Description:


As of March 15, 2004 3:55 AM PST, TrendLabs has declared a YELLOW ALERT to control the spread of PE_BAGLE.P. Several infection reports have been received from Korea and Japan.

This new BAGLE variant is very similar to PE_BAGLE.N but is larger in size. It propagates via email with varying subjects, message bodies, and attachment file names. It also spreads by dropping several files in folders whose names contain the text string "shar".

This virus searches for files with certain extension names, from which it gathers target recipients. Using its own SMTP (Simple Mail Transfer Protocol) engine, it sends out email messages with spoofed return addresses and with itself as an attachment.

It also spreads by dropping files in folders that have the text string "shar", for example, C:\Program Files\Kazaa\My Shared Folder.

At every execution, this virus infects Win32 executable files (.EXE) in randomly selected folders on all fixed drives. It does this by attaching its malicious code to the host file, adding another section at the end of the file.
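Because the infection adds a section at the end of the host file, an executable can be checked against a known-good copy by comparing PE section tables. The following is an added example, not part of the TrendLabs description; it assumes a clean baseline copy is available, and the sample images and the section name `.xyz` are constructed placeholders.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after both headers.
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        entry = data[table + 40 * i: table + 40 * (i + 1)]
        if len(entry) < 40:
            raise ValueError("truncated section table")
        name = entry[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_offset = struct.unpack_from("<II", entry, 16)
        sections.append((name, raw_offset, raw_size))
    return sections

def appended_sections(baseline: bytes, current: bytes):
    """Sections in `current` that follow the ones in a known-good `baseline`."""
    base, cur = pe_sections(baseline), pe_sections(current)
    if [s[0] for s in cur[:len(base)]] != [s[0] for s in base]:
        raise ValueError("section tables diverge; not a simple append")
    return cur[len(base):]

def build_sample(names, opt_size=224):
    """Constructed, header-only PE image used as demo input (not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack("<8sIIII16x", n.encode(), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i)
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table

if __name__ == "__main__":
    clean = build_sample([".text", ".data", ".rsrc"])
    # ".xyz" is a placeholder name; the page does not name the added section.
    modified = build_sample([".text", ".data", ".rsrc", ".xyz"])
    for name, offset, size in appended_sections(clean, modified):
        print(f"extra section {name!r}: raw offset {offset:#x}, size {size:#x}")
```

An empty result means the section table matches the baseline; it does not by itself prove the file is unmodified.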

It opens TCP port 2556 and waits for incoming commands from a remote user, who must send specially crafted data or packets to be able to command this virus.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.P