Need help? Ask the community or hire an expert.
Go to Avira Answers
Nume:Worm/Bagle.DM
Descoperit pe data de:13/12/2012
Tip:Vierme
ITW:Nu
Numar infectii raportate:Scazut
Potential de raspandire:Mediu spre ridicat
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:21.232 Bytes
MD5:43e014ce23862dbc0efcbcccd05d6ac6
Versiune VDF:7.11.53.216

 General Metode de raspandire:
   • Email
   • Peer to Peer


Alias:
   •  Symantec: w32.bEAGLE.cl@MM
   •  Kaspersky: eMAIL-wORM.wIN32.bAGLE.DX
   •  TrendMicro: worm_bagle.bt
   •  Bitdefender: wIN32.bAGLE.an@MM


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Descarca fisiere
   • Utilizeaza propriul motor de email
   • Reduce setarile de securitate
   • Modificari in registri

 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\winhost.exe




Incearca sa descarce cateva fisiere:

– Adresa este urmatoarea:
   • http://www.**********goods.com/img/3.exe
Fisierul este stocat pe hard disc la: %WINDIR%\test.exe In plus, acest fisier este executat dupa ce este descarcat de pe Internet. La momentul realizarii descrierii, acest fisier nu era disponibil pentru o analiza ulterioara.

– Adresa este urmatoarea:
   • http://64.**********.145/ip.txt
Fisierul este stocat pe hard disc la: %WINDIR%\ip.txt La momentul realizarii descrierii, acest fisier nu era disponibil pentru o analiza ulterioara.

 Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "winhost.exe"="%SYSDIR%\winhost.exe"



Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKCU\Software\Timeout]
   • "uid"="%cateva cifre aleatoare%"
   • "port"=dword:0000234b
   • "pid"=dword:%numar hexazecimal%

 Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:


De la:
Adresa este falsificata.


Catre:
– Adrese de email gasite pe sistem.


Subiect:
Unul din urmatoarele:
   • Changes..; Encrypted document; Fax Message; Forum notify; Incoming
      message; Notification; Protected message; Re:; Re: Document; Re:
      Hello; Re: Hi; Re: Incoming Message; RE: Incoming Msg; RE: Message
      Notify; Re: Msg reply; RE: Protected message; RE: Text message; Re:
      Thank you!; Re: Thanks :); Re: Yahoo!; Site changes; Update



Corpul email-ului:
Corpul email-ului este unul din textele:

   • Attach tells everything.
     Attached file tells everything.
     Check attached file for details.
     Check attached file.
     Here is the file.
     Message is in attach
     More info is in attach
     Pay attention at the attach.
     Please, have a look at the attached file.
     Please, read the document.
     Read the attach.
     See attach.
     See the attached file for details.
     Try this.
     Your document is attached.
     Your file is attached.


In continuare:

   • Archive password: %imagine care contine parola%
     Attached file is protected with the password for security reasons. Password is %imagine care contine parola%
     For security purposes the attached file is password protected. Password -- %imagine care contine parola%
     For security reasons attached file is password protected. The password is %imagine care contine parola%In order to read the attach you have to use the following password: %imagine care contine parola%
     Note: Use password %imagine care contine parola% to open archive.
     Password - %imagine care contine parola%
     Password: %imagine care contine parola%


Atasament:
Numele fisierului atasat este unul din urmatoarele:
   • Information.exe
   • Details.exe
   • text_document.exe
   • Updates.exe
   • Readme.exe
   • Document.exe
   • Info.exe
   • Details.exe
   • MoreInfo.exe
   • Message.exe
   • Sources.exe

Atasamentul este o copie malware.

 Email Cautare adrese:
Cauta adrese de email in urmatoarele fisiere:
   • .adb; .asp; .cfg; .dbx; .dhtm; .eml; .htm; .html; .jsp; .mbx; .mdx;
      .mht; .mmf; .msg; .nch; .ods; .oft; .php; .sht; .shtm; .shtml; .stm;
      .tbb; .txt; .uin; .wab; .wsh; .xls; .xml


Adrese evitate:
Nu trimite email-uri la adrese care contin unul din urmatoarele siruri de caractere:
   • @avp.; @foo; @hotmail.com; @iana; @messagelab; @microsoft; @msn.com;
      abuse; admin; anyone@; bsd; bugs@; cafee; certific; contract@; feste;
      free-av; f-secur; gold-certs@; google; help@; icrosoft; info@; kasp;
      linux; listserv; local; news; nobody@; noone@; noreply; ntivi; panda;
      pgp; postmaster@; rating@; root@; samples; sopho; spam; support; unix;
      update; winrar; winzip

 P2P  Pentru a infecta alte sisteme din retele Peer-to-Peer, efectueaza urmatarele operatii:   Cauta directoarele care au in numele lor textul:
   • shar

   Daca reuseste, sunt create urmatoarele fisiere:
   • 12 year old Katia ********** young whore school lolita.avi
       .exe; Adobe Photoshop 9 full.exe; Ahead Nero 7.exe; Doom3_nocd.exe;
      HalfLife2_noCD.exe; Kaspersky Antivirus 5.0; KAV 5.0; Lolita porn.avi
       .exe; Matrix 3 Revolution English
      Subtitles.exe; Microsoft Office 2003 Crack, Working!.exe; Microsoft
      Office XP working Crack, Keygen.exe; Microsoft Windows XP, WinXP
      Crack, working Keygen.exe; Norton Antivirus, working Keygen.exe; nude
      lolita.jpg .exe; Opera 8 New!.exe;
      Porno pics arhive, xxx.exe; Porno Screensaver.scr; Porno, **********cool, awesome!!.exe; Serials.txt.exe; WinAmp 5 Pro
      Keygen Crack Update.exe; WinAmp 6 New!.exe; Windown Longhorn Beta
      Leak.exe; Windows Sourcecode update.doc.exe; XXX hardcore images.exe

   Aceste fişiere sunt copii ale malware-ului.

 Terminarea proceselor Lista cu procesele oprite:
   • AGENTSVR.EXE; ANTI-TROJAN.EXE; ANTIVIRUS.EXE; ANTS.EXE;
      APIMONITOR.EXE; APLICA32.EXE; APVXDWIN.EXE; ATCON.EXE; ATGUARD.EXE;
      ATRO55EN.EXE; ATUPDATER.EXE; ATWATCH.EXE; AUPDATE.EXE; AUTODOWN.EXE;
      AUTOTRACE.EXE; AUTOUPDATE.EXE; AVCONSOL.EXE; AVGSERV9.EXE;
      AVLTMAIN.EXE; AVprotect9x.exe; AVPUPD.EXE; AVSYNMGR.EXE; AVWUPD32.EXE;
      AVXQUAR.EXE; BD_PROFESSIONAL.EXE; BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE;
      BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE; BOOTWARN.EXE;
      BORG2.EXE; BS120.EXE; ccApp.exe; ccEvtMgr.exe; CDP.EXE; CFGWIZ.EXE;
      CFIADMIN.EXE; CFIAUDIT.EXE; CFIAUDIT.EXE; CFIAUDIT.EXE; CFINET.EXE;
      CFINET.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE;
      CLEANPC.EXE; CLEANPC.EXE; CMGRDIAN.EXE; CMGRDIAN.EXE; CMON016.EXE;
      CMON016.EXE; CPD.EXE; CPF9X206.EXE; CPFNT206.EXE; CV.EXE; CWNB181.EXE;
      CWNTDWMO.EXE; DEFWATCH.EXE; DEPUTY.EXE; DPF.EXE; DPFSETUP.EXE;
      DRWATSON.EXE; DRWEBUPW.EXE; ENT.EXE; ESCANH95.EXE; ESCANHNT.EXE;
      ESCANV95.EXE; EXANTIVIRUS-CNET.EXE; FAST.EXE; FIREWALL.EXE;
      FLOWPROTECTOR.EXE; FP-WIN_TRIAL.EXE; FRW.EXE; FSAV.EXE;
      FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE; GBMENU.EXE;
      GBPOLL.EXE; GUARD.EXE; GUARDDOG.EXE; HACKTRACERSETUP.EXE; HTLOG.EXE;
      HWPE.EXE; IAMAPP.EXE; IAMAPP.EXE; IAMSERV.EXE; ICLOAD95.EXE;
      ICLOADNT.EXE; ICMON.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ICSUPPNT.EXE;
      IFW2000.EXE; IPARMOR.EXE; IRIS.EXE; JAMMER.EXE; KAVLITE40ENG.EXE;
      KAVPERS40ENG.EXE; KERIO-PF-213-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KILLPROCESSSETUP161.EXE; LDPRO.EXE;
      LOCALNET.EXE; LOCKDOWN.EXE; LOCKDOWN2000.EXE; LSETUP.EXE; LUALL.EXE;
      LUCOMSERVER.EXE; LUINIT.EXE; MCAGENT.EXE; MCUPDATE.EXE; MCUPDATE.EXE;
      MFW2EN.EXE; MFWENG3.02D30.EXE; MGUI.EXE; MINILOG.EXE; MOOLIVE.EXE;
      MRFLUX.EXE; MSCONFIG.EXE; MSINFO32.EXE; MSSMMC32.EXE; MU0311AD.EXE;
      NAV80TRY.EXE; navapsvc.exe; NAVAPW32.EXE; NAVDX.EXE; NavShExt.dll;
      NAVSTUB.EXE; NAVW32.EXE; NC2000.EXE; NCINST4.EXE; NDD32.EXE;
      NEOMONITOR.EXE; NETARMOR.EXE; NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE;
      NETSPYHUNTER-1.2.EXE; NETSTAT.EXE; NISSERV.EXE; NMAIN.EXE;
      NORTON_INTERNET_SECU_3.0_407.EXE; NPF40_TW_98_NT_ME_2K.EXE;
      NPFMESSENGER.EXE; NPROTECT.EXE; NPROTECT.EXE; NSCHED32.EXE; NTVDM.EXE;
      NUPGRADE.EXE; NVARCH16.EXE; NWINST4.EXE; NWTOOL16.EXE; OSTRONET.EXE;
      OUTPOST.EXE; OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE; PADMIN.EXE;
      PANIXK.EXE; PAVPROXY.EXE; PCC2002S902.EXE; PCC2K_76_1436.EXE;
      PCCIOMON.EXE; PCDSETUP.EXE; PCFWALLICON.EXE; PCFWALLICON.EXE;
      PCIP10117_0.EXE; PDSETUP.EXE; PERISCOPE.EXE; PERSFW.EXE; PF2.EXE;
      PFWADMIN.EXE; PINGSCAN.EXE; PLATIN.EXE; POPROXY.EXE; POPSCAN.EXE;
      PORTDETECTIVE.EXE; PPINUPDT.EXE; PPTBC.EXE; PPVSTOP.EXE;
      PROCEXPLORERV1.0.EXE; PROPORT.EXE; PROTECTX.EXE; PSPF.EXE;
      QCONSOLE.EXE; QSERVER.EXE; REGEDIT.EXE; REGEDT32.EXE; RESCUE.EXE;
      RESCUE32.EXE; RRGUARD.EXE; RSHELL.EXE; RULAUNCH.EXE; SAFEWEB.EXE;
      SAVSCAN.EXE; SBSERV.EXE; SD.EXE; SETUP_FLOWPROTECTOR_US.EXE;
      SETUPVAMEEVAL.EXE; SFC.EXE; SGSSFW32.EXE; SH.EXE; SHELLSPYINSTALL.EXE;
      SymWSC.exe; SYSEDIT.EXE; TAUMON.EXE; TAUSCAN.EXE; TRACERT.EXE;
      TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE; UNDOBOOT.EXE; UPDATE.EXE;
      VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE; VIRUSMDPERSONALFIREWALL.EXE;
      W32DSM89.EXE; WATCHDOG.EXE; WEBSCANX.EXE; WHOSWATCHINGME.EXE;
      WINRECON.EXE; WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE;
      WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE; ZONALM2601.EXE; ZONEALARM.EXE


 Backdoor Deschide portul

– winhost.exe pe portul TCP 9035


Servere contactate:
Unul dintre:
   • http://64.12.**********/in.php
   • http://64.246.**********/init.php
   • http://68.24.**********/in.php
   • http://biiig.**********/init.php
   • http://blockism.**********/img/ini.php
   • http://motivethree.**********/img/in.php
   • http://nine-one**********/images/in.php
   • http://paromy.**********/_old_img/in.php
   • http://**********.com/init.php
   • http://**********forum.ru/init.php
   • http://**********2k.com/img/ini.php
   • http://**********phops.com
   • http://**********arisi.net/init.php
   • http://www.card**********.com/img/ini.php
   • http://www.evo**********.com/img/in.php
   • http://www.lady**********.com/in.php
   • http://za**********.net/init.php


 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
   • FSG 1.33

Description inserted by Iulia Diaconescu on Monday, October 10, 2005
Description updated by Iulia Diaconescu on Monday, October 17, 2005

Back . . . .