| VID | 24070 |
| Severity | 40 |
| Port | 6777 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
The Windows system appears to be infected by the 'W32.Bagle' worm. This scanner attempts to remove it by connecting to TCP port 6777 on the target host and using the worm's built-in removal command to clean up the infected host.
'W32.Bagle' is a mass-mailing worm that accesses remote Web sites and sends email to any addresses it finds using its own SMTP engine. Once the worm is installed, it launches calc.exe and adds the string value ("d3dupdate.exe" = "%system%\bbeagle.exe") to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm also has a backdoor Trojan capability. It installs itself as a server and allows unauthorized access to an infected host over TCP port 6777. An attacker can do the following using this backdoor:
- Execute commands on the local system as if the attacker were the current user
- Download executables onto the local system
- Terminate and delete the worm program
* References:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
http://info.ahnlab.com/smart2u/virus_detail_1297.html
* Platforms Affected: Microsoft Windows Any version |
| Recommendation |
The worm may have been removed by the scanner; however, you should make sure that the worm was indeed properly removed. Check the infected computer with an anti-virus program (vaccine program). If you do not have an anti-virus program installed, download and install one of these virus scanners:
Norton AntiVirus: http://www.symantec.com/downloads/
McAfee VirusScan: http://download.mcafee.com/default.asp
Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/ |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
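
A host-side check for the three artifacts this entry names (the Run value, %system%\bbeagle.exe, and the listener on TCP 6777), to complement the anti-virus scan in the recommendation. This is an added example, not part of the original entry; it assumes %system% means the Windows system directory and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: post-cleanup check for the W32.Bagle artifacts named in this entry.
# Run in an elevated PowerShell session on the host that was flagged.

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'd3dupdate.exe'
# Assumption: "%system%" in the description is the Windows system directory.
$wormPath  = Join-Path ([Environment]::SystemDirectory) 'bbeagle.exe'
$port      = 6777

$findings = @()

# 1. Autorun value that relaunches the worm at every boot.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value '$valueName' still present: $($run.$valueName)"
}

# 2. Worm executable still on disk.
if (Test-Path -LiteralPath $wormPath) {
    $findings += "Worm file still present: $wormPath"
}

# 3. Backdoor listener on TCP 6777, reported with its owning process.
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $port listening on $($l.LocalAddress), PID $($l.OwningProcess) ($($proc.Path))"
}

if ($findings.Count -eq 0) {
    Write-Output "No W32.Bagle artifacts from this entry found on $env:COMPUTERNAME."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

On older Windows versions without Get-NetTCPConnection, `netstat -ano` shows the same listener and owning PID.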