Email-Worm.Win32.Bagle.e

tag:E-mail Worms

0 0

This worm spreads via the Internet as a file attached to infected emails. The worm itself is a PE EXE file of approximately 17KB, packed using PEX. The unpacked file is approximately 27KB in size.

Infected messages have the following characteristics:

Message header (chosen from the list below):

Accounts department
Ahtung!
Camila
Daily activity report
Ello!
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
Price-list
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment  Weekly activity report  Well...
You are dismissed
You really love me? he he

Message body (chosen from the list below):

Cya
Empty
Everything inside the attach
Look it through
Request
Response
Subj

Attachment:

The attachment is a zip file which a name consisting of a random combination of a, b, and c (e.g. cdda.zip). Inside the .zip file is an .exe file with a random name, containing a text file icon.

Installation

Following installation, the worm copies itself and its components to the Windows system directory, under the names "i1ru74n4.exe", "godo.exe", "ii455nj4.exe", and "i1ru74n4.exeopen". It registers "i1ru74n4.exe" in the system registry auto-run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "rate.exe" = "%system%\i1ru74n4.exe"

The worm also creates the registry key:

[HKCU\SOFTWARE\DateTime4]

and saves its variables in the key.

The worm attempts to connect to several sites and save information about the infected victim computer on these sites.

The worm also creates a mutex imain_mutex to flag its presence in memory.

Propagation

The worm searches for files with the following extentions:

adb
asp
cfg
dbx
eml
htm
html
mdx
mmf
nch
ods
php
pl
sht
txt
wab

harvests email addresses, and then sends itself to all addresses found. To send messages, the worm uses its own SMTP server.

Remote administration

The worm opens port 2745 and tracks port activity. The backdoor function makes it possible to remotely execute commands and download files to the victim machine.

Other

The worm attempts to counteract antivirus programs by terminating the following processes:

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE

The worm is programmed to cease propagation after 25th March 2004.

previous:Email-Worm.Win32.Bagle.t
previous:Email-Worm.Win32.Bagle.d

Virus Source from:

New articles

WORM_KELIHOS.SMhis worm may be downloaded from the following remote sites: http://{BLOCKED}.240.36/flash2.exe It may be downloaded from remote site(s) by the follow...Email-Worm.Win32.3DStars This is an Internet worm that spreads via e-mail as an attached EXE file. The worm itself is a Win32 executable file about 70Kb in length, and written in Visua...Email-Worm.Win32.Abotus This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is Windows PE EXE file about 18Kb of length, written in De...Email-Worm.Win32.Aliz This is a virus-worm that spreads via the Internet, attached to infected e-mails. The worm itself is a Windows PE EXE file about 4Kb in length and written in A...Email-Worm.Win32.Bagle.ef This Bagle variant is unable to replicate independently. However, all other functionality indicated that this worm is a member of the Bagle family. It was mass...

Hot Articles