Bagle.AS Oct 6, 2004

Aliases:
I-Worm.Bagle.as, W32.Beagle.AR@mm, W32/Bagle.az@MM, WORM_BAGLE.AM
Type:
Worm
Description:
Bagle.AS has been widely distributed. It arrives in email with a Price- or Joke-named attachment carrying an .exe, .cpl, .scr or .com extension. The worm contains a backdoor that listens on TCP port 81 and on a UDP port. Bagle.AS also spreads via peer-to-peer file sharing.
Solution:
Bagle.AS arrives as an email attachment with one of the following subject lines:
  Re: Re: Hello
  Re: Thank you!
  Re: Thanks :)
  Re: Hi
The attachment name is one of:
  Price
  price
  Joke
with one of the following extensions:
  .exe .scr .com .cpl
When executed, Bagle.AS creates a mutex and drops the following files:
  %windir%\cjector.exe
  %windir%\system32\bawindo.exe
  %windir%\system32\bawindo.exeopen
  %windir%\system32\bawindo.exeopenopen
It then creates the registry value
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bawindo
and sets it to %windir%\system32\bawindo.exe, so that the worm is started at logon.
The following values (if present) are deleted by Bagle.AS from either
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
or
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  My AV, Zone Labs Client EX, 9XHtProtect, Antivirus, Special Firewall Service, service, Tiny AV, ICQNet, HtProtect, NetDy, Jammer2nd, FirewallSvr, MyInfo, SysMonXP, EasyAV, PandaAVEngine, NortonAntivirus, AV, KasperskyAVEng, SkynetsRevenge, ICQ Net
Bagle.AS harvests email addresses from files on the local disk with the following extensions:
  .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp
It then uses its own SMTP engine to send out infected messages. The messages carry a spoofed sender address.
While constructing the spoofed sender address, Bagle.AS ignores addresses containing any of the following strings:
  @hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kaspadmin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana.free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp

Peer-to-peer propagation
Bagle.AS locates folders whose name contains "shar" and copies itself into them under the following names:
  ACDSee 9.exe
  Adobe Photoshop 9 full.exe
  Ahead Nero 7.exe
  Kaspersky Antivirus 5.0
  KAV 5.0
  Matrix 3 Revolution English Subtitles.exe
  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Office XP working Crack, Keygen.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Opera 8 New!.exe
  Porno pics arhive, xxx.exe
  Porno Screensaver.scr
  Porno, sex, oral, anal cool, awesome!!.exe
  Serials.txt.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  WinAmp 6 New!.exe
  Windown Longhorn Beta Leak.exe
  Windows Sourcecode update.doc.exe
  XXX hardcore images.exe

Termination of security applications
Bagle.AS terminates running processes with the following names:
  mcagent.exe, mcvsshld.exe, mcshield.exe, mcvsescn.exe, mcvsrte.exe, DefWatch.exe, Rtvscan.exe, ccEvtMgr.exe, NISUM.EXE, ccPxySvc.exe, navapsvc.exe, NPROTECT.EXE, nopdb.exe, ccApp.exe, Avsynmgr.exe, VsStat.exe, Vshwin32.exe, alogserv.exe, RuLaunch.exe, Avconsol.exe, PavFires.exe, FIREWALL.EXE, ATUPDATER.EXE, LUALL.EXE, DRWEBUPW.EXE, AUTODOWN.EXE, NUPGRADE.EXE, OUTPOST.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ESCANH95.EXE, AVXQUAR.EXE, ESCANHNT.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVXQUAR.EXE, AVWUPD32.EXE, AVPUPD.EXE, CFIAUDIT.EXE, UPDATE.EXE, NUPGRADE.EXE, MCUPDATE.EXE, pavsrv50.exe, AVENGINE.EXE, APVXDWIN.EXE, pavProxy.exe, navapw32.exe, navapsvc.exe, ccProxy.exe, navapsvc.exe, NPROTECT.EXE, SAVScan.exe, SNDSrvc.exe, symlcsvc.exe, LUCOMS~1.EXE, blackd.exe, FrameworkService.exe, VsTskMgr.exe, SHSTAT.EXE, UpdaterUI.exe
Additionally, Bagle.AS listens on TCP port 81 and on a UDP port.

Taken from f-secure.com
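The indicators above, turned into a defender's check as an added example (not F-Secure's or this support site's code): a mail-gateway rule for the exact lure pattern and a host-snapshot scan for the dropped files, the Run value and the TCP 81 listener. The snapshot inputs are constructed; on a real host they would come from a directory listing, the Run keys and netstat.

```python
import re

# Indicators from the description above; paths keep %windir% symbolic and lower case.
DROPPED_FILES = {
    r"%windir%\cjector.exe",
    r"%windir%\system32\bawindo.exe",
    r"%windir%\system32\bawindo.exeopen",
    r"%windir%\system32\bawindo.exeopenopen",
}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "bawindo"
RUN_DATA = r"%windir%\system32\bawindo.exe"
BACKDOOR_TCP_PORT = 81
SUBJECTS = {"Re: Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
ATTACHMENT_RE = re.compile(r"^(?:Price|price|Joke)\.(?:exe|scr|com|cpl)$")


def matches_lure(subject, attachment_name):
    """Mail-gateway rule: exact subject line plus a Price/Joke attachment
    with one of the four executable extensions named in the description."""
    return subject in SUBJECTS and ATTACHMENT_RE.match(attachment_name) is not None


def host_findings(files, run_values, listening_tcp):
    """Scan a host snapshot and return a list of findings (empty when clean).

    files: paths present on disk, with %windir% left symbolic
    run_values: {(key, value_name): data} read from the Run keys
    listening_tcp: TCP ports currently in LISTENING state
    """
    findings = []
    for path in sorted(DROPPED_FILES & {f.lower() for f in files}):
        findings.append("dropped file present: " + path)
    data = run_values.get((RUN_KEY, RUN_VALUE))
    if data is not None and data.lower() == RUN_DATA:
        findings.append("persistence value: " + RUN_KEY + "\\" + RUN_VALUE)
    # Port 81 alone is weak evidence (web servers use it too); report it
    # only when it corroborates a file or registry indicator.
    if BACKDOOR_TCP_PORT in set(listening_tcp) and findings:
        findings.append("backdoor listener on TCP port %d" % BACKDOOR_TCP_PORT)
    return findings


if __name__ == "__main__":
    # Constructed snapshot of an infected host, not real telemetry.
    sample_files = [r"%windir%\explorer.exe", r"%WINDIR%\System32\bawindo.exe"]
    sample_run = {(RUN_KEY, "bawindo"): r"%windir%\system32\bawindo.exe"}
    for line in host_findings(sample_files, sample_run, [81, 135]):
        print(line)
```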