Preemptive Protection against WORM_BAGLE.AV/AT (a new variant of the Bagle worm)
| Attack ID: | CPAI-2004-50 |
| Publish Date: | |
| Last Update: | |
| Category: | Worms and Viruses |
| Vulnerable Systems: | Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP |
| Source: | Zone Labs Virus Information Center |
| Description: | A new variant of the Bagle worm is currently propagating across the Internet, infecting users of Windows operating systems. Bagle.AV/AT is a mass-mailing worm that spreads through email and shared folders. The worm opens a backdoor on TCP port 81 through which a remote attacker may gain remote control over other affected systems. |
| Severity: | |
| Details: | Using its own SMTP engine, Bagle.AV/AT spreads using different subjects, email bodies and attachments. The attachment is an executable file with one of the following extensions: .EXE, .SCR, .COM, .CPL. |
| Attack Detection: | Users of VPN-1 NG FP-3 and above: refer to CPSA-2004-05 for logging information. Users of InterSpect 2.0 will receive the following logging information:
|
| Solution: | Users of VPN-1 NG FP-3 and above who have applied the solution outlined in CPSA-2004-05 are already protected against the propagation of this worm. For detailed configuration instructions, refer to CPSA-2004-05. Users of InterSpect 2.0 should enable the SmartDefense External Mail Protection:
1. On the SmartDefense navigation tree, select Application Intelligence > Mail and select External Mail Protection.
Note: Users of InterSpect 2.0 will have to identify their internal mail servers before applying this protection.
|
| Industry Reference: | |
| Additional Information: | MessageLabs |

