
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Bagle.BA - MEDIUM RISK by Secunia

Three new Bagle variants are circulating in-the-wild, and they are all very closely related: in essence the same virus repackaged with different compression algorithms to bypass AV scanners. Avoid all attachments in email, especially suspicious ones.

http://secunia.com/virus_information/12174/beagle.ba/
http://vil.nai.com/vil/content/v_131353.htm
http://www.sarc.com/avcenter/venc/data/w32.beagle.ba@mm.html
http://www.f-secure.com/v-descs/bagle_ba.shtml

This variant is a repacked version of the W32/Bagle.bk@MM variant. It arrives in emails with variable subjects and attachments, has peer-to-peer spreading capabilities, and contains a backdoor that listens on TCP port 81.

This is a mass-mailing worm with the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* contains a remote access component (a notification is sent to the attacker)
* copies itself to folders whose name contains the string "shar" (the shared folders of common peer-to-peer applications such as KaZaa, Bearshare, Limewire, etc.)

EMAIL FORMAT BELOW:

From: (address is spoofed)

Subject: (one of the following)
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Body Text:
Thanks for use of our software.
Before use read the help

Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03
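As an added example (not code from the original post), a small Python mail filter that scores a message against the template listed above: the subject lines, body phrases, attachment base names and executable extensions. The sample message is constructed here to match the template and is not a real capture.

```python
from email import message_from_string

# Indicators copied from the post above: subjects, body phrases, attachment names, extensions.
SUBJECTS = {"delivery service mail", "delivery by mail", "registration is accepted",
            "is delivered mail", "you are made active"}
BODY_PHRASES = ("thanks for use of our software", "before use read the help")
ATTACH_NAMES = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".cpl"}


def score_message(raw: str) -> dict:
    """Report which Bagle.BA mail-template indicators a raw RFC 822 message matches.
    A listed attachment alone flags; subject and body must both match to flag."""
    msg = message_from_string(raw)
    body, attachment = [], False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name:  # attachment: compare base name and extension against the list
            stem, dot, ext = name.rpartition(".")
            attachment |= stem in ATTACH_NAMES and dot + ext in ATTACH_EXTS
        elif part.get_content_type() == "text/plain":  # inline body text
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = "\n".join(body).lower()
    hits = {
        "subject": (msg.get("Subject") or "").strip().lower() in SUBJECTS,
        "body": any(p in text for p in BODY_PHRASES),
        "attachment": attachment,
    }
    hits["flag"] = hits["attachment"] or (hits["subject"] and hits["body"])
    return hits


# Constructed sample modelled on the template above (not a real capture).
WORM_MAIL = """\
From: spoofed@example.com
Subject: Delivery service mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thanks for use of our software.
Before use read the help
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="wsd01.exe"

MZ placeholder, not a real binary
--b1--
"""
```

A subject match alone is deliberately not enough to flag, since some of the listed subjects could occur in legitimate delivery notices.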