NetXactics, local distributor for Sophos, a world leader in protecting businesses against spam and viruses, is warning of a new worm called Bagle-B (also known as Tanx-A). Sophos has received several reports of this worm spreading in the wild.
The Bagle-B worm spreads via e-mail and arrives with the subject line "ID" followed by various random characters and the message text "Yours ID". The attached .exe file has a randomly generated filename. If it is run, it installs a remote access component that allows hackers to gain remote access to the infected computer.
The worm harvests e-mail addresses from infected PCs and, when forwarding itself to other computer users, spoofs the "From:" field using addresses found on the computer's hard drive.
"Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Brett Myroff, CEO of NetXactics. "The message is simple - don't open unsolicited e-mails and don't automatically trust e-mails that appear to come from a known contact. Practising safe computing and blocking executable files at the e-mail gateway will prevent infection from this worm."
Like its predecessor, Bagle-A, this worm has a built-in "dead date" and has been designed to fall dormant on 25 February 2004.
W32/Tanx-A is a worm that uses e-mail to spread.
Analysis
The worm arrives in a message with the following characteristics:
Subject line: ID <random characters>... thanks
Message text: Yours ID <random characters>
Thank
Attached file: <random_file_name>.exe
The address of the sender is spoofed.
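A gateway-side check for the message characteristics listed above, written as an added example (not part of the advisory and not Sophos or NetXactics code): it parses a raw RFC 822 message, flags the distinctive subject and body strings, and quarantines any executable attachment regardless of the signature, which is the gateway policy the advisory recommends. The blocked-extension list and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Indicators from the advisory: subject "ID <random>... thanks", body "Yours ID <random>", .exe attachment.
SUBJECT_RE = re.compile(r"^ID\s+.+?\.\.\.\s*thanks\s*$", re.IGNORECASE)
BODY_RE = re.compile(r"^\s*Yours ID\s+\S+", re.IGNORECASE)
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com")  # assumed gateway policy, not taken from the advisory


def classify(raw_message: str) -> dict:
    """Classify one raw RFC 822 message; returns a verdict plus the indicators that matched."""
    msg = message_from_string(raw_message)
    reasons, executables = [], []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        reasons.append("subject matches Bagle-B pattern")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXT):
            executables.append(name)  # policy hit: any executable attachment is blocked
        elif part.get_content_type() == "text/plain" and name is None:
            text = part.get_payload(decode=True).decode("utf-8", errors="replace")
            if BODY_RE.match(text):
                reasons.append("body matches 'Yours ID' pattern")
    if executables:
        reasons.append("executable attachment: " + ", ".join(executables))
    if executables and len(reasons) > 1:
        verdict = "quarantine: Bagle-B signature"          # executable plus worm-specific text
    elif executables:
        verdict = "quarantine: executable attachment (gateway policy)"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real captures) so the check runs stand-alone.
WORM_MAIL = """\
Subject: ID kd8fj2q... thanks
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Yours ID kd8fj2q
Thank
--b1
Content-Type: application/octet-stream; name="zxq7a.exe"
Content-Disposition: attachment; filename="zxq7a.exe"

MZ-placeholder-not-a-real-binary
--b1--
"""
CLEAN_MAIL = "Subject: Meeting notes\n\nSee you tomorrow.\n"
```

Run `classify(WORM_MAIL)` and `classify(CLEAN_MAIL)` to see the two verdicts; the executable-only path triggers on any message carrying a blocked extension even when the subject and body are unrelated.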
When the attached infected file is run, W32/Tanx-A copies itself into the Windows system folder as au.exe and creates the following registry entry so that the worm file is run during Windows start-up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe = <windows system folder>\au.exe
If the filename of the launched file is not au.exe, the worm attempts to launch the Windows sound recorder application sndrec32.exe.
W32/Tanx-A searches all fixed drives recursively for files with the extensions WAB, TXT, HTM and HTML. These files are searched for e-mail addresses that are later used to fill in the sender and recipient fields of the e-mail message.
W32/Tanx-A opens TCP port 8866 and listens for connections. The backdoor may be used to update the worm file.
W32/Tanx-A will connect to the following Web sites and submit information about the listening port and the randomly generated infection ID: www.47df.de, www.strato.de and intern.games-ring.de
W32/Tanx-A uses the registry key HKCU\Software\Windows2000 to store some other data values (such as the randomly created infection ID). The registry values used are gid and frn.