Name:  Multiple Bagle variants reported
Aliases:  W32/Bagle.gen!F7B43CAC,Troj/BagleDl-AS,TROJ_BAGLE.GP
Variants:  
Type:  Trojan Horse
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 1 (low)
This alert is in response to increased virus activity. There have been reports of 6 mass-spammings of new Bagle variants on the Internet today. The details below are a combination of characteristics across the variants based on the most current available information.
Virus Characteristics
These variants arrive as an email carrying one of the following attachments (each a ZIP archive containing anti_troj.exe):
Edmund.zip
Elizabeth.zip
Fraunces.zip
Grace.zip
Henrie.zip
Jeames.zip
Upon execution, the Trojan drops a copy of itself to the Windows SYSTEM32 folder.
To launch itself at startup, this Trojan creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = "C:\WINNT\SYSTEM32\ANTI_TROJ.EXE"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = "C:\WINNT\SYSTEM32\ANTI_TROJ.EXE"
HKEY_CURRENT_USER\Software\FirstRRRun
FirstRRRun = "dword:00000001"
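As an added defender-side check that is not part of this alert, the Python below parses a constructed "reg export" of the keys listed above and flags the persistence artifacts the variants leave behind: a Run value named anti_troj (or any Run command line pointing at ANTI_TROJ.EXE) and the HKEY_CURRENT_USER\Software\FirstRRRun marker key. The sample export text and the function names are assumptions.

```python
import re

# Persistence artifacts named in the alert.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
DROPPED_NAME = "anti_troj"  # Run value name; dropped file is ANTI_TROJ.EXE
# Constructed sample of a "reg export" from an infected profile (not real data).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\SYSTEM32\\ctfmon.exe"
"anti_troj"="C:\\WINNT\\SYSTEM32\\ANTI_TROJ.EXE"

[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRRRun"=dword:00000001
'''

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}} (default '@=' values skipped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2)
    return keys

def find_bagle_indicators(keys):
    """Return (key, value_name, data) triples matching the alert's artifacts; paths compared case-insensitively."""
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}
    findings = []
    for run_key in RUN_KEYS:
        original, values = by_lower.get(run_key.lower(), (run_key, {}))
        for name, data in values.items():
            # Match either the value name or a command line pointing at the dropped file.
            if name.lower() == DROPPED_NAME or DROPPED_NAME + ".exe" in data.lower():
                findings.append((original, name, data))
    marker = by_lower.get(MARKER_KEY.lower())
    if marker:
        original, values = marker
        findings.append((original, "FirstRRRun", values.get("FirstRRRun", "")))
    return findings
```

Running `find_bagle_indicators(parse_reg_export(SAMPLE_EXPORT))` on the constructed export returns the anti_troj Run value and the FirstRRRun marker while skipping the benign ctfmon entry.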
This Trojan will attempt to execute a b.php script from numerous websites. At the time of writing, the file was not present on any of the websites targeted.
Payload
Creates files in the Windows SYSTEM32 folder.
Modifies registry to launch itself at Windows startup.
Downloads a file from the Internet and attempts to execute it.
Preventative Measures
Where possible, block all incoming messages that contain attachments with a ZIP extension.
Fixes Available
Network Associates:
Minimum DAT: 4656, W32/Bagle.gen!F7B43CAC only
Release Date: 12/22/2005
Minimum Engine: 4.4.00
Symantec:
No information at time of alert.
Trend:
Minimum Scan Engine: 7.000