W32/Bagle.AF@mm
Analysis
Specifics
This variant of the 32-bit Bagle family is packed, with a file size in excess of 19,024 bytes - the virus may have appended garbage or random data beyond hex offset 0x4A50 (19,024 bytes). This threat contains instructions to send itself by SMTP email, to copy itself to folders whose names contain the string "shar", and to copy itself to network folders.
On an infected system, these files may exist in the System or System32 folder -
sysxp.exe - 19,024+ bytes - copy of the virus
sysxp.exeopen - 19,024+ bytes - copy of the virus
sysxp.exeopenopen - 19,024+ bytes - copy of the virus
The virus may send itself as a file attachment with any of these extensions -
.exe
.scr
.com
.cpl
.vbs
.hta
.zip
The virus may on occasion send itself as either a .VBS or .HTA file attachment - if this file is opened, it will extract a copy of the virus as an encoded EXE, then run the file. The virus could also send itself as a password protected .ZIP file, with the password listed in the body text.
This variant creates several mutexes in an effort to avoid being removed by variants of the W32/Netsky family of viruses. By creating mutex names that resemble ones already used by Netsky variants, this variant of Bagle practically ensures that its process will not be terminated by certain Netsky variants if they run on the infected system. These are some of the mutexes created -
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Load at Windows Startup
If this virus is run, it copies itself to the System or System32 folder as "sysxp.exe" and then modifies the registry so that it is run automatically at the next Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"key" = C:\WINNT\System32\sysxp.exe
Email Spreading
When this virus is run, it harvests email addresses by searching files with specific extensions. Next, the virus constructs an email message with an infected attachment and varied subject lines and body text. The file names used are also varied, and the attachment will be at least 19,024 bytes in size. The "From" address is spoofed, as with other Bagle variants.
Email Formats
The virus may send itself in varied formats and configurations,
based on random selection of hard-coded tables.
These are possible subject lines -
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Possible body text for HTML format messages created by the virus -
Read the attach.<br><br>
Your file is attached.<br><br>
More info is in attach<br><br>
See attach.<br><br>
Please, have a look at the attached file.<br>
Your document is attached.<br><br>
Please, read the document.<br><br>
Attach tells everything.<br><br>
Attached file tells everything.<br><br>
Check attached file for details.<br><br>
Check attached file.<br><br>
Pay attention at the attach.<br><br>
See the attached file for details.<br><br>
Message is in attach<br><br>
Here is the file.<br><br>
The virus may add additional body text related to attachments that are password protected .ZIP files. If the format of the email message is standard text, the password will be visible as in these examples -
Password: undefineds
Pass - undefineds
Password - undefineds
where "undefineds" is the actual password. Otherwise, if the email message is HTML format, the virus will include a picture of the password used to encrypt the .ZIP file attachment. These are possible additional body text for HTML format messages -
<br>For security reasons attached file is password protected. The password is <img src="cid:undefineds.undefineds"><br>
<br>For security purposes the attached file is password protected. Password -- <img src="cid:undefineds.undefineds"><br>
<br>Note: Use password <img src="cid:undefineds.undefineds"> to open archive.<br>
<br>Attached file is protected with the password for security reasons. Password is <img src="cid:undefineds.undefineds"><br>
<br>In order to read the attach you have to use the following password: <img src="cid:undefineds.undefineds"><br>
<br>Archive password: <img src="cid:undefineds.undefineds"><br>
<br>Password - <img src="cid:undefineds.undefineds"><br>
<br>Password: <img src="cid:undefineds.undefineds"><br>
These are the possible file names of the attachments -
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
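As an added defender-side example (not part of the Fortinet advisory), the following Python mail-gateway heuristic flags messages that combine the subject table, attachment extensions and password-in-body patterns described above; the messages it scores are constructed test data, and the `score_message` / `build_sample` names are this example's own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines and attachment extensions listed in the advisory above.
BAGLE_SUBJECTS = {
    "re: msg reply", "re: hello", "re: yahoo!", "re: thank you!", "re: thanks :)",
    "re: text message", "re: document", "incoming message", "re: incoming message",
    "re: incoming msg", "re: message notify", "notification", "changes..", "update",
    "fax message", "protected message", "re: protected message", "forum notify",
    "site changes", "re: hi", "encrypted document",
}
BAGLE_EXTENSIONS = (".exe", ".scr", ".com", ".cpl", ".vbs", ".hta", ".zip")
# Plain-text form: "Password: xxx", "Pass - xxx", "Password - xxx".
TEXT_PASSWORD_RE = re.compile(r"\bpass(?:word)?\s*[:-]+\s*[^\s<]+", re.IGNORECASE)
# HTML form: the password is an inline image referenced by Content-ID, not text.
CID_PASSWORD_RE = re.compile(r"password[^<]{0,40}<img\s+src=\"cid:", re.IGNORECASE)

def score_message(raw: bytes) -> dict:
    """Return the Bagle.AF-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hits = {
        "subject": subject in BAGLE_SUBJECTS,
        "attachment": any(n.lower().endswith(BAGLE_EXTENSIONS) for n in names),
        "text_password": bool(TEXT_PASSWORD_RE.search(text)),
        "cid_password": bool(CID_PASSWORD_RE.search(text)),
    }
    # A lure subject alone is common; require the attachment plus a password hint.
    hits["suspect"] = hits["subject"] and hits["attachment"] and (
        hits["text_password"] or hits["cid_password"])
    return hits

def build_sample(subject: str, body: str, subtype: str, attachment: str) -> bytes:
    """Construct a synthetic message in the advisory's layout (test data, not a capture)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"  # the advisory notes the sender is spoofed
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body, subtype=subtype)
    m.add_attachment(b"PK\x03\x04 constructed placeholder, not an archive",
                     maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

The HTML-format case is the one worth noting: the password never appears as text, so a filter keyed only on "Password:" strings misses it, while the `cid:` image reference next to the word "password" does not.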
Remote Access Capability
This virus opens a listener on TCP port 1234 and awaits instructions from a remote malicious user, giving the attacker a backdoor into the infected system.
"Shar" Folder Propagation
The virus copies itself, on all fixed drives connected to the infected system, into folders whose names contain the string "shar". The virus copies itself to these folders under these file names -
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Miscellaneous
This virus appends garbage data beyond hexadecimal offset 0xEDFF (19,024 bytes) in .EXE, .SCR and .COM files, making MD5 checksum identification ineffective.
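As an added example (not part of the Fortinet advisory), the Python below shows the usual answer to appended-garbage padding: hash only the fixed 19,024-byte body the advisory describes rather than the whole file, and apply that check to the "shar" folders the virus targets. The sample files are constructed random bytes, not malware, and every function name here is this example's own.

```python
import hashlib
import os
import random
import tempfile

# The advisory states the viral body is 19,024 bytes and that garbage is appended beyond it,
# so a whole-file MD5 changes from copy to copy while the body itself does not.
BAGLE_BODY_LEN = 19024

def body_sha256(data: bytes) -> str:
    """Hash only the fixed-length body; anything appended after it is ignored."""
    return hashlib.sha256(data[:BAGLE_BODY_LEN]).hexdigest()

def classify(data: bytes, known_body_hash: str) -> str:
    """Return 'bagle-body-match' when the first 19,024 bytes equal a known body."""
    if len(data) < BAGLE_BODY_LEN:
        return "clean"  # shorter than the body, so it cannot be a complete copy
    return "bagle-body-match" if body_sha256(data) == known_body_hash else "clean"

def scan_shar_folders(root: str, known_body_hash: str) -> list:
    """Walk root and check files only in folders whose name contains 'shar',
    the propagation target named in the advisory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if classify(fh.read(), known_body_hash) == "bagle-body-match":
                    hits.append(path)
    return sorted(hits)

def make_samples(n: int = 3, seed: int = 7) -> list:
    """Constructed stand-ins: one shared pseudo-body plus a different random trailer each."""
    rng = random.Random(seed)
    body = rng.randbytes(BAGLE_BODY_LEN)  # not real malware bytes
    return [body + rng.randbytes(rng.randrange(1, 4096)) for _ in range(n)]

def build_demo_tree() -> tuple:
    """Temp tree: 'shared files' holds two padded copies, 'docs' a benign file."""
    root = tempfile.mkdtemp()
    copies = make_samples(2)
    shared = os.path.join(root, "shared files")
    os.makedirs(shared)
    for i, data in enumerate(copies):
        with open(os.path.join(shared, f"Serials{i}.txt.exe"), "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "notes.txt"), "wb") as fh:
        fh.write(b"harmless" * 4000)
    return root, body_sha256(copies[0])
```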
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, enable blocking of these extensions across SMTP, POP3 and IMAP - it may require adding some of these extensions to the list -
.COM
.SCR
.EXE
.CPL
.VBS
.HTA
.ZIP
- Using the FortiGate manager, define a service using TCP port 1234 named "Bagle", then enable blocking of this port
Telemetry
Detection Availability
Product | Availability |
---|---|
FortiGate | Extreme |
FortiClient | Extended |
FortiMail | Extended |
FortiSandbox | Extended |
FortiWeb | Extended |
Web Application Firewall | Extended |
FortiIsolator | Extended |
FortiDeceptor | Extended |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2021-06-01 | 86.00601 | |
2021-05-18 | 86.00265 | |
2021-03-23 | 84.00920 | |
2021-03-03 | 84.00446 | |
2021-02-09 | 83.91300 | Sig Updated |
2021-01-19 | 83.40900 | Sig Updated |
2021-01-04 | 83.05300 | Sig Updated |
2021-01-04 | 83.05000 | Sig Updated |
2021-01-03 | 83.02600 | Sig Updated |
2020-11-21 | 81.99800 | Sig Updated |