Alias: W32.Beagle.H@mm, Win32.Bagle.Gen@mm, I-Worm.Bagle.H
Type: Worm
Size: ~21KB (PEX packed)
Origin: unknown
Date: 03-01-2004
Damage: Sends itself as email
VDF Version: 6.24.00.32
Danger: Low
Distribution: Medium

General Description

This worm sends itself, like its predecessors, to email addresses found on the infected system. In addition, this version tries to spread over P2P networks.

Symptoms

* Open TCP port 2745
* Presence of the mentioned registry entries
* Presence of the mentioned files
* Increased email traffic

Distribution

* Sends itself via email using its own SMTP engine
* Copies itself to P2P share folders

Technical Details

Worm/Bagle.H has a variable file size of ~24KB. The file is packed with PEX. The worm copies itself into the %System% folder as:

* i11r54n4.exe (~21KB)

and also creates these additional files:

* go54o.exe (24,064 bytes)
* ii5nj4.exe (1,536 bytes)
* i1ru54n4.exeopen (ZIP file ~21KB)

The worm scans all files with the following extensions for email addresses and sends itself to them, using a spoofed sender address:

* wab
* txt
* htm
* html
* dbx
* mdx
* eml
* nch
* mmf
* ods
* cfg
* asp
* php
* pl
* adb
* sht

The worm will not send mail to addresses containing any of the following strings:

* @avp
* @hotmail.com
* @microsoft
* @msn.com
* local
* noreply
* postmaster@
* root@

The return address is spoofed and the attachment has a random file name with the extension "zip". The ZIP archives are sometimes password-protected; the password, randomly chosen from digits, is mentioned in the email. The subject of the mail is randomly chosen from one of the following:

* :)
* :)
* : -)
* ^ _ ^ meay meay!
* ^ _ ^ mew mew (-:
* ello! =))
* Hey, dude, it's ME ^ _ ^:P
* Hey, ya! =))
* Rear one! : -)
* Hokki =)
* Weah, hello! : -)
* Weeeeee! ;)))

The "Body" of the email is randomly selected from one of the following:

* Argh, i don't like the plaintext:)
* I don't bite, weah!
* Looking forward for a response:P
* Argh, i don't like the plaintext:)
* Argh, i don't like the plaintext:)
* I don't bite, weah!
* Looking forward for a response:P

Worm/Bagle.H can insert several extra whitespace characters between the individual words to vary its appearance. The attachment is a password-protected ZIP archive, with the password given on the last line of the email body in one of these forms:

* ...btw, "<%random string%>" is a password for archive
* archive password: <%random string%>
* password: <%random string%>
* password -- <%random string%>
* pass: <%random string%>
* <%random string%> -- archive password

The zip file attached can have one of the following names:

* Attach.zip
* AttachedDocument.zip
* AttachedFile.zip
* Document.zip
* Info.zip
* Letter.zip
* Message.zip
* MoreInfo.zip
* Msg.zip
* MsgInfo.zip
* Readme.zip
* Text.zip
* TextFile.zip
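As an added example (not part of Avira's description), the following Python check flags a message as Bagle.H-like from the mail traits listed above: a known ZIP attachment name plus a listed subject, body line or last-line password template, with whitespace collapsed before comparison so the worm's inserted blanks do not defeat the match. The sample message, its password and the assumption that the password is a run of digits are constructed for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicator strings copied from the description above.
SUBJECTS = {":)", ": -)", "^ _ ^ meay meay!", "^ _ ^ mew mew (-:", "ello! =))",
            "Hey, dude, it's ME ^ _ ^:P", "Hey, ya! =))", "Rear one! : -)", "Hokki =)",
            "Weah, hello! : -)", "Weeeeee! ;)))"}
BODIES = {"Argh, i don't like the plaintext:)", "I don't bite, weah!",
          "Looking forward for a response:P"}
ATTACHMENTS = {"Attach.zip", "AttachedDocument.zip", "AttachedFile.zip", "Document.zip",
               "Info.zip", "Letter.zip", "Message.zip", "MoreInfo.zip", "Msg.zip",
               "MsgInfo.zip", "Readme.zip", "Text.zip", "TextFile.zip"}
# Last-line password templates; assumption: the random password is a run of digits.
PASSWORD_LINE = re.compile(
    r'^(?:\.\.\.btw, "(\d+)" is a password for archive|archive password: (\d+)'
    r'|password: (\d+)|password -- (\d+)|pass: (\d+)|(\d+) -- archive password)$')

def norm(text: str) -> str:
    """Collapse whitespace runs: the worm pads words with extra blanks to vary its look."""
    return " ".join(text.split())

def bagle_h_indicators(raw: bytes) -> dict:
    """Report which Bagle.H mail traits a raw RFC 822 message shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content() if text_part else ""
    lines = [n for n in map(norm, text.splitlines()) if n]
    pw = PASSWORD_LINE.match(lines[-1]) if lines else None
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "subject": norm(msg["Subject"] or "") in SUBJECTS,
        "body": any(l in BODIES for l in lines),
        "password": next(g for g in pw.groups() if g) if pw else None,
        "attachment": next((n for n in names if n in ATTACHMENTS), None),
    }

def looks_like_bagle_h(raw: bytes) -> bool:
    """Known ZIP name plus at least one text trait: a cheap mail-gateway rule."""
    ind = bagle_h_indicators(raw)
    return ind["attachment"] is not None and bool(ind["subject"] or ind["body"] or ind["password"])

def build_sample() -> bytes:
    """Constructed message imitating the description (not a real capture); padded with blanks."""
    msg = EmailMessage()
    msg["Subject"] = "Hey,   ya!  =))"
    msg.set_content("Looking   forward  for a response:P\npassword:  48201\n")
    msg.add_attachment(b"PK\x03\x04 constructed, not a real archive", maintype="application",
                       subtype="zip", filename="MsgInfo.zip")
    return msg.as_bytes()
```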

In addition, the following entries are added to the Windows Registry:

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rate.exe"="C:\\WINDOWS\\System32\\i11r54n4.exe"

* [HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001

It will also try to terminate any of the following processes, if they are running:

* ATUPDATER.EXE
* ATUPDATER.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AVLTMAIN.EXE
* AVPUPD.EXE
* AVWUPD32.EXE
* AVXQUAR.EXE
* CFIAUDIT.EXE
* DRWEBUPW.EXE
* ICSSUPPNT.EXE
* ICSUPP95.EXE
* LUALL.EXE
* MCUPDATE.EXE
* NUPGRADE.EXE
* NUPGRADE.EXE
* OUTPOST.EXE
* UPDATE.EXE

The worm will also try to access one of the following web pages:

* http://postertog.de/scr.php
* http://www.gfotxt.net/scr.php
* http://www.maiklibis.de/scr.php
Description inserted by Crony Walker on Tuesday, 15 June 2004
