Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Threat Advisory" McAfee AVERT Raises Risk Assessment to Medium on New W32/Bagle.DLDR

  • 02 March, 2005 13:03

<p>McAfee AVERT Raises Risk Assessment Based on Prevalence</p>
<p>SYDNEY, March 2, 2005—McAfee, Inc., the pioneer and worldwide leader of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to Medium on the W32/Bagle.dldr Trojan, also known as Bagle.dldr. New variants were reported to McAfee AVERT researchers this morning and to date, McAfee AVERT has received more than 100 distinct reports of these variants in the wild.</p>
<p>Threat Overview
Bagle.dldr is not a mass mailing threat by itself, but a downloader that tries to access files from the Internet and attempts to disable a range of anti-virus and security tools. The Trojan has been used by other bagle variants, including Bagle.bb, Bagle.bc and Bagle.bd.</p>
<p>Threat Pathology</p>
<p>After being executed, Bagle.dldr copies itself into the Windows System directory and adds the following registry hooks:</p>
<p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DownloadManager</p>
<p>HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe</p>
<p>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe</p>
<p>Bagle.dldr proceeds to drop a file named wiwshost.exe and tries to download a file zo2.jpg from various Web sites. It also terminates security services and in some cases renames the main security program executable. Bagle.dldr modifies the file %WinDir% \system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security Websites. The Trojan also disables any configured HTTP proxy.</p>
<p>When outgoing TCP connections to port 80 (HTTP) are established, Bagle.dldr tries to download files from a very large list of sites—many of these sites may be decoys as they have not been found to host the file being requested.</p>
<p>System Protection and Cure</p>
<p>More information on Bagle.dldr and cure for this downloader Trojan can be found online at the McAfee AVERT site located at http://vil.nai.com/vil/content/v_129512.htm. McAfee AVERT is advising its customers to update to the 4404 DATs to stay protected from these variants of the threat.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in fourteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield and McAfee Entercept organisations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About McAfee, Inc.</p>
<p>McAfee, Inc., headquartered in Santa Clara, Calif., a worldwide leader in Intrusion Prevention and Risk Management solutions, delivers proven security products and services to help customers effectively balance the competing priorities between business needs and security requirements. McAfee applies profound security expertise toward helping companies, government agencies and consumers block attacks, prevent disruptions, and continuously track and improve the security of their systems and networks. For More information, McAfee, Inc. can be reached at + 61 2 972-963-8000 or www.mcafee.com.</p>
<p># # #</p>
<p>NOTE: McAfee, AVERT, IntruShield, Entercept and Foundstone are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The colour Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. ©2005 McAfee, Inc. All Rights Reserved.</p>
<p>For media enquiries, please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>E-mail: natalie.connor@text100.com.au</p>

Most Popular

Most Popular Reviews

Join the newsletter!

Error: Please check your email address.

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?