F-Secure Virus Descriptions : Bagle.AS
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.
NAME: Bagle.AS
ALIAS: I-Worm.Bagle.as, W32.Beagle.AR@mm, W32/Bagle.az@MM, WORM_BAGLE.AM
Bagle.AS has been distributed widely. It arrives in email messages carrying an attachment named Price, price or Joke with an .exe, .cpl, .scr or .com extension. The worm contains a backdoor that listens on TCP port 81 and on a UDP port. Bagle.AS also spreads through peer-to-peer file-sharing folders.
Bagle.AS arrives as an email attachment with one of the following subject lines:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
The attachment name is one of the following:
Price
price
Joke
and has one of the following extensions:
.exe
.scr
.com
.cpl
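The lure above is regular enough to turn into a mail-gateway rule. What follows is an added example, not F-Secure's code and not anything taken from the worm: it parses a message with Python's standard email package, blocks the Bagle.AS subject/attachment combination exactly as listed on this page, and, as a broader heuristic of my own that the description does not state, quarantines any other directly executable attachment. The sample messages are constructed inline; the helper names are mine.

```python
"""Mail-gateway rule for the Bagle.AS lure described above.

Added example, not F-Secure's or the worm's code.  Subject lines,
attachment base names and extensions are the ones listed in the
description; EXECUTABLE_EXT is an extra heuristic of my own.  Sample
messages are constructed here, not real captures.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines the worm uses (from the description; a bare "Re:" is one of them).
BAGLE_AS_SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}

# Attachment name: one of three base names plus one of four extensions.
BAGLE_AS_ATTACHMENT = re.compile(r"^(?:Price|price|Joke)\.(?:exe|scr|com|cpl)$")

# Assumption beyond the page: any directly executable attachment is quarantined.
EXECUTABLE_EXT = re.compile(r"\.(?:exe|scr|com|cpl|pif|bat)$", re.IGNORECASE)


def attachment_names(msg):
    """Filenames of every non-multipart part that carries one."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def classify(raw):
    """Verdict for one raw RFC 5322 message: block, quarantine or deliver."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    if subject in BAGLE_AS_SUBJECTS and any(BAGLE_AS_ATTACHMENT.match(n) for n in names):
        return "block: Bagle.AS lure"
    if any(EXECUTABLE_EXT.search(n) for n in names):
        return "quarantine: executable attachment"
    return "deliver"


def build_sample(subject, filename):
    """Constructed test message with one attachment (not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.org"        # the real worm spoofs this header
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, name in (("Re: Hello", "price.exe"), ("Re:", "Joke.cpl"),
                       ("Re: Hello", "report.pdf"), ("Invoice", "setup.exe")):
        print(f"{subj!r:20} {name:12} -> {classify(build_sample(subj, name))}")
```

The rule deliberately ignores the From: header, because the worm spoofs it (see the SMTP section below); the exact-name match is case sensitive like the list on this page, and the executable-extension fallback catches case variants such as PRICE.EXE.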
When executed, Bagle.AS creates a mutex and drops the following files:
%windir%\cjector.exe
%windir%\system32\bawindo.exe
%windir%\system32\bawindo.exeopen
%windir%\system32\bawindo.exeopenopen
It then creates the registry value bawindo under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
and sets it to %windir%\system32\bawindo.exe, so the worm is started at every logon of the infected user.
Bagle.AS deletes the following values, if present, from
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" and
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run". They are the autostart entries of anti-virus and firewall products, which therefore no longer start with the system:
My AV
Zone Labs Client EX
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MyInfo
SysMonXP
EasyAV
PandaAVEngine
NortonAntivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
Bagle.AS harvests email addresses from files on the local disk with the following extensions:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
It then uses its own SMTP engine to send out infected messages. The sender address of each message is spoofed. When choosing a harvested address to use as the spoofed sender, Bagle.AS skips addresses that contain any of the following strings (mostly security vendors, large mail providers and role accounts):
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kaspadmin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana.free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp
Peer-to-peer propagation
Bagle.AS locates folders whose name contains "shar" (typically the shared folders of file-sharing clients) and copies itself into them under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Termination of security applications
Bagle.AS terminates running processes with the following names, which belong to anti-virus, firewall and update components:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
ccProxy.exe
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe
Backdoor
Bagle.AS also opens a backdoor: it listens on TCP port 81 and on a UDP port.
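The host-side indicators on this page (the dropped files, the bawindo Run value, the deleted Run values, the terminated processes and the TCP port 81 listener) can be checked together from snapshots a responder already collects. The following triage script is an added example, not F-Secure's tooling and not derived from the worm: it takes the merged Run-key values (reg query), the running image names (tasklist), a file listing of %windir% and %windir%\system32, and raw netstat -ano output, and reports which indicators match. The kill-list and deleted-value sets are subsets of the lists above and should be extended with the full lists; the snapshots in the block are constructed, not captured from an infection; the function and constant names are mine. Because the page does not name the UDP port, the script reports UDP sockets owned by whichever process holds TCP port 81 rather than guessing a number.

```python
"""Triage of a Windows host for the Bagle.AS indicators in this description.

Added example, not F-Secure's or the worm's code.  Indicator values come
from the description; KILLED_PROCESSES and RUN_VALUES_DELETED are subsets
of the lists on the page.  SAMPLE_* inputs are constructed, not captured.
"""
import re

RUN_VALUE_ADDED = "bawindo"                      # value the worm writes under HKCU\...\Run
RUN_DATA_SUFFIX = r"\system32\bawindo.exe"       # what it points at, after %windir% expansion
DROPPED_BASENAMES = {"cjector.exe", "bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen"}
# Run values the worm deletes (subset of the list above).
RUN_VALUES_DELETED = {"My AV", "Zone Labs Client EX", "Tiny AV", "PandaAVEngine",
                      "NortonAntivirus AV", "KasperskyAVEng", "SysMonXP", "EasyAV"}
# Processes the worm terminates (subset; compared case-insensitively, 8.3 names kept verbatim).
KILLED_PROCESSES = {p.lower() for p in (
    "mcshield.exe", "ccApp.exe", "ccEvtMgr.exe", "navapsvc.exe", "Rtvscan.exe",
    "OUTPOST.EXE", "FrameworkService.exe", "VsTskMgr.exe", "SHSTAT.EXE", "LUCOMS~1.EXE")}
BACKDOOR_TCP_PORT = 81                           # the UDP port is not given on this page

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional state, pid.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def basename(path):
    """Image or file name without directory, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_listeners(netstat_text):
    """Yield (proto, local_port, pid) for listening TCP sockets and all UDP sockets."""
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue                              # header lines, blank lines
        proto, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proto == "UDP" or state == "LISTENING":
            yield proto, port, pid


def triage(run_values, processes, files, netstat_text, expected_run_values, expected_processes):
    """Return a dict of Bagle.AS findings; every value empty means nothing matched.

    run_values: {value name: data} merged from HKCU and HKLM ...\\CurrentVersion\\Run
    processes: running image names; files: paths under %windir% and %windir%\\system32
    expected_*: what this host ran before (from a baseline), so that absence is meaningful
    """
    data = run_values.get(RUN_VALUE_ADDED, "")
    running = {basename(p) for p in processes}
    tcp81_pids, udp_by_pid = set(), {}
    for proto, port, pid in parse_listeners(netstat_text):
        if proto == "TCP" and port == BACKDOOR_TCP_PORT:
            tcp81_pids.add(pid)
        elif proto == "UDP":
            udp_by_pid.setdefault(pid, []).append(port)
    return {
        "persistence": data if data.lower().endswith(RUN_DATA_SUFFIX.lower()) else "",
        "dropped_files": sorted(f for f in files if basename(f) in DROPPED_BASENAMES),
        "run_values_removed": sorted(v for v in expected_run_values
                                     if v in RUN_VALUES_DELETED and v not in run_values),
        "processes_killed": sorted(p for p in expected_processes
                                   if p.lower() in KILLED_PROCESSES and p.lower() not in running),
        "backdoor_tcp_pids": sorted(tcp81_pids),
        # UDP port unspecified on the page: report UDP sockets owned by the TCP/81 holder.
        "backdoor_udp_ports": sorted(port for pid in tcp81_pids for port in udp_by_pid.get(pid, [])),
    }


# Constructed snapshots of an infected host (not real captures).
SAMPLE_RUN_VALUES = {"bawindo": r"C:\WINDOWS\system32\bawindo.exe",
                     "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_PROCESSES = ["csrss.exe", "explorer.exe", r"C:\WINDOWS\system32\bawindo.exe", "ccApp.exe"]
SAMPLE_FILES = [r"C:\WINDOWS\cjector.exe", r"C:\WINDOWS\system32\bawindo.exe",
                r"C:\WINDOWS\system32\bawindo.exeopen", r"C:\WINDOWS\notepad.exe"]
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:1031          10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:3452           *:*                                    1488
  UDP    0.0.0.0:500            *:*                                    700
"""
BASELINE_RUN_VALUES = {"KasperskyAVEng", "ctfmon.exe"}   # present before infection
BASELINE_PROCESSES = {"ccApp.exe", "mcshield.exe"}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RUN_VALUES, SAMPLE_PROCESSES, SAMPLE_FILES,
                             SAMPLE_NETSTAT, BASELINE_RUN_VALUES, BASELINE_PROCESSES).items():
        print(f"{key:20} {value}")
```

The baseline arguments matter: without knowing which Run values and security processes the host had before, a missing entry says nothing, because most of the names on this page belong to products that were never installed on a given machine.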
Detection for Bagle.AS was published early on September 29th,
2004 in the following F-Secure Anti-Virus update:
[FSAV_Database_Version]
Version=2004-09-29_01
Description:
Mikko Hypponen, Katrin Tocheva and Tzvetan Chaliavski, September 28-29th, 2004;
F-Secure Corporation