
W32/Bagle.AM@mm - Released Feb 16, 2005 - Last Updated Mar 13, 2007

Alias/es

Email-Worm.Win32.Bagle.al [KAV], W32.Beagle.AO@mm [NAV], W32/Bagle-AQ [Sophos], W32/Bagle.AJ@mm [FP], W32/Bagle.AM@mm, W32/Bagle.AQ@MM [McAfee], WORM_BAGLE.AC [Trend]

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

  • Creation of files in the System32 folder -

    windll.exe
    windll.exeopen
    windll.exeopenopen

  • Numerous files are created in folders whose names contain the string "shar" on the infected system -

    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Microsoft Office XP working Crack, Keygen.exe
    Porno, sex, oral, anal cool, awesome!!.exe
    Porno Screensaver.scr
    Serials.txt.exe
    KAV 5.0
    Kaspersky Antivirus 5.0
    Porno pics arhive, xxx.exe
    Windows Sourcecode update.doc.exe
    Ahead Nero 7.exe
    Windown Longhorn Beta Leak.exe
    Opera 8 New!.exe
    XXX hardcore images.exe
    WinAmp 6 New!.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    Adobe Photoshop 9 full.exe
    Matrix 3 Revolution English Subtitles.exe
    ACDSee 9.exe
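
As an added defender-side example (not part of the Fortinet advisory), the following Python script walks a directory tree and reports the dropped files and lure names listed above; the SHARE_LURES set holds only a subset of the lure names, and the directory tree it scans in demo() is constructed inline, not real infection data.

```python
import os
import tempfile

# Indicators copied from the "Visible Symptoms" section above, lowercased
# because Windows filenames are case-insensitive.
SYSTEM32_DROPS = {"windll.exe", "windll.exeopen", "windll.exeopenopen"}
SHARE_LURES = {  # subset of the lure names; extend with the rest of the list
    "microsoft office 2003 crack, working!.exe",
    "porno screensaver.scr",
    "serials.txt.exe",
    "windows sourcecode update.doc.exe",
    "opera 8 new!.exe",
    "acdsee 9.exe",
}


def scan_tree(root):
    """Walk root and return sorted (indicator, path) pairs for Bagle.AM drops.

    A lure name only counts when it sits in a folder whose name contains
    "shar" (Share, Shared, ...), and a windll.exe* file only counts inside
    a System32 folder, which mirrors the advisory's two symptom lists.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            lname = name.lower()
            if folder == "system32" and lname in SYSTEM32_DROPS:
                hits.append(("system32-drop", os.path.join(dirpath, name)))
            elif "shar" in folder and lname in SHARE_LURES:
                hits.append(("share-lure", os.path.join(dirpath, name)))
    return sorted(hits)


def demo():
    """Scan a constructed tree (not real infection data) and return the hit kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "WINDOWS", "system32")
        share = os.path.join(tmp, "Shared Files")
        docs = os.path.join(tmp, "Documents")
        for d in (sys32, share, docs):
            os.makedirs(d)
        planted = [(sys32, "windll.exeopen"), (sys32, "kernel32.dll"),
                   (share, "Serials.txt.exe"), (docs, "Serials.txt.exe")]
        for d, name in planted:  # Documents copy must not fire: not a "shar" folder
            open(os.path.join(d, name), "wb").close()
        return [kind for kind, _ in scan_tree(tmp)]
```

Run scan_tree() against a drive root on a suspect host; only the dropper names inside System32 and the lure names inside "shar" folders are reported, so a legitimate kernel32.dll or a lure-named file elsewhere produces no hit.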

Detailed Analysis

This variant of Bagle contains code to do the following:

  • install itself to the compromised system
  • send itself to harvested email addresses
  • infect files
  • copy itself to folders likely to be shared across a network or P2P application
  • open TCP port 80, allowing malicious users to access the compromised system

Email Routine
This virus harvests target email addresses by scanning memory and files on the hard drive for strings that look like valid email addresses. It then parses the resulting list and discards any address containing a string that matches its 'avoid' list.

Possible file attachment file names:

new__price.zip
new_price.zip
newprice.zip
price.zip
price2.zip
price_new.zip

The .ZIP attachment contains an HTML file named "price.html" together with "price.exe"; extracting the archive and opening PRICE.HTML launches the binary, probably named PRICE.EXE.

Miscellaneous
While resident in memory, the virus tries to block variants of W32/Netsky from executing. Netsky checks whether it is already running by looking for its own base named object (a Win32 mutex); Bagle creates the mutexes that known Netsky variants use, so a Netsky sample started afterwards concludes it is already running and does not run. Below are the names Bagle creates to try and block Netsky -

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Additionally, Bagle may delete startup registry entries associated with known variants of Netsky. It deletes the following entries if they exist -

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Reference: ID - 7858