Email-Worm.Win32.Bagle.y

This worm spreads via the Internet as an attachment to infected messages. The worm itself is a PE EXE file of approximately 38KB, packed using UPX. The unpacked file is approximately 70KB in size.

Characteristics of infected messages

Sender's address (chosen at random from the following):

annie
ann
christina
christy
jessie
lizie
secretGurl

Message header (chosen at random from the following):

Encrypted document
Fax Message Received
Forum notify
Hello!
Hey!
Hidden message
I just need a friend
I like you
I'm a sad girl...
I'm bored with this life
Incoming message
Let's socialize, my friend!
Let's talk, my friend!
Notify from a known person ;-)
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Fax
Re: Incoming Message
Re: Msg reply
RE: Protected message
RE: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Request response
Site changes

Message body:

There is a wide range of possible message texts.

The message may contain a VBS script; if the user launches it, it exploits a Microsoft Internet Explorer vulnerability (described in Microsoft Security Bulletin MS03-040) to download the worm's executable file from one of several dozen compromised web sites.

Attachment name:

Random, with one of the following extensions: .exe .com .scr .cpl .hta .vbs .zip
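The three message characteristics above (sender name, subject line, attachment extension) are enough to write a gateway-side triage rule. The following is an added example, not code from the encyclopedia entry or from any vendor: it scores a raw RFC 822 message against the lists in the entry. Both sample messages are constructed; the verdict thresholds are an assumption of this example.

```python
"""Mail-gateway triage for messages matching the Bagle.y characteristics.

Added example, not code from the encyclopedia entry: scores a raw message
against the sender names, subject lines and attachment extensions listed
in the entry. SAMPLE_BAGLE and SAMPLE_CLEAN are constructed.
"""
import email
import os
from email.utils import parseaddr

# Sender names from the entry; compared against the From display name and
# the local part of the From address (both lower-cased).
BAGLE_SENDER_NAMES = {"annie", "ann", "christina", "christy", "jessie", "lizie", "secretgurl"}

# Subject lines from the entry, lower-cased for exact comparison.
BAGLE_SUBJECTS = {
    "encrypted document", "fax message received", "forum notify", "hello!", "hey!",
    "hidden message", "i just need a friend", "i like you", "i'm a sad girl...",
    "i'm bored with this life", "incoming message", "let's socialize, my friend!",
    "let's talk, my friend!", "notify from a known person ;-)", "protected message",
    "re: document", "re: hello", "re: hi", "re: incoming fax", "re: incoming message",
    "re: msg reply", "re: protected message", "re: text message", "re: thank you!",
    "re: thanks :)", "re: yahoo!", "request response", "site changes",
}

# Attachment extensions from the entry.
BAGLE_ATTACHMENT_EXTS = {".exe", ".com", ".scr", ".cpl", ".hta", ".vbs", ".zip"}


def sender_names(msg):
    """Candidate sender names: display name plus address local part."""
    display, addr = parseaddr(msg.get("From", ""))
    names = set()
    if display:
        names.add(display.strip().lower())
    if addr:
        names.add(addr.split("@", 1)[0].lower())
    return names


def attachment_extensions(msg):
    """Lower-cased extensions of every MIME part that carries a filename."""
    exts = set()
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            exts.add(os.path.splitext(filename)[1].lower())
    return exts


def score_message(raw):
    """Return (verdict, indicators). Two or more indicators together are
    treated as a match for the worm's message template (assumed threshold)."""
    msg = email.message_from_string(raw)
    indicators = []
    if sender_names(msg) & BAGLE_SENDER_NAMES:
        indicators.append("sender")
    if (msg.get("Subject") or "").strip().lower() in BAGLE_SUBJECTS:
        indicators.append("subject")
    if attachment_extensions(msg) & BAGLE_ATTACHMENT_EXTS:
        indicators.append("attachment")
    if len(indicators) >= 2:
        return "quarantine", indicators
    return ("flag" if indicators else "deliver"), indicators


# Constructed sample: all three characteristics present.
SAMPLE_BAGLE = """\
From: jessie@example.invalid
Subject: Re: Incoming Fax
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached fax.
--b1
Content-Type: application/octet-stream; name="fax_4831.zip"
Content-Disposition: attachment; filename="fax_4831.zip"

(zip bytes elided)
--b1--
"""

# Constructed sample: ordinary message with a text attachment.
SAMPLE_CLEAN = """\
From: Alice Example <alice@example.invalid>
Subject: Re: lunch tomorrow
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

- agenda
--b2--
"""
```

Subject matching is exact on purpose: the entry gives a closed list, and a looser match would hit ordinary "Re: Hello" traffic on its own. The sender and attachment indicators are weak individually, which is why one indicator only flags the message for review.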

Installation

Once launched, the worm copies itself to the Windows system directory under the name "drvsys.exe", and registers this file in the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "drvsys.exe" = "%system%\drvsys.exe"

and creates the following files in the Windows system directory:

drvsys.exeopen
drvsys.exeopenopen
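The autorun value and the dropped file names above are the host-side indicators a responder would check for. The following is an added example, not code from the encyclopedia entry: it parses a text export of the HKLM Run key (the `"name"="data"` format written by `reg export`; Windows usually saves that file as UTF-16, so decode it accordingly when reading from disk) together with a listing of the Windows system directory, and reports the entries the worm creates. The REG_EXPORT, CLEAN_REG_EXPORT and SYSTEM_DIR_LISTING samples are constructed, and the `%SystemRoot%\system32` default in `scan_system_dir` is an assumption.

```python
"""Host-side check for the Bagle.y installation indicators.

Added example, not from the encyclopedia entry: parses a .reg text export of
the Run key plus a system-directory listing and reports the drvsys.exe
autorun value and dropped files. Sample data below is constructed.
"""
import ntpath
import os

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
AUTORUN_VALUE = "drvsys.exe"
DROPPED_FILES = {"drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen"}


def parse_reg_export(text):
    """Return {key_path (lower-cased): {value_name: data}} from .reg text.

    Handles string, default (@) and single-line dword/hex values; the
    backslash and quote escaping reg export applies to string data is undone.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_autorun_indicator(reg_text):
    """Run-key values named drvsys.exe or whose data points at drvsys.exe."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() == AUTORUN_VALUE or ntpath.basename(data).lower() == AUTORUN_VALUE:
            hits.append((name, data))
    return hits


def find_dropped_files(filenames):
    """Names from a directory listing that match the worm's dropped files."""
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)


def scan_system_dir(path=None):
    """Live variant for a Windows host; assumes %SystemRoot%\\system32."""
    path = path or os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    return find_dropped_files(os.listdir(path))


def assess(reg_text, filenames):
    """Combine both indicator checks into one verdict."""
    autorun = find_autorun_indicator(reg_text)
    dropped = find_dropped_files(filenames)
    return {"autorun": autorun, "dropped_files": dropped, "infected": bool(autorun or dropped)}


# Constructed Run-key export from an infected host (ExampleTray is a benign filler).
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"drvsys.exe"="C:\\WINDOWS\\system32\\drvsys.exe"
"""

# Constructed Run-key export from a clean host.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"""

# Constructed listing of the system directory on the infected host.
SYSTEM_DIR_LISTING = ["kernel32.dll", "drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen", "user32.dll"]
```

Matching on the value data as well as the value name catches a renamed autorun entry that still points at the dropped executable, and the two extra file names (drvsys.exeopen, drvsys.exeopenopen) are specific enough that their presence alone is worth an alert.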

When starting, the worm displays the message shown below:

The worm searches the system registry for autorun entries created by other worms (e.g. Netsky) and deletes them:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex

The worm also attempts to connect to a range of remote sites and upload information about the victim computer to them.

Propagation

The worm searches the computer for files with the following extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mdx
mbx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

©Virus-Encyclopedia.com All Rights Reserved.