed using PEX. The attachment name is randomly generated.

In the case of Bagle.bn, the ZIP file is 19398 bytes in size. The ZIP file attached to Bagle.pac is 19404 bytes in size. The EXE file inside the ZIP file is 37888 bytes in size.

The executable file inside the ZIP file is called "19_04_2005.exe", although this name may vary.
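A mail-gateway triage check built on the sizes reported above, shown as an added example that is not part of the original advisory or any vendor's detection logic. The function names, verdict labels and extension list are assumptions, and the sample archives are constructed and harmless. Size matching is a triage hint only and does not replace signature detection.

```python
import io
import zipfile

# Sizes reported in the advisory above (bytes).
ZIP_SIZES = {19398: "Bagle.bn", 19404: "Bagle.pac"}
EXE_SIZE = 37888
# Assumption: extensions this hypothetical gateway treats as executable.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".cpl")


def triage_zip(data: bytes) -> dict:
    """Classify one ZIP attachment (raw bytes) without extracting it."""
    out = {"variant_by_zip_size": ZIP_SIZES.get(len(data)),
           "executables": [], "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        out["verdict"] = "malformed"  # unparseable archive: hold for review
        return out
    for m in members:
        # file_size is read from archive metadata, so treat it as a hint only.
        if m.filename.lower().endswith(EXEC_EXT):
            out["executables"].append((m.filename, m.file_size))
    if out["executables"]:
        # Names vary per the advisory, so matching uses sizes only.
        sized = any(size == EXE_SIZE for _, size in out["executables"])
        out["verdict"] = ("size-match" if sized or out["variant_by_zip_size"]
                          else "executable-in-zip")
    return out


def make_sample(member: str, size: int) -> bytes:
    """Constructed, harmless test archive: one member filled with zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"\x00" * size)
    return buf.getvalue()


if __name__ == "__main__":
    for name, size in [("19_04_2005.exe", 37888), ("setup.exe", 1024),
                       ("notes.txt", 37888)]:
        print(name, triage_zip(make_sample(name, size)))
    print("garbage", triage_zip(b"not a zip"))
```
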

The worm will terminate processes related to antivirus and firewall applications. This means that machines infected by Bagle may be vulnerable to other malicious code.

Detection for Bagle.bn and Bagle.pac is included in Kaspersky Anti-Virus databases.

A full description is now available in the Kaspersky Virus Encyclopaedia.