Email-Worm.Win32.Bagle.n


The worm is a polymorphic dropper: it mails itself out in infected messages and also infects executable files on the victim machine. Each copy is encrypted with a varying polymorphic layer, so the size of the file differs from sample to sample.

Characteristics of infected messages:

Sender's address (chosen at random from the list below):

 management
 administration
 staff
 noreply
 support

The domain of the recipient of the infected message will be used as the sender's domain.

Message header (chosen at random from the list below):

 Account notify
 E-mail account disabling warning. 
 E-mail account security warning. 
 E-mail technical support message. 
 E-mail technical support warning. 
 E-mail warning
 Email account utilization warning. 
 Email report
 Encrypted document
 Fax Message Received
 Forum notify
 Hidden message
 Important notify
 Important notify about your e-mail account. 
 Incoming message
 Notify about using the e-mail account. 
 Notify about your e-mail account utilization. 
 Notify from e-mail technical support. 
 Protected message
 RE: Protected message
 RE: Text message
 Re: Document
 Re: Hello
 Re: Hi
 Re: Incoming Fax
 Re: Incoming Message
 Re: Msg reply
 Re: Thank you! 
 Re: Thanks :)
 Re: Yahoo! 
 Request response
 Site changes

Message body (in several parts, chosen at random from the list below):

Part 1:

Dear user of ,
Dear user of gateway e-mail server gateway,  
Dear user of e-mail server,  
Hello user of e-mail server,  
Dear user of mailing system,  
Dear user, the management of mailing system wants to let you know that,

Part 2:

Your e-mail account has been temporary disabled because of unauthorized access.

Our main mailing server will be temporary unavaible for next two days,to continue receiving mail in these days you have to configure our free auto-forwarding service.

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Part 3:

 For more information see the attached file. 
 Further details can be obtained from attached file. 
 Advanced details can be found in attached file. 
 For details see the attach. 
 For details see the attached file. 
 For further details see the attach. 
 Please, read the attach for further details. 
 Pay attention on attached file.Read the attach. 
 Your file is attached. 
 More info in attach
 See attach. 
 Follow the wabbit. 
 Find the white rabbit. 
 Please, have a look at the attached file. 
 See the attached file for details. 
 Message is in attach
 Here is the file.

Part 4:

 The team
 http://www.<recipient's domain name>

Part 5:

 The Management,
 Sincerely,
 Best wishes,
 Have a good day,
 Cheers,
 Kind regards,

Attachment name:

 Attach
 Details
 Document
 Encrypted
 Gift
 Info
 Information
 Message
 MoreInfo
 Readme
 Text
 TextDocument
 details
 first_part
 pub_document
 text_document 
 random name with the extension EXE or PIF
 random name with the extension ZIP or RAR
The attached archive may be password protected. In such cases the worm embeds a BMP, GIF or JPG picture containing a graphical rendering of the password in the message body (so that mail gateways cannot extract the password from the text). Such messages contain additional text (chosen at random from the list below), followed by the picture:

 For security reasons attached file is password protected. The password is
 For security purposes the attached file is password protected. Password --
   Note: Use password to open archive.
 Attached file is protected with the password for security reasons. Password is
 In order to read the attach you have to use the following password:
 Archive password:
 Password -
 Password:
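The sender, subject, attachment-name and password-picture traits above combine into a usable mail-gateway filter. The following is an added example, not code from the original entry or from any vendor: it scores a message against a subset of the lists above and requires several traits to match, because single traits (a "Re: Hello" subject, a "support@" sender) occur in legitimate mail. The two sample messages are constructed here, not captured from the worm; the attachment bytes are placeholders.

```python
"""Triage filter for Bagle.n-style lure messages (added example, not worm code).

Scores an RFC 5322 message against the sender, subject, attachment and
password-picture traits listed above.  The indicator lists are a subset of
the page's lists; both sample messages are constructed, not captured.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SENDER_LOCALPARTS = {"management", "administration", "staff", "noreply", "support"}
SUBJECTS = {s.lower() for s in (
    "Account notify", "E-mail account security warning.",
    "E-mail technical support message.", "Encrypted document",
    "Fax Message Received", "Protected message", "Re: Hello", "Site changes",
)}
ATTACHMENT_STEMS = {s.lower() for s in (
    "Attach", "Details", "Document", "Encrypted", "Gift", "Info", "Information",
    "Message", "MoreInfo", "Readme", "Text", "TextDocument", "first_part",
    "pub_document", "text_document",
)}
RISKY_EXT = {".exe", ".pif", ".zip", ".rar"}
PASSWORD_PHRASES = ("password is", "password --", "archive password",
                    "password -", "password:", "use the following password")


def score_message(raw: bytes) -> list[str]:
    """Return the list of Bagle.n lure traits found in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    s_local, _, s_domain = sender.lower().rpartition("@")
    _, _, r_domain = recipient.lower().rpartition("@")
    if s_local in SENDER_LOCALPARTS:
        findings.append("sender_localpart")
    # The worm forges the sender's domain from the recipient's own address.
    if s_domain and s_domain == r_domain:
        findings.append("sender_domain_equals_recipient")

    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        findings.append("known_subject")

    has_image = False
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if stem.lower() in ATTACHMENT_STEMS and ext.lower() in RISKY_EXT:
            findings.append("known_attachment_name")
        if part.get_content_maintype() == "image":
            has_image = True

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    # Password-protected archive plus a picture of the password in the body.
    if has_image and any(p in body for p in PASSWORD_PHRASES):
        findings.append("password_image_lure")
    return findings


def is_bagle_lure(raw: bytes, threshold: int = 3) -> bool:
    """Single traits occur in normal mail; require several before flagging."""
    return len(score_message(raw)) >= threshold


def build_sample_lure() -> bytes:
    """Constructed message assembled from the page's templates (not a capture)."""
    msg = EmailMessage()
    msg["From"] = "support@example.org"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "E-mail account security warning."
    msg.set_content(
        "Dear user of example.org,\n\n"
        "Your e-mail account has been temporary disabled because of unauthorized access.\n\n"
        "For security reasons attached file is password protected. The password is\n\n"
        "The team   http://www.example.org\n"
    )
    # Placeholder bytes standing in for the password picture and the archive.
    msg.add_attachment(b"GIF89a" + b"\x00" * 10, maintype="image",
                       subtype="gif", filename="pwd.gif")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="zip", filename="Information.zip")
    return bytes(msg)


def build_sample_benign() -> bytes:
    """Constructed ordinary reply that shares one trait (the subject) with the lure."""
    msg = EmailMessage()
    msg["From"] = "bob@corp.example"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Re: Hello"
    msg.set_content("See you at noon.\n")
    return bytes(msg)


if __name__ == "__main__":
    print(score_message(build_sample_lure()))
    print(score_message(build_sample_benign()))
```

The sender-domain check is the most reliable of the five on its own at a gateway, because inbound mail claiming to be from the recipient's own domain but arriving from outside is almost always forged; SPF or DMARC enforcement on your own domain blocks this class of lure outright.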

Installation

Once launched, the worm copies itself and its components to the Windows system directory under the following names:
 winupd.exe
 winupd.exeopen
 winupd.exeopenopen (a copy of the worm in a password protected archive)
 winupd.exeopenopenopen (BMP,GIF or JPG file containing the archive password)
and registers winupd.exe in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   winupd.exe=%System%\winupd.exe
The worm also searches the system registry for auto-run entries created by other worms, such as Netsky, and deletes them. The entry names removed are:
 9XHtProtect
 Antivirus
 HtProtect
 ICQ Net
 ICQNet
 My AV
 Special Firewall Service
 Tiny AV
 Zone Labs Client Ex
 service
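The installation traits above (the winupd.exe auto-run value and the four dropped files in the system directory) can be checked offline from a registry export and a directory listing. The following is an added example, not code from the original entry: it parses the text produced by `reg export` for the Run key, resolves a `%System%` path, and reports the matching value and files. Both inputs are constructed here; the system directory path is an assumption that a real check would take from the host.

```python
"""Host triage for the Bagle.n installation traits above.

Added example, not the worm's or any vendor's code.  It parses the text that
'reg export' produces for the Run key and a plain listing of the system
directory; both inputs below are constructed, not taken from a real host.
"""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = {"winupd.exe", "winupd.exeopen",
                 "winupd.exeopenopen", "winupd.exeopenopenopen"}
# "name"="data" lines; both sides may contain \\ and \" escapes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key path: {value name: data}} for the REG_SZ values in an export."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_run_persistence(keys: dict[str, dict[str, str]],
                         system_dir: str = r"C:\WINDOWS\system32") -> list[tuple[str, str]]:
    """Run values whose command is winupd.exe, the name the worm registers."""
    hits = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        # Assumes the command is a bare path (no arguments), as the worm writes it.
        path = cmd.replace("%System%", system_dir).strip('"')
        if ntpath.basename(path).lower() == "winupd.exe":
            hits.append((name, path))
    return hits


def find_dropped_files(system_listing: list[str]) -> list[str]:
    """Names from the worm's drop set that are present in the system directory."""
    return sorted(n for n in system_listing if n.lower() in DROPPED_FILES)


# Constructed export: one benign value plus the worm's auto-run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"winupd.exe"="C:\\WINDOWS\\system32\\winupd.exe"
'''

# Constructed directory listing of %System%.
SAMPLE_LISTING = ["kernel32.dll", "winupd.exe", "winupd.exeopen",
                  "winupd.exeopenopen", "winupd.exeopenopenopen", "notepad.exe"]

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    print(find_run_persistence(keys))
    print(find_dropped_files(SAMPLE_LISTING))
```

On a live host the same two checks are `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `dir %SystemRoot%\system32\winupd.exe*`; the three extra files with the repeated "open" suffix are the strongest indicator, since nothing legitimate creates names like these.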

Propagation

The worm searches for files with the following extensions:
 adb
 asp
 cfg
 cgi
 dbx
 dhtm
 eml
 htm
 jsp
 mbx
 mdx
 mht
 mmf
 msg
 nch
 ods
 oft
 php
 pl
 sht
 shtm
 stm
 tbb
 txt
 uin
 wab
 wsh
 xls
 xml
and sends copies of itself to all email addresses harvested from these files. Messages are sent through the worm's own built-in SMTP engine rather than the victim's mail client.

The worm does not send itself to addresses containing the following text:

 @avp. 
 @foo
 @hotmail.com
 @iana
 @messagelab
 @microsoft
 @msn
 abuse
 admin
 anyone@
 bsd
 bugs@
 cafee
 certific
 contract@
 f-secur
 feste
 free-av
 gold-certs@
 google
 help@
 icrosoft
 info@
 kasp
 linux
 listserv
 local
 nobody@
 noone@
 noreply
 ntivi
 panda
 pgp
 postmaster@
 rating@
 root@
 samples
 sopho
 spam
 support
 unix
 winrar
 winzip

Propagation via P2P

The worm searches for folders whose names contain the string 'shar' (typically the shared download folders of P2P clients) and copies itself into every folder found, under each of the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe  
Microsoft Office 2003 Crack, Working!.exe  
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe  
Opera 8 New!.exe  
Porno Screensaver.scr  
Porno pics arhive, xxx.exe  
Porno, sex, oral, anal cool, awesome!!.exe  
Serials.txt.exe  
WinAmp 5 Pro Keygen Crack Update.exe  
WinAmp 6 New!.exe  
Windown Longhorn Beta Leak.exe  
Windows Sourcecode update.doc.exe  
XXX hardcore images.exe

Infection of files

The worm searches all accessible disks for files with an .exe extension and infects them by appending its polymorphic code to the end of the file, so that infected executables grow past the end of their last section.
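Because the infection appends code after the last section, an infected .exe carries data beyond the end of the section table's raw data (an "overlay"). The following is an added example, not code from the original entry or from any scanner: it parses the PE headers to compute the overlay size. The minimal PE builder exists only so the check runs offline on a constructed, non-executable image; it is not a real program and not the worm's infection routine.

```python
"""Overlay check for appended-code infection (added example, not worm code).

Bagle.n writes its code after the last section of an .exe, so the file grows
past the end of the section table's raw data.  build_minimal_pe() makes a
constructed, non-executable PE32 image purely so the check can run offline.
"""
import struct

FILE_ALIGNMENT = 0x200


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed one-section PE32 image; `overlay` is appended past the section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, 0xE0-byte optional header, EXE flags
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)   # PE32 magic only
    raw_size = _align(len(section_data), FILE_ALIGNMENT)
    raw_ptr = _align(e_lfanew + 4 + len(file_hdr) + len(opt_hdr) + 40, FILE_ALIGNMENT)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + file_hdr + opt_hdr + section
    headers += b"\x00" * (raw_ptr - len(headers))
    body = section_data + b"\x00" * (raw_size - len(section_data))
    return headers + body + overlay


def overlay_size(pe: bytes) -> int:
    """Bytes beyond the end of the last section's raw data; 0 for a clean layout."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = table + 40 * nsections            # at least the headers themselves
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(pe) - end)


def looks_appended(pe: bytes, min_overlay: int = 256) -> bool:
    """Triage signal only: signed binaries and installers also carry overlays."""
    return overlay_size(pe) >= min_overlay


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 16)                       # constructed host file
    infected = build_minimal_pe(b"\xC3" * 16, overlay=b"\x90" * 300)
    print(overlay_size(clean), overlay_size(infected))
```

An overlay by itself is not proof of infection: Authenticode signatures, self-extracting archives and many installers legitimately store data after the last section. Since the worm touches every .exe on accessible disks, the useful signal on a suspect host is a file whose overlay size changed against a known-good baseline (hash or size from backup or package metadata), combined with an entry point that no longer falls inside the original code section.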

Remote administration

The worm opens port 2556 and listens for incoming connections. The backdoor allows a remote operator to execute commands and download files onto the victim machine.

Other

The worm attempts to disable antivirus software and firewalls by terminating the following processes if they are running in memory:
 AGENTSVR.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATUPDATER.EXE
 ATWATCH.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVCONSOL.EXE
 AVGSERV9.EXE
 AVLTMAIN.EXE
 AVPUPD.EXE
 AVSYNMGR.EXE
 AVWUPD32.EXE
 AVXQUAR.EXE
 AVprotect9x.exe
 Au.exe
 BD_PROFESSIONAL.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BOOTWARN.EXE
 BORG2.EXE
 BS120.EXE
 CDP.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CPD.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 D3dupdate.exe
 DEFWATCH.EXE
 DEPUTY.EXE
 DPF.EXE
 DPFSETUP.EXE
 DRWATSON.EXE
 DRWEBUPW.EXE
 ENT.EXE
 ESCANH95.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 EXANTIVIRUS-CNET.EXE
 FAST.EXE
 FIREWALL.EXE
 FLOWPROTECTOR.EXE
 FP-WIN_TRIAL.EXE
 FRW.EXE
 FSAV.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GUARD.EXE
 HACKTRACERSETUP.EXE
 HTLOG.EXE
 HWPE.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFW2000.EXE
 IPARMOR.EXE
 IRIS.EXE
 JAMMER.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KILLPROCESSSETUP161.EXE
 LDPRO.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LSETUP.EXE
 LUALL.EXE
 LUCOMSERVER.EXE
 LUINIT.EXE
 MCAGENT.EXE
 MCUPDATE.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGUI.EXE
 MINILOG.EXE
 MOOLIVE.EXE
 MRFLUX.EXE
 MSCONFIG.EXE
 MSINFO32.EXE
 MSSMMC32.EXE
 MU0311AD.EXE
 NAV80TRY.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NC2000.EXE
 NCINST4.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NETARMOR.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NISSERV.EXE
 NISUM.EXE
 NMAIN.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NSCHED32.EXE
 NTVDM.EXE
 NUPGRADE.EXE
 NVARCH16.EXE
 NWINST4.EXE
 NWTOOL16.EXE
 OSTRONET.EXE
 OUTPOST.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PAVPROXY.EXE
 PCC2002S902.EXE
 PCC2K_76_1436.EXE
 PCCIOMON.EXE
 PCDSETUP.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PF2.EXE
 PFWADMIN.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PPINUPDT.EXE
 PPTBC.EXE
 PPVSTOP.EXE
 PROCEXPLORERV1.0.EXE
 PROPORT.EXE
 PROTECTX.EXE
 PSPF.EXE
 PURGE.EXE
 PVIEW95.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAV8WIN32ENG.EXE
 REGEDIT.EXE
 REGEDT32.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 SAFEWEB.EXE
 SBSERV.EXE
 SD.EXE
 SETUPVAMEEVAL.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SMC.EXE
 SOFI.EXE
 SPF.EXE
 SPHINX.EXE
 SPYXX.EXE
 SS3EDIT.EXE
 ST2.EXE
 SUPFTRL.EXE
 SUPPORTER5.EXE
 SYMPROXYSVC.EXE
 SYSEDIT.EXE
 TASKMON.EXE
 TAUMON.EXE
 TAUSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS-3.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 UNDOBOOT.EXE
 UPDATE.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VFSETUP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCENU6.02D30.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBSCANX.EXE
 WGFE95.EXE
 WHOSWATCHINGME.EXE
 WINRECON.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WYVERNWORKSFIREWALL.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 ZAUINST.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE

©Virus-Encyclopedia.com All Rights Reserved.