01-20-2004, 07:32 AM
Right Now
Worm Alert: Bagle
The latest worm to exploit Microsoft's mass mailing features. Note that it uses the IRC port 6667 to "own" your computer.
Link
Quote:
Virus Characteristics:
This is a mass-mailing worm with a remote access component. The worm arrives in an email message with the following characteristics:
From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.
Attachment: (random filename) 15,872 bytes, for example frjujs.exe
When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe, and creates a registry key to load itself at system startup:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
Two additional keys are created:
* HKEY_CURRENT_USER\Software\Windows98 "frun"
* HKEY_CURRENT_USER\Software\Windows98 "uid"
Mass-mailing Component
The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.
* .wab
* .txt
* .htm
* .html
The virus spoofs the sender address by using a harvested address in the FROM field. The first message sent by the virus uses the same harvested address in the TO and FROM fields. The second message is sent to a different address, while the FROM field remains the same. The third message is sent to a third address, and the FROM field contains the second address and so on.
The virus does not mass-mail itself to addresses that contain one of the following strings:
* @hotmail.com
* @msn.com
* @microsoft
* @avp.
Remote Access Component
The virus listens on TCP port 6777 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.
Symptoms
# System listening on TCP port 6777
# Presence of the file bbeagle.exe in the WINDOWS SYSTEM directory
Method Of Infection
Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.
Removal Instructions
All Users :
Use current engine and DAT files for detection and removal.
Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Stand-alone Remover
Stinger has been updated to include detection and removal for this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
1. - Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
   - WinNT/2K/XP - Terminate the process BBEAGLE.EXE
2. Delete the file BBEAGLE.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32)
3. Edit the registry
* Delete the "d3dupdate.exe" value from
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Aliases
* I-Worm.Bagle (AVP)
* W32.Beagle.A@mm (Symantec)
* W32/Bagle-A (Sophos)
* W32/Bagle.A@mm (F-Secure)
* WORM_BAGLE.A (Trend)
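An added triage script (not part of the quoted vendor write-up) that checks the three host symptoms the description gives for Bagle.A: a listener on TCP 6777, the "d3dupdate.exe" Run value pointing at bbeagle.exe, and bbeagle.exe in the system directory. The netstat and reg query samples below are constructed; on a real host you would feed it the output of `netstat -an` and `reg query` for the Run key plus a listing of %SysDir%.

```python
import re

# Indicators taken from the Bagle.A description above.
BAGLE_PORT = 6777
BAGLE_FILE = "bbeagle.exe"
BAGLE_RUN_VALUE = "d3dupdate.exe"

# Constructed sample of `netstat -an` output as printed on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       10.0.0.1:80            ESTABLISHED
"""

# Constructed sample of `reg query` output for the HKCU Run key.
REG_SAMPLE = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINNT\\System32\\ctfmon.exe
    d3dupdate.exe    REG_SZ    C:\\WINNT\\System32\\bbeagle.exe
"""

# Constructed listing of %SysDir% (only file names matter here).
SYSDIR_SAMPLE = ["calc.exe", "bbeagle.exe", "kernel32.dll"]


def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def run_key_values(reg_text):
    """Parse `reg query` output into {value_name (lowercased): data}."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_SZ\s+(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values


def bagle_indicators(netstat_text, reg_text, sysdir_files):
    """Return a list describing each Bagle.A symptom found in the evidence."""
    hits = []
    if BAGLE_PORT in listening_ports(netstat_text):
        hits.append(f"TCP port {BAGLE_PORT} is listening")
    data = run_key_values(reg_text).get(BAGLE_RUN_VALUE)
    if data and data.lower().endswith(BAGLE_FILE):
        hits.append(f'Run value "{BAGLE_RUN_VALUE}" -> {data}')
    if any(f.lower() == BAGLE_FILE for f in sysdir_files):
        hits.append(f"{BAGLE_FILE} present in %SysDir%")
    return hits


if __name__ == "__main__":
    for hit in bagle_indicators(NETSTAT_SAMPLE, REG_SAMPLE, SYSDIR_SAMPLE):
        print("INDICATOR:", hit)
```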