Aliases: W32.Beagle.AR@mm [NAV], W32/Bagle.AM@mm [FP], W32/Bagle.AZ-net, W32/Bagle.AZ-tr, W32/Bagle.az@MM [McAfee], WORM_BAGLE.AM [Trend]
Detection Availability
Visible Symptoms
Detailed Analysis

This variant of the 32-bit Bagle family is packed; the packed file is at least 25,064 bytes, and the virus may append garbage or random data beyond hex offset 0x61E8 (25,064 bytes). This threat contains instructions to send itself by SMTP email, to copy itself to folders whose name contains the string "shar", and to copy itself to network folders.

On an infected system, these files may exist in the System or System32 folder:
- bawindo.exe - 25,064+ bytes - copy of the virus
- bawindo.exeopen - 18,690+ bytes - copy of the virus
- bawindo.exeopenopen - 18,690+ bytes - copy of the virus

The virus may send itself as a file attachment with any of these extensions: .exe, .scr, .com, .cpl

This variant creates several mutexes in an effort to avoid removal by variants of the W32/Netsky family. By creating mutex names that resemble ones already in use by Netsky variants, this Bagle variant practically ensures that its threads will not be terminated by certain Netsky variants if they run on the infected system. These are the mutexes created:
- MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
- 'D'r'o'p'p'e'd'S'k'y'N'e't'
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<--____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Load at Windows Startup

If this virus is run, it copies itself to the System or System32 folder as "bawindo.exe" and then modifies the registry so that it runs automatically at the next Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"bawindo" = C:\WINNT\System32\bawindo.exe

Email Spreading

When this virus is run, it harvests email addresses by searching files with specific extensions. Next, it constructs an email message with an infected attachment and varied subject lines and body text. The attachment file names vary, and the attachment is at least 25,064 bytes in size. The "From" address is spoofed, as with other Bagle variants.

Email Formats

The virus may send itself in varied formats and configurations, based on random selection from hard-coded tables.

Remote Access Capability

This virus opens a connection on TCP port 81 and may function as an SMTP email proxy server. Port 81 is also used by secure HTTP protocol (HTTPS).

"Shar" Folder Propagation

The virus copies itself to folders on all fixed drives connected to the infected system whose name contains the string "shar". It copies itself to these folders under these file names:
- ACDSee 9.exe
- Adobe Photoshop 9 full.exe
- Ahead Nero 7.exe
- KAV 5.0 Kaspersky Antivirus 5.0
- Matrix 3 Revolution English Subtitles.exe
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Opera 8 New!.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno pics arhive, xxx.exe
- Porno Screensaver.scr
- Serials.txt.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Windows Sourcecode update.doc.exe
- Windown Longhorn Beta Leak.exe
- XXX hardcore images.exe
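The indicators above (dropped file names and minimum sizes, the Run-key value, the Netsky-lookalike mutex names and the "shar"-folder decoy names) can be checked on a host in one pass. The script below is an added example, not part of the original description: it runs over constructed observations embedded in the script (on a real host they would come from a directory walk, a Run-key export and a handle or object-namespace listing), and the double-extension heuristic that flags document-looking names ending in an executable extension is an editor's generalisation of the decoy list, not something the description states.

```python
"""Host IoC triage for the Bagle variant described above (added example).
Indicators come from the description; the host observations are constructed."""
import ntpath
import re

# Files dropped into System/System32 and the minimum size reported for each.
DROPPED_FILES = {
    "bawindo.exe": 25_064,
    "bawindo.exeopen": 18_690,
    "bawindo.exeopenopen": 18_690,
}

RUN_VALUE_NAME = "bawindo"  # value under HKCU\...\CurrentVersion\Run

# Mutex names the variant creates to resemble Netsky's own (exact match).
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}

# Decoy file names used when copying into "shar" folders (compared case-insensitively).
SHAR_DECOYS = {n.lower() for n in (
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe",
    "KAV 5.0 Kaspersky Antivirus 5.0", "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe", "Opera 8 New!.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Porno pics arhive, xxx.exe",
    "Porno Screensaver.scr", "Serials.txt.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Windows Sourcecode update.doc.exe",
    "Windown Longhorn Beta Leak.exe", "XXX hardcore images.exe",
)}

# Editor's heuristic generalising the decoy list: a document- or media-looking
# name that really ends in an executable extension, e.g. "update.doc.exe".
DOUBLE_EXT = re.compile(r"\.(doc|txt|jpg|avi|mp3)\.(exe|scr|com|cpl)$", re.IGNORECASE)


def check_files(files):
    """files: iterable of (windows_path, size_in_bytes); returns finding strings."""
    findings = []
    for path, size in files:
        folder, name = ntpath.split(path)
        parent = ntpath.basename(folder).lower()
        lower = name.lower()
        if lower in DROPPED_FILES and parent in ("system", "system32"):
            if size >= DROPPED_FILES[lower]:
                findings.append(f"dropped copy: {path} ({size} bytes)")
            else:
                findings.append(f"name match but undersized: {path} ({size} bytes)")
        if "shar" in parent:  # folder name contains "shar", as in the description
            if lower in SHAR_DECOYS:
                findings.append(f"shar-folder decoy name: {path}")
            elif DOUBLE_EXT.search(name):
                findings.append(f"shar-folder double extension: {path}")
    return findings


def check_run_keys(run_values):
    """run_values: {value name: command} read from the HKCU Run key."""
    findings = []
    for name, command in run_values.items():
        target = ntpath.basename(command.strip('"')).lower()
        if name.lower() == RUN_VALUE_NAME or target == "bawindo.exe":
            findings.append(f"autorun: {name} = {command}")
    return findings


def check_mutexes(names):
    """names: mutex names observed on the host."""
    return [f"netsky-lookalike mutex: {m}" for m in names if m in MUTEXES]


def triage(host):
    return (check_files(host["files"]) + check_run_keys(host["run"])
            + check_mutexes(host["mutexes"]))


# Constructed observations: two dropped copies, a clean system binary, a decoy
# and a double-extension file in a "Shared" folder, and one lookalike mutex.
SAMPLE_HOST = {
    "files": [
        (r"C:\WINNT\System32\bawindo.exe", 25_064),
        (r"C:\WINNT\System32\bawindo.exeopen", 18_690),
        (r"C:\WINNT\System32\notepad.exe", 66_048),
        (r"D:\Shared\Serials.txt.exe", 25_100),
        (r"D:\Shared\holiday.jpg.exe", 30_000),
    ],
    "run": {"bawindo": r"C:\WINNT\System32\bawindo.exe",
            "ctfmon": r"C:\WINNT\System32\ctfmon.exe"},
    "mutexes": ["AdmSkynetJklS003", "MSCTF.Shared.MUTEX.ABC"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
```

The size check matters because the reported sizes are minimums (the variant pads itself past offset 0x61E8), so a file carrying one of the dropped names but smaller than the reported minimum is reported separately rather than silently ignored.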
Recommended Action