Name:  TROJ_BAGLE.AH
Aliases:  Trojan.Lodear.D, Bagle.EO
Variants:  
Type:  Mass Mailer
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 2 (low)
The following has been derived from information provided by F-Secure, Trend Micro and Symantec.
Virus Characteristics
There have been numerous reports of multiple new Bagle variants being mass-spammed on the Internet. These variants were mass-spammed as a ZIP file containing the executable 1.exe. The spam messages will arrive with one of the following attachments:
Anthonye.zip
susanna.zip
George.zip
Joane.zip
Edmond.zip
cybil.zip
Upon execution, the worm will create a file named ANTI_TROJ.EXE in the Windows\SYSTEM folder.
It will create the following registry keys to launch itself at Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = "%System%\anti_troj.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = "%System%\anti_troj.exe"
HKEY_CURRENT_USER\Software\FirstRRRun
"FirstRRRun" = "dword:00000001"
This worm will create a folder named 'exefld' in C:\.
It attempts to download a file named 'z.php' from several websites and execute it, but at the time of writing this file was not available.
Payload
Creates files in the Windows SYSTEM folder and a folder in C:\.
Modifies registry to launch itself at Windows startup.
Downloads a file from the Internet and attempts to execute it.
Preventative Measures
Where possible, block all incoming messages that contain attachments with a ZIP extension.
Modify HTTP content filter rules to block files named z.php.
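The following host and mail-gateway check for the indicators listed above is an added example, not code from F-Secure, Trend Micro, Symantec or any other vendor. It assumes a Regedit-style .reg export and a directory listing as input (both constructed inline), and the function names are hypothetical.

```python
"""Defender-side check for the TROJ_BAGLE.AH indicators listed above (added example, not
vendor code). Parses a Regedit .reg export and a path list; all input is constructed."""
import re
from pathlib import PureWindowsPath
# Indicators exactly as the advisory lists them.
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run")
RUN_VALUE = "anti_troj"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
DROPPED_FILE = "anti_troj.exe"
DROPPED_FOLDER = PureWindowsPath(r"C:\exefld")
ATTACHMENTS = {"anthonye.zip", "susanna.zip", "george.zip", "joane.zip", "edmond.zip", "cybil.zip"}

def parse_reg_export(text):
    """Parse a .reg export into {key.lower(): {name: value}}; string values are unquoted."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if val and current is not None:  # .reg escapes backslashes in strings as '\\'
            entries[current][val.group(1)] = val.group(2).strip('"').replace("\\\\", "\\")
    return entries

def check_registry(reg):
    """Return the startup entries and marker key from the advisory that are present."""
    hits = [f"{k}\\{RUN_VALUE} = {reg[k.lower()][RUN_VALUE]}" for k in RUN_KEYS
            if reg.get(k.lower(), {}).get(RUN_VALUE, "").lower().endswith(DROPPED_FILE)]
    if MARKER_KEY.lower() in reg:
        hits.append(f"marker key present: {MARKER_KEY}")
    return hits

def check_filesystem(paths):
    """Return paths matching the dropped file or folder (Windows paths compare case-insensitively)."""
    return [str(p) for p in map(PureWindowsPath, paths)
            if p.name.lower() == DROPPED_FILE or p == DROPPED_FOLDER]

def is_suspect_attachment(filename):
    """Mail-gateway check for the spammed ZIP names in the advisory."""
    return filename.lower() in ATTACHMENTS

# Constructed sample: .reg export and directory listing from a hypothetical infected host.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"
[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRRRun"=dword:00000001"""
SAMPLE_PATHS = [r"C:\WINDOWS\system32\anti_troj.exe", r"C:\exefld", r"C:\WINDOWS\notepad.exe"]
```

On a live host the same functions can be fed the output of `reg export` and a recursive directory listing; the sample here is only there so the script runs offline.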
Fixes Available
Network Associates:
Minimum DAT: 4635
Release Date: 11/23/2005
Minimum Engine: 4.4.00
Symantec:
Virus Definitions (Intelligent Updater): November 23, 2005
Virus Definitions (LiveUpdate): November 30, 2005
Trend:
Minimum Scan Engine: 7.000