W32/Bagle.A@mm

Analysis

  • The virus is a 32-bit executable with a file size of 15,872 bytes
  • The first PE section of the virus is named "Beagle", a derivative of the virus name
  • The virus may have been received in an email message as an attachment with a randomly created file name - the file has an .EXE extension
  • If the virus attachment is opened or run, it will first check the system date and if the value is later than January 28, 2004, the virus will exit
  • Otherwise, the virus instructions will continue - the virus runs the Windows application CALC as a diversion, while in the background it will begin searching the hard drive for email addresses
  • The virus looks into files with the extensions .wab, .txt, .htm and .html for valid email addresses - the virus will create an email with an infectious attachment and send itself to each email address found
  • The virus sends itself through an external SMTP server rather than the victim's mail client: for each address found it looks up the MX record of the address's domain, connects to that mail server over SMTP and delivers the message there, so the sending path does not depend on any locally configured mail account
  • For instance, if the virus finds the addresses joesmith@company1.com and joesmith@company2.com, it will look up the MX record for "company1.com", attempt to connect to that server and hand it the recipient address joesmith
  • The virus creates a spoofed email whose To and From fields are both email addresses harvested from the victim computer, so the apparent sender is not the infected machine's owner
  • The MIME email message may be in this format -

    From: [email address found on infected system]
    To: [email address found on infected system]
    Subject: Hi
    Body:
    Test =)
    [random characters]
    Test, yep
    Attachment: [filename].exe

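As an added example (not Fortinet's text or the page's own code), the following Python checks whether a raw MIME message matches the template above: Subject "Hi", a three-line body of "Test =)", filler, "Test, yep", and an .EXE attachment, additionally noting whether the attachment starts with the MZ executable header. Both sample messages are constructed here for illustration, not real captures.

```python
import email
from email import policy

# Constructed sample shaped like the template in the analysis (not a real capture).
BAGLE_LIKE = """\
From: alice@example.com
To: bob@example.net
Subject: Hi
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Test =)
kqzpd8as
Test, yep
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="xkqpv.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--b1--
"""

# Constructed benign message: same subject and body text, but no attachment.
BENIGN = "From: a@example.com\nTo: b@example.net\nSubject: Hi\n\nTest =)\nhello\nTest, yep\n"

def looks_like_bagle_a(raw: str) -> dict:
    """Return each indicator hit plus an overall verdict (all three must match)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject_hit = (msg.get("Subject") or "").strip() == "Hi"
    body, exe_names, mz_hit = "", [], False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:  # attachment part
            if name.lower().endswith(".exe"):
                exe_names.append(name)
                data = part.get_payload(decode=True) or b""
                mz_hit = mz_hit or data[:2] == b"MZ"  # DOS/PE executable magic
            continue
        if part.get_content_type() == "text/plain":
            body += part.get_content()
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    body_hit = len(lines) == 3 and lines[0] == "Test =)" and lines[2] == "Test, yep"
    return {"subject_hit": subject_hit, "body_hit": body_hit, "mz_hit": mz_hit,
            "exe_attachments": exe_names,
            "verdict": subject_hit and body_hit and bool(exe_names)}
```

The benign sample shows why the indicators are combined: subject and body alone also match ordinary short mail, so only the full template together with an executable attachment yields a positive verdict.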
  • The virus writes itself into the Windows\System32 folder and modifies the registry so that it runs automatically at the next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run\
    d3dupdate.exe = C:\WINNT\System32\bbeagle.exe

  • The virus may create two additional registry entries under a key named "windows98", regardless of which 32-bit Windows version is actually running -

    HKEY_CURRENT_USER\Software\windows98\
    frun = 01,00,00,00
    uid = (random numeric value)

  • The virus may attempt to open TCP port 6777 and await instructions from a hacker or group of hackers

  • The infected system may attempt to connect to any of a list of hard-coded web sites and send information to a server-side script file named '1.php' - the virus passes a query string of the form "?p=%lu&id=%s", where "p" is the port 6667 and "%s" is some numeric value -

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Block inbound/outbound (EXT -> INT/INT -> EXT) access to TCP port 6777
  • Enable blocking of .EXE file attachments by SMTP, POP3 and IMAP

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR

Version Updates

Date        Version    Detail
2023-01-10  90.09530
2022-12-01  90.08342
2021-02-16  84.08100   Sig Updated
2020-11-29  82.17800   Sig Added