Bagle Worm BC Appears

– The new TruPrevent Technologies, “The most intelligent technologies to combat unknown viruses and intruders,” have effectively detected and blocked this new variant of the Bagle worm, without needing to be able to identify it first.

– Bagle.BC spreads rapidly via email in a message with extremely variable characteristics, which can have the subject: Re:, Re:Hello, Re:Hi, Re:Thank you! or Re:Thanks 🙂

– In just a few minutes, numerous reports of this new virus have been received. It is possible that the number of incidents involving this worm will increase significantly over the next few hours

PandaLabs has detected the appearance of the BC variant of the Bagle worm. This new malicious code has started spreading rapidly, causing numerous incidents in users’ computers around the globe. For this reason, Panda Software has declared an amber alert. Panda Software clients that have already installed the new TruPrevent Technologies have preventive protection against this worm, as they were able to detect and block this new virus without needing to be able to identify it first (more information about the new TruPrevent Technologies at ).

Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Bagle.BC spreads rapidly via email. The messages carrying this worm have the following characteristics:

Subject: (any of the following):
Re:
Re:Hello
Re:Hi
Re:Thank you!
Re:Thanks 🙂

Message: 🙂 ?? :))

Attachments (any of the following):
Joke
Price
price

The extension of these files can be: com, cpl, exe or scr.

What’s more, Bagle.BC spoofs the address of the sender of the email message that causes the infection.

If the user runs the attachment, Bagle.BC looks for email addresses to send itself out to in the files with certain extensions stored on the affected computer. To do this, and to spread even wider, Bagle.BC copies itself to all the directories whose name contains the text string ‘shar’, which are usually shared folders. By doing this, it can easily spread across networks and P2P applications. To achieve this aim, it uses a large number of attractive names to entice users, such as ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, and many others.

Bagle.BC also ends the processes of many antivirus and security programs, leaving the computer vulnerable to attack from other malicious code, making Bagle.BC an even more dangerous worm. However, Bagle.BC cannot deactivate the TruPrevent Technologies, and therefore, computers with this protection installed are perfectly safe from this worm.

Another dangerous effect of Bagle.BC is that it opens the TCP communications port 81, allowing a hacker to carry out remote attacks. It also tries to download a file called G.JPG from certain Internet addresses.

In order to ensure that it is always present on computers, Bagle.BC creates three copies of itself called wingo.exe, wingo.exeopen and wingo.exeopenopen, and inserts an entry in the Windows Registry to ensure it is run whenever the computer is started up.

According to Luis Corrons, head of PandaLabs, “Bagle.BC is here to pick up the cyberwar that started a few months ago between several groups of virus creators. This time, it is a malicious code that uses social engineering and can spread extremely rapidly. These two characteristics make Bagle.BC a particularly dangerous worm, as users have a high probability of receiving an email message carrying this malicious code.”

To prevent incidents involving Bagle.BC, Panda Software advises users to take precautions and update their antivirus software.

Panda Software’s clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against this and other new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at .