Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Threat Advisory" McAfee AVERT Raises Risk Assessment to Medium on New W32/Bagle.DLDR

  • 02 March, 2005 13:03

<p>McAfee AVERT Raises Risk Assessment Based on Prevalence</p>
<p>SYDNEY, March 2, 2005—McAfee, Inc., the pioneer and worldwide leader of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to Medium on the W32/Bagle.dldr Trojan, also known as Bagle.dldr. New variants were reported to McAfee AVERT researchers this morning and to date, McAfee AVERT has received more than 100 distinct reports of these variants in the wild.</p>
<p>Threat Overview
Bagle.dldr is not a mass mailing threat by itself, but a downloader that tries to access files from the Internet and attempts to disable a range of anti-virus and security tools. The Trojan has been used by other bagle variants, including Bagle.bb, Bagle.bc and Bagle.bd.</p>
<p>Threat Pathology</p>
<p>After being executed, Bagle.dldr copies itself into the Windows System directory and adds the following registry hooks:</p>
<p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DownloadManager</p>
<p>HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe</p>
<p>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe</p>
<p>Bagle.dldr proceeds to drop a file named wiwshost.exe and tries to download a file zo2.jpg from various Web sites. It also terminates security services and in some cases renames the main security program executable. Bagle.dldr modifies the file %WinDir% \system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security Websites. The Trojan also disables any configured HTTP proxy.</p>
<p>When outgoing TCP connections to port 80 (HTTP) are established, Bagle.dldr tries to download files from a very large list of sites—many of these sites may be decoys as they have not been found to host the file being requested.</p>
<p>System Protection and Cure</p>
<p>More information on Bagle.dldr and cure for this downloader Trojan can be found online at the McAfee AVERT site located at http://vil.nai.com/vil/content/v_129512.htm. McAfee AVERT is advising its customers to update to the 4404 DATs to stay protected from these variants of the threat.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in fourteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield and McAfee Entercept organisations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About McAfee, Inc.</p>
<p>McAfee, Inc., headquartered in Santa Clara, Calif., a worldwide leader in Intrusion Prevention and Risk Management solutions, delivers proven security products and services to help customers effectively balance the competing priorities between business needs and security requirements. McAfee applies profound security expertise toward helping companies, government agencies and consumers block attacks, prevent disruptions, and continuously track and improve the security of their systems and networks. For More information, McAfee, Inc. can be reached at + 61 2 972-963-8000 or www.mcafee.com.</p>
<p># # #</p>
<p>NOTE: McAfee, AVERT, IntruShield, Entercept and Foundstone are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The colour Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. ©2005 McAfee, Inc. All Rights Reserved.</p>
<p>For media enquiries, please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>E-mail: natalie.connor@text100.com.au</p>

Most Popular

Brand Post

Most Popular Reviews

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?