Virus: Worm/Bagle.FR
Date discovered: 01/03/2006
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Low
Static file: No
File size: ~ 21.000 Bytes
VDF version: 6.33.01.40
General
Method of propagation:
• Email

Aliases:
• Symantec: W32.Beagle.DW@mm
• Mcafee: W32/Bagle.gen!Sality
• Kaspersky: Email-Worm.Win32.Bagle.fr
• TrendMicro: WORM_BAGLE.DF
• Sophos: W32/Bagle-DM

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Uses its own Email engine
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\windll32lib.exe

It copies itself to the following locations. Those files have random bytes appended, so they may differ from the original one:
• %SYSDIR%\windll32lib.exeopen
• %SYSDIR%\windll32lib.exeopenopen

The following file is created:
– Non malicious file:
• %WINDIR%\vcremoval.dll

It tries to download a file:
– The locations are the following:
Registry
One of the following values is added in order to run the process after reboot:
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "winshell"="%SYSDIR%\windll32lib.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.

Subject:
One of the following:
• Phshing is illigal
• Where did you learn to scam?
• You are a criminal and will be busted!
• You steal from innocent people

Body:
– Contains HTML code.
The body of the email is one of the following:
• Dude, I found your email from whois info of a web page that was used in spam and illigal activity, please do something or you will be sued and busted. Was very dumb to leave your email, asshole! P.S Attached file is self-exatracting archive with information about your criminal activity.
• Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack? Open attached file for a proof hmmmm it's quite nice, but I think that cops would be interested in it. So my friend. take the page away and put a Appologize on it. Or the Police will hear from me. Cya my friend
• Hi! Just to inform you that your email is used by a spamer who intends to steal bank account information thru a fake site. If you are not involded, I can bring you additionnal information. Check attached file for a proof. If you are, you're a little son of a bitch.
Attachment:
The filename of the attachment is one of the following:
• your_info.exe
• whois_info.exe
• myscreenshot.exe
• scam.exe
• proof.exe

Mailing
Search addresses:
It searches the following files for email addresses:
• .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml; .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls; .oft; .uin; .cgi; .mht; .dhtm; .jsp

P2P
It searches for directories that contain the following substring:
• share
If successful, the following files are created:
• anna benson sex video.exe
• kate beckinsale nude pictures.exe
• jenna elfman sex anal deepthroat.exe
• miss america Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• barrett jackson nude photos, movies, porn video.exe
• Britney Spears sex photos.exe
• paris hilton Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 10.exe
• Windown Vista Beta Leak.exe
• IE beta 7.exe
• Serials 2005 database.exe
• XXX hardcore images.exe
• Adobe Photoshop 9 full.exe
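The following is an added example, not Avira's code, showing how a responder can turn the indicators above (the "winshell" Run value, the dropped file names, the lure subjects and attachment names) into a simple host and mail check; the Run key contents and the sample mail are constructed for the demonstration.

```python
"""Indicator check for Worm/Bagle.FR, built from the description above.

Added example, not Avira's code. The indicator values are the registry
Run value, dropped file names, lure subjects and attachment names the
description lists; the sample inputs in scan_sample() are constructed.
"""
import ntpath

RUN_VALUE_NAME = "winshell"            # value under HKCU\...\CurrentVersion\Run
DROPPED_FILES = {"windll32lib.exe", "windll32lib.exeopen",
                 "windll32lib.exeopenopen"}
SUBJECTS = {"phshing is illigal", "where did you learn to scam?",
            "you are a criminal and will be busted!",
            "you steal from innocent people"}
ATTACHMENTS = {"your_info.exe", "whois_info.exe", "myscreenshot.exe",
               "scam.exe", "proof.exe"}

def check_run_key(run_values):
    """run_values: {value name: data} read from the HKCU Run key.
    Flags the worm's value by name or by the executable it points at."""
    hits = []
    for name, data in run_values.items():
        exe = ntpath.basename(data.strip().strip('"')).lower()
        if name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILES:
            hits.append(("run", name))
    return hits

def check_email(subject, attachment_names):
    """Flag the lure subjects and attachment names listed above."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append(("subject", subject))
    hits += [("attachment", a) for a in attachment_names
             if a.lower() in ATTACHMENTS]
    return hits

def scan_sample():
    """Constructed sample input: one infected-looking host and one mail."""
    run_values = {                      # constructed Run key contents
        "winshell": '"C:\\WINDOWS\\system32\\windll32lib.exe"',
        "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    }
    mail = ("Phshing is illigal", ["proof.exe", "readme.txt"])
    return check_run_key(run_values) + check_email(*mail)

if __name__ == "__main__":
    for kind, value in scan_sample():
        print(f"{kind}: {value}")
```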
Description inserted by Alexander Vukcevic on Wednesday, March 1, 2006
Description updated by Alexander Vukcevic on Monday, March 6, 2006