Name: Worm/Bagle.AI
Discovered on: 07/07/2005
Type: Worm
ITW (in the wild): Yes
Number of reported infections: Low
Spreading potential: Medium to high
Damage potential: Medium
Static file: No
VDF version: 6.31.00.168

General

Spreading methods:
• Email
• Peer to Peer

Aliases:
• Symantec: W32.Beagle.AG@mm
• Kaspersky: Email-Worm.Win32.Bagle.ai
• TrendMicro: WORM_BAGLE.AH
• Grisoft: I-Worm/Bagle.AI
• VirusBuster: I-Worm.Bagle.AK
• Bitdefender: Win32.Bagle.AJ@mm

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Terminates security applications
• Uses its own email engine
• Lowers security settings
• Modifies the registry
• Allows unauthorized access to the computer

Files

Copies itself to the following location:
• %SYSDIR%\winxp.exe

Copies itself to the following location (the file has random characters appended at the end, which distinguishes it from the original):
• %SYSDIR%\winxp.exeopen

Archiving:
The files processed are:
• %SYSDIR%\winxp.exeopen
• %SYSDIR%\winxp.exeopenopenopenopen

The archive name is:
• %SYSDIR%\winxp.exeopenopen

The following files are created:
– Harmless files:
• %SYSDIR%\winxp.exeopenopenopen
• %SYSDIR%\winxp.exeopenopenopenopen

Tries to download a file:
– The addresses are the following:
• http://www.bmgs.bund.de/**********
• http://www.gtz.de/**********
• http://www.dwelle.de/**********
• http://www.monster.de/**********
• http://www.regtp.de/**********
• http://www.stufenlos-regelbar.de/**********
• http://www.rapz-records.de/**********
• http://abtacha.wirebrain.de/**********
• http://die-cliquee.de/**********
• http://www.gantke-net.de/**********
• http://www.dar-fantasy.de/**********
• http://www.mdirk.de/**********
• http://www.calistyler.de/**********
• http://tripod.de/**********
• http://sgi1.rz.rwth-aachen.de/**********
• http://www.sysserver1.de/**********
• http://www.vwschubert.de/**********
• http://ronnyackermann.de/**********
• http://www.destatis.de/**********
• http://www.berlinonline.de/**********
• http://www.meinestadt.de/**********
• http://obechmann.de/**********
• http://www.stepstone.de/**********
• http://www.degruyter.de/**********
• http://www.lufthansa.de/**********
• http://www.duden.de/**********
• http://www.pcwelt.de/**********
• http://www.astronomie.de/**********
• http://www.abacho.de/**********
• http://www.bundesliga.de/**********
• http://www.expo2000.de/**********
• http://knecht.cs.uni-magdeburg.de/**********
• http://www.murczak.de/**********
• http://www.murczak.de/**********
• http://www.lupo18t.de/**********
• http://www.hosteurope.de/**********
• http://login.rz.fh-augsburg.de/**********
• http://www.hannobunz.de/**********
• http://dfk-crew.clanintern.de/**********
• http://www.empire-show.de/**********
• http://www.atlantis-show.de/**********
• http://www.superstar-nord.de/**********
• http://www.lords-of-havoc.de/**********
• http://deepiceman.de/**********
• http://www.atlas-hannover.de/**********
• http://begros.de/**********
• http://www.h-p-i.de/**********
• http://www.szakos.de/**********
• http://www.king-alp.de/**********
• http://people-ftp.freenet.de/**********
• http://www.stuttgart.de/**********
• http://www.eumetsat.de/**********
• http://www.gutenberg2000.de/**********
• http://www.heidelberg.de/**********
• http://www.tu-muenchen.de/**********
• http://www.studentenwerke.de/**********
• http://www.stellenmarkt.de/**********
• http://zille.cs.uni-magdeburg.de/**********
• http://www.mupad.de/**********
• http://www.gelbeseiten.de/**********
• http://www.klug-suchen.de/**********
• http://www.niedersachsen.de/**********
• http://www.frankfurter-buchmesse.de/**********
• http://www.freiburg.de/**********
• http://www.messe-duesseldorf.de/**********
• http://www.beck.de/**********
• http://zeus05.de/**********
• http://www.europarl.de/**********
• http://www.onlinereviewguide.com/**********
• http://www.krebsinformation.de/**********
• http://www.brigitte.de/**********
• http://www.webhits.de/**********
• http://www.kabel1.de/**********
• http://www.saarland.de/**********
• http://www.renewables2004.de/**********
• http://www.awi-bremerhaven.de/**********
• http://www.uni-tuebingen.de/**********
• http://www.frankfurt-airport.de/**********
• http://people-ftp.freenet.de/**********
• http://people-ftp.freenet.de/**********
• http://www.szakos.de/**********
• http://www.king-alp.de/**********
• http://niematec.de/**********
• http://symbit.de/**********
• http://pe-data.de/**********
• http://web154.essen082.server4free.de/**********
• http://web216.berlin240.server4free.de/**********
• http://edwinf.surfplanet.de/**********
• http://www.stricker-doerpen.de/**********
• http://www.helmholtz.de/**********
• http://www.staedtetag.de/**********
• http://www.tu-dresden.de/**********
• http://www.immobilienscout24.de/**********
• http://www.karlsruhe.de/**********
• http://www.citypopulation.de/**********
• http://www.schulen-ans-netz.de/**********
• http://www.fernuni-hagen.de/**********
• http://www.stifterverband.de/**********
• http://www.wissenschaft-online.de/**********
• http://www.nuernbergmesse.de/**********
• http://www.dortmund.de/**********
• http://www.uni-marburg.de/**********
• http://www.anwaltverein.de/**********
• http://www.math-net.de/**********
• http://www.finanznachrichten.de/**********
• http://www.uni-bremen.de/**********
• http://www.tu-darmstadt.de/**********
• http://www.aachen.de/**********
• http://www.dasding.de/**********
• http://www.messe-muenchen.de/**********
• http://www.uni-duisburg-essen.de/**********
• http://www.photokina.de/**********
• http://www.umweltbundesamt.de/**********
• http://www.jugendherberge.de/**********
• http://www.bitburger.de/**********
• http://www.munich-airport.de/**********
• http://www.uni-mannheim.de/**********
• http://www.uni-frankfurt.de/**********
• http://www.ruhr-uni-bochum.de/**********
• http://www.medicine-worldwide.de/**********
• http://www.firstgate.de/**********
• http://www.kompetenznetze.de/**********
• http://www.uni-jena.de/**********
• http://www.testdaf.de/**********
• http://www.kalenderblatt.de/**********
• http://www.baden-wuerttemberg.de/**********
• http://www.saarbruecken.de/**********
• http://www.kompetenzz.de/**********
• http://www.aquarius.geomar.de/**********
• http://www.uni-duesseldorf.de/**********
• http://www.urlaubstage.de/**********
• http://www.wiley-vch.de/**********
• http://www.mohr.de/**********
• http://www.bessy.de/**********
• http://www.bayerninfo.de/**********
• http://www.uni-osnabrueck.de/**********
• http://www.stuttgarter-zeitung.de/**********
• http://www.mathguide.de/**********
• http://www.blk-bonn.de/**********
• http://www.slowfood.de/**********
• http://www.schaubuehne.de/**********
• http://www.unibw-muenchen.de/**********

The downloaded file is stored on the hard disk at: %SYSDIR%\re_file.exe
At the time this description was written, the file was not available for further analysis.

Registry

The following key is added to the registry so that the process runs at system startup:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• key = %SYSDIR%\winxp.exe

The following values are deleted from the registry:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• ICQ Net; SkynetsRevenge; KasperskyAVEng; Norton Antivirus AV; PandaAVEngine; EasyAV; SysMonXP; MsInfo; FirewallSvr; Jammer2nd; NetDy; HtProtect; ICQNet; Tiny AV; service; Special Firewall Service; Antivirus; 9XHtProtect; Zone Labs Client Ex; My AV
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• ICQ Net; SkynetsRevenge; KasperskyAVEng; Norton Antivirus AV; PandaAVEngine; EasyAV; SysMonXP; MsInfo; FirewallSvr; Jammer2nd; NetDy; HtProtect; ICQNet; Tiny AV; service; Special Firewall Service; Antivirus; 9XHtProtect; Zone Labs Client Ex; My AV

Email

It has an integrated SMTP engine and connects directly to the recipient's mail server. The messages have the following characteristics:

From: The address is spoofed.

To:
– Email addresses found on the system.

Subject: The following:
• Re:

Email body:
– Contains HTML code.
The email body is one of the following texts:
• >foto3 and MP3
• >fotogalary and Music
• >fotoinfo
• >Lovely animals
• >Animals
• >Predators
• >The snake
• >Screen and Music
Sometimes followed by one of the following:
• :)%image containing the password%
• Password: %image containing the password%

Attachment: The attachment file name is composed as follows:
– It starts with one of the following:
• MP3; Music_MP3; New_MP3_Player; Cool_MP3; Doll; Garry; Cat; Dog; Fish
– The file extension is one of the following:
• .exe; .scr; .com; .zip; .cpl

The email may look like one of the following:

Email

Searches for email addresses in files with the following extensions:
• .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml; .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls; .oft; .uin; .cgi; .mht; .dhtm; .jsp

Avoided addresses: It does not send email to addresses containing one of the following strings:
• @microsoft; rating@; f-secur; news; update; anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux; listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip; google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@; postmaster@

P2P

To infect other systems on Peer-to-Peer networks, it performs the following operations:
– Searches for directories whose name contains the text:
• shar
If successful, the following files are created:
• Microsoft Office 2003 Crack, Working!.exe; Microsoft Windows XP, WinXP Crack, working Keygen.exe; Microsoft Office XP working Crack, Keygen.exe; Porno, sex, oral, anal cool, awesome!!.exe; Porno Screensaver.scr; Serials.txt.exe; KAV 5.0; Kaspersky Antivirus 5.0; Porno pics arhive, xxx.exe; Windows Sourcecode update.doc.exe; Ahead Nero 7.exe; Windown Longhorn Beta Leak.exe; Opera 8 New!.exe; XXX hardcore images.exe; WinAmp 6 New!.exe; WinAmp 5 Pro Keygen Crack Update.exe; Adobe Photoshop 9 full.exe; Matrix 3 Revolution English Subtitles.exe; ACDSee 9.exe
These files are copies of the malware.

Process termination

List of terminated processes:
• OUTPOST.EXE; NMAIN.EXE; NORTON_INTERNET_SECU_3.0_407.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE; NPROTECT.EXE; NSCHED32.EXE; NTVDM.EXE; NVARCH16.EXE; KERIO-WRP-421-EN-WIN.EXE; KILLPROCESSSETUP161.EXE; LDPRO.EXE; LOCALNET.EXE; LOCKDOWN.EXE; LOCKDOWN2000.EXE; LSETUP.EXE; CLEANPC.EXE; AVprotect9x.exe; CMGRDIAN.EXE; CMON016.EXE; CPF9X206.EXE; CPFNT206.EXE; CV.EXE; CWNB181.EXE; CWNTDWMO.EXE; ICSSUPPNT.EXE; DEFWATCH.EXE; DEPUTY.EXE; DPF.EXE; DPFSETUP.EXE; DRWATSON.EXE; ENT.EXE; ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; ESCANV95.EXE; AVPUPD.EXE; EXANTIVIRUS-CNET.EXE; FAST.EXE; FIREWALL.EXE; FLOWPROTECTOR.EXE; FP-WIN_TRIAL.EXE; FRW.EXE; FSAV.EXE; AUTODOWN.EXE; FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE; GBMENU.EXE; GBPOLL.EXE; GUARD.EXE; GUARDDOG.EXE; HACKTRACERSETUP.EXE; HTLOG.EXE; HWPE.EXE; IAMAPP.EXE; IAMAPP.EXE; IAMSERV.EXE; ICLOAD95.EXE; ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IFW2000.EXE; IPARMOR.EXE; IRIS.EXE; JAMMER.EXE; ATUPDATER.EXE; AUPDATE.EXE; KAVLITE40ENG.EXE; KAVPERS40ENG.EXE; KERIO-PF-213-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE; BORG2.EXE; BS120.EXE; CDP.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE; AUTOUPDATE.EXE; CFINET.EXE; NAVAPW32.EXE; NAVDX.EXE; NAVSTUB.EXE; NAVW32.EXE; NC2000.EXE; NCINST4.EXE; AUTOTRACE.EXE; NDD32.EXE; NEOMONITOR.EXE; NETARMOR.EXE; NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE; NETSTAT.EXE; NISSERV.EXE; NISUM.EXE; CFIAUDIT.EXE; LUCOMSERVER.EXE; AGENTSVR.EXE; ANTI-TROJAN.EXE; ANTI-TROJAN.EXE; ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE; APLICA32.EXE; APVXDWIN.EXE; ATCON.EXE; ATGUARD.EXE; ATRO55EN.EXE; ATWATCH.EXE; AVCONSOL.EXE; AVGSERV9.EXE; AVSYNMGR.EXE; BD_PROFESSIONAL.EXE; BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE; BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE; BOOTWARN.EXE; NWINST4.EXE; NWTOOL16.EXE; OSTRONET.EXE; OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE; PADMIN.EXE; PANIXK.EXE; PAVPROXY.EXE; DRWEBUPW.EXE; PCC2002S902.EXE; PCC2K_76_1436.EXE; PCCIOMON.EXE; PCDSETUP.EXE; PCFWALLICON.EXE; PCFWALLICON.EXE; PCIP10117_0.EXE; PDSETUP.EXE; PERISCOPE.EXE; PERSFW.EXE; PF2.EXE; AVLTMAIN.EXE; PFWADMIN.EXE; PINGSCAN.EXE; PLATIN.EXE; POPROXY.EXE; POPSCAN.EXE; PORTDETECTIVE.EXE; PPINUPDT.EXE; PPTBC.EXE; PPVSTOP.EXE; PROCEXPLORERV1.0.EXE; PROPORT.EXE; PROTECTX.EXE; PSPF.EXE; WGFE95.EXE; WHOSWATCHINGME.EXE; AVWUPD32.EXE; NUPGRADE.EXE; WHOSWATCHINGME.EXE; WINRECON.EXE; WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE; WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE; ZAPRO.EXE; ZAPSETUP3001.EXE; ZATUTOR.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE; CLEANPC.EXE; CMGRDIAN.EXE; CMON016.EXE; CPD.EXE; CFGWIZ.EXE; CFIADMIN.EXE; PURGE.EXE; PVIEW95.EXE; QCONSOLE.EXE; QSERVER.EXE; RAV8WIN32ENG.EXE; REGEDT32.EXE; REGEDIT.EXE; UPDATE.EXE; RESCUE.EXE; RESCUE32.EXE; RRGUARD.EXE; RSHELL.EXE; RTVSCN95.EXE; RULAUNCH.EXE; SAFEWEB.EXE; SBSERV.EXE; SD.EXE; SETUP_FLOWPROTECTOR_US.EXE; SETUPVAMEEVAL.EXE; SFC.EXE; SGSSFW32.EXE; SH.EXE; SHELLSPYINSTALL.EXE; SHN.EXE; SMC.EXE; SOFI.EXE; SPF.EXE; SPHINX.EXE; SPYXX.EXE; SS3EDIT.EXE; ST2.EXE; SUPFTRL.EXE; LUALL.EXE; SUPPORTER5.EXE; SYMPROXYSVC.EXE; SYS_XP.EXE; SYSXP.EXE; SYSEDIT.EXE; TASKMON.EXE; TAUMON.EXE; TAUSCAN.EXE; TC.EXE; TCA.EXE; TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE; TDS-3.EXE; TFAK5.EXE; TGBOB.EXE; TITANIN.EXE; TITANINXP.EXE; TRACERT.EXE; TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE; UNDOBOOT.EXE; VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE; VBWIN9X.EXE; VBWINNTW.EXE; VCSETUP.EXE; VFSETUP.EXE; VIRUSMDPERSONALFIREWALL.EXE; VNLAN300.EXE; VNPC3000.EXE; VPC42.EXE; VPFW30S.EXE; VPTRAY.EXE; VSCENU6.02D30.EXE; VSECOMR.EXE; VSHWIN32.EXE; VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE; VSWIN9XE.EXE; VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE; W9X.EXE; WATCHDOG.EXE; WEBSCANX.EXE; CFIAUDIT.EXE; CFINET.EXE; ICSUPP95.EXE; MCUPDATE.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; LUINIT.EXE; MCAGENT.EXE; MCUPDATE.EXE; MFW2EN.EXE; MFWENG3.02D30.EXE; MGUI.EXE; MINILOG.EXE; MOOLIVE.EXE; MRFLUX.EXE; MSCONFIG.EXE; MSINFO32.EXE; MSSMMC32.EXE; MU0311AD.EXE; NAV80TRY.EXE; ZAUINST.EXE; ZONALM2601.EXE; ZONEALARM.EXE

Backdoor

Opens a port:
– winxp.exe on TCP port 1080

Other information

Mutex: Creates the following mutexes:
• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• [SkyNet.cz]SystemsMutex
• AdmSkynetJklS003
• ____--->>>>U<<<<--____
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

File details

File compression: To hinder detection and reduce the file size, a runtime packer is used.
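The description above is a list of host indicators: the dropped file and its derived names, the HKCU Run value, the security-product Run values the worm deletes, the mutex names and the TCP 1080 listener. The following added example (not Avira's code and not part of the original description) shows how a responder would match a host snapshot against those indicators. The `HostSnapshot` structure and the two sample snapshots are constructed for the example; on a real machine the fields would be filled from the registry, the system directory, the mutex table and the socket table.

```python
"""Match a host snapshot against the Worm/Bagle.AI indicators listed above.
Added example; the HostSnapshot type and the sample data are constructed."""
from dataclasses import dataclass, field
import re

# Indicators taken from the description.
DROPPED_FILE = "winxp.exe"
DOWNLOADED_FILE = "re_file.exe"
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Run values the worm deletes: their absence on a host that should have one
# of these products is itself a sign of tampering.
DELETED_RUN_VALUES = {
    "ICQ Net", "SkynetsRevenge", "KasperskyAVEng", "Norton Antivirus AV",
    "PandaAVEngine", "EasyAV", "SysMonXP", "MsInfo", "FirewallSvr", "Jammer2nd",
    "NetDy", "HtProtect", "ICQNet", "Tiny AV", "service",
    "Special Firewall Service", "Antivirus", "9XHtProtect",
    "Zone Labs Client Ex", "My AV",
}
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
BACKDOOR_PORT = 1080
# winxp.exe followed by zero or more "open" suffixes covers the derived names.
DERIVED_NAME = re.compile(r"^winxp\.exe(?:open)*$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """What a collector would gather; built by hand in this example."""
    run_values: dict                 # {key path: {value name: data}}
    system_dir_files: list           # file names found in %SYSDIR%
    mutexes: set                     # mutex names currently held
    listening_tcp: list              # [(image name, local port)]
    installed_products: set = field(default_factory=set)  # Run values expected


def check_bagle_ai(snap):
    """Return (indicator, detail) pairs for every match in the snapshot."""
    findings = []

    for name in snap.system_dir_files:
        if DERIVED_NAME.match(name):
            findings.append(("dropped_file", name))
        elif name.lower() == DOWNLOADED_FILE:
            findings.append(("downloaded_file", name))

    present = set()
    for key in RUN_KEYS:
        values = snap.run_values.get(key, {})
        present.update(values)
        for value_name, data in values.items():
            if data.strip('"').lower().endswith("\\" + DROPPED_FILE):
                findings.append(("persistence", f"{key}\\{value_name} = {data}"))

    # Report only the deleted values the host should have had, so a machine
    # that never ran the product is not flagged.
    for removed in sorted((snap.installed_products & DELETED_RUN_VALUES) - present):
        findings.append(("autostart_removed", removed))

    for m in sorted(snap.mutexes & MUTEXES):
        findings.append(("mutex", m))

    # Port 1080 alone is also SOCKS; require the worm's image name as well.
    for image, port in snap.listening_tcp:
        if port == BACKDOOR_PORT and image.lower() == DROPPED_FILE:
            findings.append(("backdoor_port", f"{image} TCP {port}"))

    return findings


# Constructed sample snapshots (paths and product names are illustrative).
INFECTED = HostSnapshot(
    run_values={
        RUN_KEYS[1]: {"key": r"C:\WINDOWS\system32\winxp.exe"},
        RUN_KEYS[0]: {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    },
    system_dir_files=["kernel32.dll", "winxp.exe", "winxp.exeopen",
                      "winxp.exeopenopen", "re_file.exe"],
    mutexes={"[SkyNet.cz]SystemsMutex", "Global\\SomeOtherMutex"},
    listening_tcp=[("svchost.exe", 135), ("winxp.exe", 1080)],
    installed_products={"Zone Labs Client Ex", "KasperskyAVEng"},
)
CLEAN = HostSnapshot(
    run_values={RUN_KEYS[0]: {"Zone Labs Client Ex": r"C:\Program Files\Zone Labs\zlclient.exe"}},
    system_dir_files=["kernel32.dll", "winxpsp2.exe"],
    mutexes={"Global\\SomeOtherMutex"},
    listening_tcp=[("svchost.exe", 135), ("proxy.exe", 1080)],
    installed_products={"Zone Labs Client Ex"},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_bagle_ai(snap))
```

The `autostart_removed` check is the one worth noting: the worm's registry change is a deletion, so the indicator is a missing value rather than a present one, and it is only meaningful when the product is known to be installed.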
Description inserted by Andrei Gherman on Friday, 14 April 2006. Description updated by Andrei Gherman on Friday, 14 April 2006.