W32/Bagle.AF@mm

Analysis


Specifics
This variant of the 32-bit Bagle family is packed and has a file size in excess of 19,024 bytes: the virus body ends at hex offset 0x4A50 (19,024 bytes), and garbage or random data may be appended beyond that point. This threat contains instructions to send itself by SMTP email, to copy itself to folders whose names contain the string "shar", and to copy itself to network folders.

On an infected system, these files may exist in the System or System32 folder -

sysxp.exe - 19,024+ bytes - copy of the virus
sysxp.exeopen - 19,024+ bytes - copy of the virus
sysxp.exeopenopen - 19,024+ bytes - copy of the virus

The virus may send itself as a file attachment with any of these extensions -

.exe
.scr
.com
.cpl
.vbs
.hta
.zip

The virus may on occasion send itself as a .VBS or .HTA file attachment; if this script file is opened, it decodes an embedded, encoded copy of the virus into an EXE file and then runs that file. The virus can also send itself as a password-protected .ZIP file, with the password given in the body text.

This variant creates several mutexes so that it is not removed by variants of the W32/Netsky family of viruses. By creating mutex names that resemble ones already in use by Netsky variants, this variant of Bagle practically ensures that its process will not be terminated by certain Netsky variants, should they be run on the infected system. These are some of the mutexes created -

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_


Load at Windows Startup
If this virus is run, it copies itself to the System or System32 folder as "sysxp.exe" and then modifies the registry so that it is run automatically at the next Windows startup -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"key" = C:\WINNT\System32\sysxp.exe

Email Spreading
When this virus is run, it harvests email addresses by searching files with specific extensions. It then constructs an email message carrying an infected attachment, with the subject line and body text varied. The attachment file names are also varied, and the attachment is at least 19,024 bytes in size. The "From" address is spoofed, as with other Bagle variants.


Email Formats
The virus may send itself in varied formats and configurations, based on random selection of hard-coded tables.

These are possible subject lines -

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Possible body text for HTML format messages created by the virus -

Read the attach.<br><br>
Your file is attached.<br><br>
More info is in attach<br><br>
See attach.<br><br>
Please, have a look at the attached file.<br>
Your document is attached.<br><br>
Please, read the document.<br><br>
Attach tells everything.<br><br>
Attached file tells everything.<br><br>
Check attached file for details.<br><br>
Check attached file.<br><br>
Pay attention at the attach.<br><br>
See the attached file for details.<br><br>
Message is in attach<br><br>
Here is the file.<br><br>

The virus may add further body text relating to attachments that are password-protected .ZIP files. If the email message is in plain-text format, the password is visible as text, as in these examples -

Password: undefineds
Pass - undefineds
Password - undefineds

where "undefineds" stands for the actual password. Otherwise, if the email message is in HTML format, the virus includes a picture of the password used to encrypt the .ZIP attachment, so the password itself does not appear as text in the message. These are possible additional body texts for HTML format messages -

<br>For security reasons attached file is password protected. The password is <img src="cid:undefineds.undefineds"><br>

<br>For security purposes the attached file is password protected. Password -- <img src="cid:undefineds.undefineds"><br>

<br>Note: Use password <img src="cid:undefineds.undefineds"> to open archive.<br>

<br>Attached file is protected with the password for security reasons. Password is <img src="cid:undefineds.undefineds"><br>

<br>In order to read the attach you have to use the following password: <img src="cid:undefineds.undefineds"><br>

<br>Archive password: <img src="cid:undefineds.undefineds"><br>

<br>Password - <img src="cid:undefineds.undefineds"><br>

<br>Password: <img src="cid:undefineds.undefineds"><br>

These are the possible file names of the attachments -

Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
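An added example (not part of the advisory and not Fortinet's code) that checks one raw message for the traits listed above: a subject from the hard-coded table, an attachment whose name stem and extension come from the lists, and a password disclosed either as text or as a cid: image right after the word "password". The indicator tables are transcribed from this page; the sample messages are constructed here, not captured worm mail, and the function names are mine.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Indicator tables transcribed from the subject, file name and extension lists above
BAGLE_SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document"}
BAGLE_STEMS = {"information", "details", "text_document", "updates", "readme",
               "document", "info", "moreinfo", "message"}
RISKY_EXT = {".exe", ".scr", ".com", ".cpl", ".vbs", ".hta", ".zip"}
# Text bodies spell the archive password out ("Password: x", "Pass - x");
# HTML bodies put it in an inline image referenced by a cid: URL right after the word
TEXT_PASSWORD_RE = re.compile(r"\bpass(?:word)?\s*[:-]+\s*(\S+)", re.IGNORECASE)
HTML_PASSWORD_RE = re.compile(r'password[^<]{0,40}<img\s+src="cid:', re.IGNORECASE)

def bagle_indicators(raw):
    """List the Bagle.AF mail traits present in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in BAGLE_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if stem.lower() in BAGLE_STEMS:
            hits.append("attachment-name")
        if ext.lower() in RISKY_EXT:
            hits.append("attachment-ext")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        text, kind = body.get_content(), body.get_content_subtype()
        if kind == "html" and HTML_PASSWORD_RE.search(text):
            hits.append("password-image")
        elif kind == "plain" and TEXT_PASSWORD_RE.search(text):
            hits.append("password-text")
    return hits

def build_sample(subject, body, subtype, attach_name):
    """Constructed test message (placeholder bytes as the attachment, not a real sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body, subtype=subtype)
    m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                     subtype="zip", filename=attach_name)
    return m.as_bytes()
```

To check a message stored on disk, pass `open(path, "rb").read()` to `bagle_indicators`; a worm-style sample such as `build_sample("Protected message", '<br>Archive password: <img src="cid:pw.gif"><br>', "html", "Details.zip")` yields all four indicators.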


Remote Access Capability
This virus listens on TCP port 1234 and awaits instructions from a remote malicious user.


"Shar" Folder Propagation
The virus copies itself to folders on all fixed drives connected to the infected system whose names contain the string "shar". It copies itself into these folders under these file names -

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
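An added host-sweep example (not from the advisory and not Fortinet's code) covering the dropped copies and Run-key entry described under Specifics and Load at Windows Startup, and the "shar" folder propagation above. The file name tables are transcribed from this page; `build_demo_tree` creates a constructed, zero-filled stand-in layout in a temporary directory so the functions can be exercised without a real infection, and all function names are mine.

```python
import ntpath
import os
import tempfile

MIN_SIZE = 0x4A50  # 19,024 bytes: every copy the worm drops is at least this large
SYSTEM_COPIES = {"sysxp.exe", "sysxp.exeopen", "sysxp.exeopenopen"}
SHAR_NAMES = {n.lower() for n in (  # names from the "shar" folder list above
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe", "Kaspersky Antivirus 5.0",
    "KAV 5.0", "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe", "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe", "Opera 8 New!.exe",
    "Porno pics arhive, xxx.exe", "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Serials.txt.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe", "Windown Longhorn Beta Leak.exe",
    "Windows Sourcecode update.doc.exe", "XXX hardcore images.exe")}

def _big_enough(path):
    # A regular file of at least the worm's body size; anything smaller is not a copy
    return os.path.isfile(path) and os.path.getsize(path) >= MIN_SIZE

def find_system_copies(system_dir):
    """Dropped copies (sysxp.exe and its 'open'-suffixed twins) in the System(32) folder."""
    return sorted(f for f in os.listdir(system_dir)
                  if f.lower() in SYSTEM_COPIES and _big_enough(os.path.join(system_dir, f)))

def suspicious_run_values(run_values):
    """Run-key entries (value name -> command) that launch sysxp.exe. On Windows, fill the
    dict from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with winreg."""
    return {name: cmd for name, cmd in run_values.items()
            if ntpath.basename(cmd.strip('"')).lower() == "sysxp.exe"}

def scan_shar_folders(root):
    """Walk root and report worm copies inside any folder whose name contains 'shar'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" in os.path.basename(dirpath).lower():
            hits += [os.path.join(dirpath, f) for f in files
                     if f.lower() in SHAR_NAMES and _big_enough(os.path.join(dirpath, f))]
    return sorted(hits)

def build_demo_tree():
    """Constructed stand-in layout (zero-filled files, not the worm) for a dry run."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "System32"))
    os.makedirs(os.path.join(root, "Public", "My Shared Folder"))
    for rel, size in (("System32/sysxp.exe", MIN_SIZE), ("System32/sysxp.exeopen", 512),
                      ("Public/My Shared Folder/Serials.txt.exe", MIN_SIZE + 300),
                      ("Public/My Shared Folder/notes.txt", MIN_SIZE)):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"\0" * size)
    return root
```

On a live system, point `find_system_copies` at the real System32 folder and `scan_shar_folders` at each fixed drive root; the undersized `sysxp.exeopen` and the unrelated `notes.txt` in the demo tree are deliberately not reported.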


Miscellaneous
This virus appends garbage data beyond hexadecimal offset 0xEDFF (19,024 bytes) to the .EXE, .SCR and .COM copies it creates, so that each copy has a different MD5 checksum and identification by MD5 checksum is ineffective.
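Because the padding changes every whole-file hash, a stable identifier has to be computed over the fixed body only. The added example below (not from the advisory and not Fortinet's code) hashes just the first 0x4A50 bytes, the body length given under Specifics, and treats anything shorter as not a copy; the two samples are constructed byte patterns, not worm bytes, and the function names are mine.

```python
import hashlib

BODY_LEN = 0x4A50  # 19,024 bytes: the worm's fixed body; anything past it is padding

def full_md5(data):
    """Whole-file MD5, which the appended garbage makes different for every copy."""
    return hashlib.md5(data).hexdigest()

def body_md5(data, body_len=BODY_LEN):
    """MD5 of the first body_len bytes only, so appended garbage does not change it.
    Returns None for data too short to hold the whole body."""
    if len(data) < body_len:
        return None
    return hashlib.md5(data[:body_len]).hexdigest()

def body_md5_file(path, body_len=BODY_LEN):
    """Same check on disk, reading only the body instead of the whole padded file."""
    with open(path, "rb") as fh:
        return body_md5(fh.read(body_len), body_len)

def make_samples():
    """Constructed stand-in: one fixed body followed by two different tails."""
    body = bytes((i * 37 + 11) % 256 for i in range(BODY_LEN))
    tail_a = bytes((i * 13) % 256 for i in range(700))
    tail_b = bytes((i * 101 + 5) % 256 for i in range(3000))
    return body + tail_a, body + tail_b

if __name__ == "__main__":
    a, b = make_samples()
    print(full_md5(a) == full_md5(b))  # False: padding defeats whole-file hashes
    print(body_md5(a) == body_md5(b))  # True: same body, same identifier
```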


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of these extensions -

    .COM
    .SCR
    .EXE
    .CPL
    .VBS
    .HTA
    .ZIP

    across SMTP, POP3 and IMAP - some of these extensions may need to be added to the list first

  • Using the FortiGate manager, define a service using TCP port 1234 named "Bagle", then enable blocking of this port

Telemetry

Detection Availability

FortiGate - Extreme
FortiClient - Extended
FortiMail - Extended
FortiSandbox - Extended
FortiWeb - Extended
Web Application Firewall - Extended
FortiIsolator - Extended
FortiDeceptor - Extended
FortiEDR

Version Updates

Date Version Detail
2021-06-01 86.00601
2021-05-18 86.00265
2021-03-23 84.00920
2021-03-03 84.00446
2021-02-09 83.91300 Sig Updated
2021-01-19 83.40900 Sig Updated
2021-01-04 83.05300 Sig Updated
2021-01-04 83.05000 Sig Updated
2021-01-03 83.02600 Sig Updated
2020-11-21 81.99800 Sig Updated