Detailed Analysis
Specifics
This variant of the 32-bit Bagle arrives as a file of at least 21,465 bytes; the
virus may append garbage or random data to the end of the file, so the exact
size varies. This threat contains instructions to send itself by SMTP email,
to copy itself to folders whose names contain the string "shar", and to copy
itself to network folders.
On an infected system, these files may exist in the
System or System32 folder -
winxp.exe - 21,465+ bytes - copy of the virus
winxp.exeopen - 21,465+ bytes - copy of the virus
winxp.exeopenopen - 21,465+ bytes - copy of the virus
The virus may send itself as a file attachment with
any of these extensions -
.exe
.scr
.com
.cpl
.vbs
.hta
.zip
The virus may on occasion send itself as either a .VBS
or .HTA file attachment - if this script is opened, it
decodes the copy of the virus carried inside it as an
encoded EXE, writes that EXE to disk and runs it. The virus
could also send itself as a password protected .ZIP file,
with the password given in the body text of the message.
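As an added example (not code from the original writeup), the Python check below is the kind of mail-gateway triage a responder would run against this variant: it parses a message, flags attachments with any of the extensions listed above, and catches the password-protected ZIP case by reading the encryption bit in the archive's local file header and looking for a password in the body text. The sample message is constructed inline; the attachment name `price.zip`, the body wording and the password keywords searched for are assumptions, not taken from the writeup.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions the writeup lists for this Bagle variant.
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".cpl", ".vbs", ".hta", ".zip")

# Assumed body keywords that indicate the archive password is being handed over.
PASSWORD_HINTS = ("password", "pass:")


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header has the encryption bit set.

    Bit 0 of the general-purpose flag (offset 6 of the PK\\x03\\x04 header)
    marks traditional ZIP encryption, i.e. a "password protected" archive.
    """
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack("<H", data[6:8])[0]
    return bool(flags & 1)


def body_mentions_password(msg: EmailMessage) -> bool:
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return False
    text = body.get_content().lower()
    return any(hint in text for hint in PASSWORD_HINTS)


def triage_message(raw: bytes) -> list[str]:
    """Return one finding per suspicious attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(RISKY_EXTENSIONS):
            continue
        findings.append(f"risky attachment: {name}")
        if name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            if zip_is_encrypted(payload) and body_mentions_password(msg):
                findings.append("encrypted zip with password in body")
    return findings


def build_sample() -> bytes:
    """Constructed sample message (not a real capture): a password-protected
    ZIP attachment with the password stated in the body, as described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("winxp.exe", b"MZ not a real executable")
    data = bytearray(buf.getvalue())
    data[6] |= 1  # set the encryption bit so the header reads as password protected
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Hello"
    msg.set_content("See attached. Password: 12345")
    msg.add_attachment(bytes(data), maintype="application",
                       subtype="zip", filename="price.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

The header check only looks at the first entry's flag word, which is enough to tell a password-protected archive from a plain one without needing to decompress anything; a gateway that quarantines on "encrypted archive plus password in body" stops this lure regardless of the file name used.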
This variant creates several mutexes in an effort to avoid
being removed by variants of the W32/Netsky family. Netsky
variants check for their own named mutex at startup so that
only one copy runs; by creating mutexes whose names resemble
the ones already in use by Netsky variants, this variant of
Bagle practically ensures that its process will not be
terminated by certain variants of Netsky, if they were to be
run on the infected system. These are some of the mutexes
created -
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Load at Windows Startup
If this virus is run, it will copy itself to the System
or System32 folder as "winxp.exe" and then modify the
registry so that the copy is run at the next Windows
startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"key" = C:\WINNT\System32\winxp.exe
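As an added example (not code from the original writeup), the Python script below turns the two host indicators above, the Netsky look-alike mutexes and the Run-key entry pointing at the dropped file, into a triage check. The mutex probe and registry read are Windows-only and are passed in as callables so the matching logic can be exercised with constructed inputs elsewhere; the mutex and file names are those listed in the writeup, while the finding strings and the `SYNCHRONIZE`-only open are my own choices.

```python
import ntpath
import sys
from collections.abc import Callable, Mapping

# Mutex names the writeup lists for this variant (Netsky look-alikes).
BAGLE_MUTEXES = (
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
)

# File names the writeup lists as dropped into the System/System32 folder.
DROPPED_NAMES = {"winxp.exe", "winxp.exeopen", "winxp.exeopenopen"}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def windows_mutex_exists(name: str) -> bool:
    """Probe a named mutex with OpenMutexW (Windows only). A handle means some
    process already created it; NULL means it does not exist (or access was
    denied, which for a per-session mutex on a single-user box is unlikely)."""
    import ctypes
    from ctypes import wintypes

    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    kernel32.OpenMutexW.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = (wintypes.HANDLE,)
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


def windows_run_values() -> dict[str, str]:
    """Enumerate value name -> data under the HKCU Run key (Windows only)."""
    import winreg

    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def executable_basename(command: str) -> str:
    """Pull the executable file name out of a Run value such as
    C:\\WINNT\\System32\\winxp.exe or "C:\\some path\\x.exe" /arg."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split(" ", 1)[0]
    return ntpath.basename(command).lower()


def triage(mutex_exists: Callable[[str], bool],
           run_values: Mapping[str, str]) -> list[str]:
    """One finding per indicator present: a held look-alike mutex, or a Run
    entry that launches one of the dropped file names."""
    findings = []
    for name in BAGLE_MUTEXES:
        if mutex_exists(name):
            findings.append(f"mutex present: {name}")
    for value_name, command in run_values.items():
        if executable_basename(command) in DROPPED_NAMES:
            findings.append(f"run entry {value_name!r} -> {command}")
    return findings


if __name__ == "__main__" and sys.platform == "win32":
    for line in triage(windows_mutex_exists, windows_run_values()):
        print(line)
```

A held mutex is evidence that a process created it, not proof of which one: a Netsky infection would hold some of the same names, so the mutex finding should be read together with the Run-key and file-system indicators rather than on its own.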
Email Spreading
When this virus is run, it harvests email addresses
by searching files with specific extensions. Next, the
virus constructs an email message with an infected attachment
and varied subject lines and body text. The attachment file
names are also varied, and the attachment will be at least
21,465 bytes in size. The "From" address is spoofed, as
with other Bagle variants.
Email Formats
The virus may send itself in varied formats and configurations,
selected at random from hard-coded tables. The body text of the
email it sends is likewise selected at random from a table of
hard-coded values.
Remote Access Capability
"Shar" Folder Propagation
The virus will copy itself to every folder on the fixed
drives of the infected system whose name contains the
string "shar" (for example "Microsoft Shared"). The virus
will copy itself to these folders under these file names -
C:\Program Files\Common Files\Microsoft Shared\Microsoft Office 2003 Crack, Working!.exe
C:\Program Files\Common Files\Microsoft Shared\Microsoft Windows XP, WinXP Crack, working Keygen.exe
\Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
\Kaspersky Antivirus 5.0
\Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
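As an added example (not code from the original writeup), the Python scan below does the reverse of the propagation step above: it walks the fixed drives, stops only in folders whose own name contains "shar", and reports executables there that either carry one of the bait names listed above or hide a document extension in front of .exe/.scr (Serials.txt.exe, Windows Sourcecode update.doc.exe). The bait list is copied from the writeup; the set of document extensions used for the double-extension rule, and the sample directory tree built for testing, are my assumptions.

```python
import os
import string
import sys
import tempfile

# File names the writeup lists for the "shar" folder copies (lowercased).
BAIT_NAMES = {
    "microsoft office 2003 crack, working!.exe",
    "microsoft windows xp, winxp crack, working keygen.exe",
    "microsoft office xp working crack, keygen.exe",
    "porno screensaver.scr",
    "serials.txt.exe",
    "windows sourcecode update.doc.exe",
    "ahead nero 7.exe",
    "opera 8 new!.exe",
    "winamp 6 new!.exe",
    "winamp 5 pro keygen crack update.exe",
    "adobe photoshop 9 full.exe",
    "acdsee 9.exe",
}
EXEC_SUFFIXES = (".exe", ".scr")
# Assumed "document" extensions used to spot double extensions such as
# Serials.txt.exe; this set is not from the writeup.
DOC_EXTENSIONS = {"txt", "doc", "jpg", "gif", "pdf", "zip"}


def fixed_drive_roots() -> list[str]:
    """Roots of fixed drives: GetDriveTypeW == DRIVE_FIXED on Windows,
    the filesystem root elsewhere."""
    if sys.platform != "win32":
        return [os.sep]
    import ctypes
    DRIVE_FIXED = 3
    return [f"{letter}:\\" for letter in string.ascii_uppercase
            if ctypes.windll.kernel32.GetDriveTypeW(f"{letter}:\\") == DRIVE_FIXED]


def looks_like_bait(filename: str) -> bool:
    """True for a known bait name, or for an executable with a document
    extension in front of its real one (e.g. something.doc.exe)."""
    lower = filename.lower()
    if not lower.endswith(EXEC_SUFFIXES):
        return False
    if lower in BAIT_NAMES:
        return True
    parts = lower.rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTENSIONS


def scan_shar_folders(roots) -> list[str]:
    """Walk the given roots and return every bait-looking executable that
    sits directly in a folder whose own name contains 'shar'."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            if "shar" not in os.path.basename(dirpath).lower():
                continue
            hits.extend(os.path.join(dirpath, fn)
                        for fn in filenames if looks_like_bait(fn))
    return sorted(hits)


def make_sample_tree() -> str:
    """Constructed sample tree (not a real infection) under a temp directory."""
    base = tempfile.mkdtemp(prefix="bagle_")
    shared = os.path.join(base, "Program Files", "Common Files", "Microsoft Shared")
    nero = os.path.join(base, "Program Files", "Nero")
    os.makedirs(shared)
    os.makedirs(nero)
    for folder, name in [
        (shared, "Serials.txt.exe"),                            # bait in a "shar" folder: hit
        (shared, "Microsoft Office 2003 Crack, Working!.exe"),  # hit
        (shared, "readme.txt"),                                 # not an executable
        (nero, "Ahead Nero 7.exe"),                             # bait name, folder lacks "shar"
    ]:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"MZ")
    return base


if __name__ == "__main__":
    for path in scan_shar_folders(fixed_drive_roots()):
        print(path)
```

Run stand-alone it walks every fixed drive, which takes a while on a large volume; for a quick check point it at the Program Files tree, where the "Microsoft Shared" folders the writeup names live.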