Visible Symptoms
- Possible firewall alert that the file "lmovie.exe"
or "vcualts32.exe" is attempting to connect to the
Internet, possibly using TCP ports 80 and 6667
- Creation of these files on the infected system [note,
the System32 folder may be in a different path depending
on the version of Windows and user preferences] -
C:\WINNT\vcualts32.exe
C:\WINNT\system32\lmovie.exe
C:\WINNT\system32\lmovie.exeopen
C:\WINNT\system32\lmovie.exeopenopen
- When opening an email attachment, a fake error
message resembling this one is displayed -
- Numerous files are created in "shared" folders,
or folders whose name contains the string "shar" -
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
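The peer-to-peer spreading above (executables dropped into any folder whose name contains "shar", often with a deceptive inner extension such as ".txt.exe" or ".doc.exe") can be hunted for on a file share. This is an added example, not part of the original analysis: the known names come from the list above, the generic double-extension heuristic is an assumption, and make_sample_tree() builds a constructed directory tree for the test.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

EXECUTABLE = {".exe", ".scr"}
# Names taken from the dropped-file list on the page.
DROPPED_NAMES = {"Serials.txt.exe", "Porno Screensaver.scr", "Ahead Nero 10.exe",
                 "Windows Sourcecode update.doc.exe", "Adobe Photoshop 9 full.exe"}
# Assumed set of "bait" inner extensions; not an exhaustive list from the page.
BAIT_INNER = {".txt", ".doc", ".jpg", ".avi", ".mpg"}


def classify(path: Path) -> Optional[str]:
    """Return a reason if a file looks like one of the dropped copies, else None."""
    if path.suffix.lower() not in EXECUTABLE:
        return None
    if path.name in DROPPED_NAMES:
        return "known-name"
    inner = Path(path.stem).suffix.lower()  # ".txt" for "Serials.txt.exe"
    if inner in BAIT_INNER:
        return "double-extension"
    return None


def scan_shares(root: Path) -> Dict[str, str]:
    """Walk root and inspect files only inside folders whose name contains 'shar'."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in Path(dirpath).name.lower():
            continue
        for name in files:
            p = Path(dirpath, name)
            reason = classify(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings


def make_sample_tree() -> Path:
    """Constructed sample tree: one share folder with bait files, one clean folder."""
    root = Path(tempfile.mkdtemp())
    share = root / "My Shared Folder"
    share.mkdir()
    (share / "Serials.txt.exe").write_bytes(b"MZ")   # known dropped name
    (share / "holiday.jpg.exe").write_bytes(b"MZ")   # generic double extension
    (share / "readme.txt").write_text("harmless")
    other = root / "Documents"
    other.mkdir()
    (other / "setup.exe").write_bytes(b"MZ")         # not in a share folder
    return root
```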
Detailed Analysis
This variant of Bagle differs from other variants in
that it uses an icon resembling a heart, which is
fitting, as this variant was discovered in February,
the month of "love". The file icon resembles this -

This variant is received in an HTML format email message,
constructed to appear as a love letter with heart images
as a background, and versions of poems as the body text.
This virus carries its own SMTP engine (as with previous
variants) but also drops a second piece, a file named
"vcualts32.exe" that connects with web counters,
probably an effort by the virus writer to track how
many infections have occurred.
Loading at Windows startup
If the threat is run manually, it will copy itself to
the local system in several places -
C:\WINNT\vcualts32.exe
C:\WINNT\system32\lmovie.exe
C:\WINNT\system32\lmovie.exeopen
C:\WINNT\system32\lmovie.exeopenopen
The virus has a file size in excess of 27,136 bytes
and is UPX packed. The virus will register itself to
load at Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"MovieM" = C:\WINNT\system32\lmovie.exe
SMTP mass-mailing routine
The virus has instructions to send a copy of itself
to contacts found in files of certain extensions. Email
addresses are harvested from files having these
extensions -
- adb
- asp
- dbx
- htm
- php
- sht
- tbb
- wab
The captured addresses are used as targets for the
mailing routine. This virus uses an exclusion list of
strings to cross-reference found addresses. Any address
found having these strings will be skipped -
- @hotmail
- @msn
- @microsoft
- rating@
- f-secur
- news
- update
- anyone@
- bugs@
- contract@
- feste
- gold-certs@
- help@
- info@
- nobody@
- noone@
- kasp
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- sopho
- @foo
- @iana
- free-av
- @messagelab
- winzip
- google
- winrar
- samples
- abuse
- panda
- cafee
- spam
- pgp
- @avp.
- noreply
- local
- root@
- postmaster@
The virus will construct an email in HTML format with
the intention of using a background image to send a
message of love to the targeted victim. This is one
of the expected formats of the messages -
Subject: See you tonight!
Body:
Click to attachment to load a movie

Love at the lips was touch
As sweet as I could bear;
And once that seemed too much;
I lived on air
That crossed me from sweet things,
The flow of - was it musk
From hidden grapevine springs
Down hill at dusk?
I had the swirl and ache
From sprays of honeysuckle
That when they're gathered shake
Dew on the knuckle.
I craved strong sweets, but those
Seemed strong when I was young;
The petal of the rose
It was that stung.
Now no joy but lacks salt
That is not dashed with pain
And weariness and fault;
I crave the stain
Of tears, the aftermark
Of almost too much love,
The sweet of bitter bark
And burning clove.
When stiff and sore and scarred
I take away my hand
From leaning on it hard
In grass and sand
The hurt is not enough:
I long for weight and strength
To feel the earth as rough
To all my length.
Attachment: mplay.exe
The possible file attachment names are -
love_me.exe
mplay.exe
love_me_now.exe
Description.exe
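A mail-gateway check for the message format described in this section (the subject, the "Click to attachment to load a movie" HTML body and the four attachment names). This is an added example, not code from the original analysis: the indicator values are taken from the page, and build_sample() constructs a message in that shape for the test.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Indicator values as listed in the analysis above.
SUBJECTS = {"See you tonight!"}
ATTACHMENTS = {"love_me.exe", "mplay.exe", "love_me_now.exe", "Description.exe"}
BODY_MARKER = "click to attachment to load a movie"


def inspect_message(raw: bytes) -> List[str]:
    """Parse one RFC 822 message and return the list of indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name and name.lower().endswith(".exe"):
            hits.append("exe-attachment:" + name)  # generic .exe attachment
        if part.get_content_type() == "text/html":
            # Strip tags and collapse whitespace before matching the lure text.
            text = re.sub(r"<[^>]+>", " ", part.get_content())
            if BODY_MARKER in " ".join(text.split()).lower():
                hits.append("body")
    return hits


def build_sample() -> bytes:
    """Constructed sample: HTML love-letter message with an .exe attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "See you tonight!"
    m.set_content("Click to attachment\nto load a movie")
    m.add_alternative(
        "<html><body background='heart.gif'>Click to attachment<br>"
        "to load a movie</body></html>", subtype="html")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="mplay.exe")
    return m.as_bytes()
```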
Backdoor functionality
The virus will create a thread that functions as a backdoor,
using TCP port 6777.
Additional Component
The virus writes another component into the Windows
folder named 'vcualts32.exe'. This file is coded to
contact several sites and log the infected computer
using server-side scripts. The Trojan connects to these
sites -
dook.zoo.by
debut.zoo.com
bit.korzo.com
ijj.t1035.com
200.81.16.147
Some of the URLs referenced are counters.
Miscellaneous
The virus carries the following text which is never
displayed -
In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
-- Bagle Author, 29.04.04, Germany.
While in memory, the virus uses the following Mutex
names -
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The Trojan carries this unencrypted string in its
body, which is never displayed -
bagla_magla_super_downloader_1000