Email-Worm.Win32.Bagle.i
| Alert Level : | Medium |
| Discovered: | Mar 10 2004 |
| Tag: | E-mail Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
Bagle.i is 12288 bytes in size, packed using UPX. The unpacked file is 49152 bytes in size.
Like previous versions of Bagle, Bagle.i sometimes sends copies of itself in password protected ZIP format. In this case, the password is included in the body of the message. The zipped file is about 12KB in size.
Infected messages have the following characteristics:
Message subject line (chosen from the list below):
E-mail account disabling warning.
E-mail account security warning.
Email account utilization warning.
Important notify about your e-mail account.
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Warning about your e-mail account.
Salutation (chosen from the list below):
Dear user of "<name>" mailing system,
Dear user of <name> gateway e-mail server,
Dear user of <name>,
Dear user of e-mail server "<name>",
Dear user, the management of <name> mailing system wants to let you know that,
Hello user of <name> e-mail server,
Message body (chosen from the list below):
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
Your e-mail account has been temporary disabled because of unauthorized access.
Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
Conclusion (chosen from the list below):
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
For more information see the attached file.
Further details can be obtained from attached file.
Pay attention on attached file.
Please, read the attach for further details.
If the copy of the worm is sent in ZIP format, one of the following sentences is appended to the end of the message:
Attached file protected with the password for security reasons. Password is <password>.
For security reasons attached file is password protected. The password is "<password>".
For security purposes the attached file is password protected. Password is "<password>".
In order to read the attach you have to use the following password: <password>.
Signature (chosen from the list below):
Best wishes,
Cheers,
Have a good day,
Kind regards,
Sincerely,
The Management,
followed by:
The <name> team
http://www.<name>
When sending messages, the worm places the domain name of the recipient's mail server in the <name> fields.
Attachment name (chosen from the list below):
Attach
Document
Info
Information
Message
MoreInfo
Readme
TextDocument
TextFile
Attachment extension (chosen from the list below):
exe
pif
zip
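The message characteristics above can be turned into a mail-gateway triage check. The following is an added example, not code from the original write-up or from the source vendor: it parses one raw message, reports which Bagle.i lure traits it matches (listed subject, "Dear/Hello user" salutation, password hint in the body, listed attachment name with a listed extension), and flags the password-protected ZIP variant. The sample message and the sender/domain values in it are constructed for the demonstration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
# Lure characteristics taken from the write-up above.
BAGLE_I_SUBJECTS = {"E-mail account disabling warning.", "E-mail account security warning.",
    "Email account utilization warning.", "Important notify about your e-mail account.",
    "Notify about using the e-mail account.", "Notify about your e-mail account utilization.",
    "Warning about your e-mail account.",
}
ATTACHMENT_STEMS = {"Attach", "Document", "Info", "Information", "Message",
                    "MoreInfo", "Readme", "TextDocument", "TextFile"}
ATTACHMENT_EXTS = {"exe", "pif", "zip"}
SALUTATION_RE = re.compile(r"^(Dear|Hello) user", re.IGNORECASE | re.MULTILINE)
PASSWORD_RE = re.compile(r"password", re.IGNORECASE)

def analyze(raw: bytes) -> dict:
    # Parse one RFC 822 message and collect the Bagle.i lure indicators it matches.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if str(msg["Subject"] or "").strip() in BAGLE_I_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if SALUTATION_RE.search(text):
        hits.append("salutation")
    if PASSWORD_RE.search(text):
        hits.append("password_in_body")
    for part in msg.iter_attachments():  # listed base name with a listed extension
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if stem in ATTACHMENT_STEMS and ext.lower() in ATTACHMENT_EXTS:
            hits.append("attachment:" + name)
    # Verdict: listed subject plus listed attachment, or zip attachment plus password hint.
    has_attachment = any(h.startswith("attachment:") for h in hits)
    zipped = any(h.endswith(".zip") for h in hits) and "password_in_body" in hits
    return {"hits": hits, "suspicious": ("subject" in hits and has_attachment) or zipped}

def build_sample() -> bytes:
    # Constructed sample of the password-protected ZIP variant; not a real worm mail.
    m = EmailMessage()
    m["Subject"] = "E-mail account security warning."
    m.set_content('Dear user of "example.com" mailing system,\n\n'
                  "Your e-mail account has been temporary disabled because of\n"
                  "unauthorized access. For details see the attached file.\n"
                  'For security reasons attached file is password protected.\n'
                  'The password is "12345".\n\nCheers,\nThe example.com team')
    m.add_attachment(b"PK\x03\x04placeholder", maintype="application",  # placeholder bytes,
                     subtype="zip", filename="Message.zip")              # not an archive
    return m.as_bytes()
```

Feed `analyze()` the raw bytes of each inbound message at the gateway; the `hits` list is what to log when the verdict is true.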
Installation
Once launched, the worm copies itself to the Windows system directory under the name irun4.exe and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ssate.exe" = "%system%\irun4.exe"
It also creates a key in the registry:
[HKCU\SOFTWARE\DateTime] "<RANDOM value>" = "1"
The worm attempts to connect to a number of remote sites and to save information about the infected computer on these sites.
Propagation
The worm searches for files with the following extensions:
adb asp cfg cgi dbx eml htm mdx mmf msg nch ods php pl sht tbb txt uin wab xml
It harvests e-mail addresses from these files and then sends itself to all addresses found. The worm uses its own SMTP engine to send messages. It does not send messages to addresses containing the following strings:
@avp. @hotmail.com @microsoft @msn.com local noreply postmaster@ root@
Propagation via P2P
The worm searches for directories whose name contains the string "shar" and copies itself several times into each directory found, under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
The worm opens TCP port 2745 and listens for activity on it. The backdoor function enables the remote execution of commands and the downloading of files to the victim machine.
Other
The worm attempts to counteract the updating of antivirus programs by terminating the following processes:
ATUPDATER.EXE AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVLTMAIN.EXE AVPUPD.EXE AVWUPD32.EXE AVXQUAR.EXE CFIAUDIT.EXE DRWEBUPW.EXE ICSSUPPNT.EXE ICSUPP95.EXE LUALL.EXE MCUPDATE.EXE NUPGRADE.EXE OUTPOST.EXE UPDATE.EXE
The worm is programmed to cease propagation on 26 April 2005.
Removal instructions for Email-Worm.Win32.Bagle.i: