Name: Worm/Bagle.FH
Discovered on: 03/02/2006
Type: Worm
In the wild (ITW): Yes
Number of reported infections: Low to medium
Spreading potential: Medium to high
Damage potential: Medium
Static file: No
Size: ~17,000 bytes
VDF version: 6.33.00.194
Heuristic: TR/Bagle.Gen.B
General
Spreading methods:
• Email
• Peer to Peer
Aliases:
• Symantec: W32.Beagle.DM@mm
• Mcafee: W32/Bagle.do@MM
• Kaspersky: Email-Worm.Win32.Bagle.fj
• TrendMicro: WORM_BAGLE.CL
• F-Secure: W32/Bagle.DX@mm
• Sophos: Troj/BagleDl-BK
• Panda: W32/Bagle.GR.worm
• VirusBuster: I-Worm.Bagle.GI
• Eset: Win32/Bagle.EZ
• Bitdefender: Win32.Worm.Bagle.CL
Initially identified as:
• TR/Bagle.Gen.B
Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Blocks access to security companies' websites
• Terminates security applications
• Downloads files
• Uses its own email engine
• Lowers security settings
• Modifies the registry

Files
Copies itself to the following location:
• %SYSDIR%\sysformat.exe
Copies itself to the following location (the file has random characters appended at its end, which is how it differs from the original):
• %SYSDIR%\sysformat.exeopen
A section is added to the file.
– To: %SYSDIR%\sysformat.exeopen
With the following content:
• %random character combination%
Renames the following files:
• aaa.exe to bbb.exe
• mysuperprog1.exe to mysuperprog2.exe
Deletes the following file:
• mysuperprog.exe
The following files are created:
– Creates an archive containing a copy of the malware:
• %SYSDIR%\sysformat.exeopenopen
– %SYSDIR%\sysformat.exeopenopenopen
This is a harmless text file with the following content:
• %random character combination%
Attempts to download a file:
– The addresses are the following:
• http://www.cnsrvr.com/**********
• http://www.casinofunnights.com/**********
• http://www.ec.cox-wacotrib.com/**********
• http://www.crazyiron.ru/**********
• http://www.uni-esma.de/**********
• http://www.sorisem.net/**********
• http://www.varc.lv/**********
• http://www.belwue.de/**********
• http://www.thetildegroup.com/**********
• http://www.vybercz.cz/**********
• http://www.kyno.cz/**********
• http://www.forumgestionvilles.com/**********
• http://www.campus-and-more.com/**********
• http://www.capitalforex.com/**********
• http://www.capitalspreadspromo.com/**********
• http://www.prineus.de/**********
• http://www.databoots.de/**********
• http://www.steintrade.net/**********
• http://www.njzt.net/**********
• http://www.emarrynet.com/**********
• http://www.zebrachina.net/**********
• http://www.lxlight.com/**********
• http://www.yili-lighting.com/**********
• http://www.fachman.com/**********
• http://www.q-serwer.net/**********
• http://www.wellness-i.com/**********
• http://www.newportsystemsusa.com/**********
• http://www.westcoastcadd.com/**********
• http://www.wing49.cz/**********
• http://www.posteffects.com/**********
• http://www.provax.sk/**********
• http://www.casinobrillen.de/**********
• http://www.duodaydream.nl/**********
• http://www.finlaw.ru/**********
• http://www.fitdina.com/**********
• http://www.flashcardplayer.com/**********
• http://www.flox-avant.ru/**********
• http://www.lotslink.com/**********
• http://www.algor.com/**********
• http://www.gaspekas.com/**********
• http://www.ezybidz.com/**********
• http://www.genesisfinancialonline.com/**********
• http://www.georg-kuenzle.ch/**********
• http://www.girardelli.com/**********
• http://www.rodoslovia.ru/**********
• http://www.golden-gross.ru/**********
• http://www.gregoryolson.com/**********
• http://www.gtechna.com/**********
• http://www.lunardi.com/**********
• http://www.sgmisburg.de/**********
• http://www.harmony-farms.net/**********
• http://www.hftmusic.com/**********
• http://www.hiwmreport.com/**********
• http://www.horizonimagingllc.com/**********
• http://www.hotelbus.de/**********
• http://www.howiwinmoney.com/**********
• http://www.ietcn.com/**********
• http://www.import-world.com/**********
• http://www.houstonzoo.org/**********
• http://www.interorient.ru/**********
• http://www.internalcardreaders.com/**********
• http://www.interstrom.ru/**********
• http://www.iutoledo.org/**********
• http://www.wena.net/**********
• http://www.iesgrantarajal.org/**********
• http://www.alexandriaradiology.com/**********
• http://www.booksbyhunter.com/**********
• http://www.wxcsxy.com/**********
• http://www.coupdepinceau.com/**********
• http://www.erotologist.com/**********
• http://www.jackstitt.com/**********
• http://www.imspress.com/**********
• http://www.digitalefoto.net/**********
• http://www.josemarimuro.com/**********
• http://www.eversetic.com/**********
• http://www.curious.be/**********
• http://www.kameo-bijux.ru/**********
• http://www.karrad6000.ru/**********
• http://www.kaztransformator.kz/**********
• http://www.keywordthief.com/**********
The file is stored on the hard disk at: %SYSDIR%\re_file.exe
At the time this description was written, the file was not available for further analysis.

System registry
The following key is added to the registry, repeatedly, in order to start the process after a reboot.
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• sysformat = %SYSDIR%\sysformat.exe
The values of the following registry keys are deleted:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• My AV
• ICQ Net
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• My AV
• ICQ Net
The following registry keys are deleted, including all their values and subkeys:
• [HKCU\Software\New Key 1\1]
• [HKCU\Software\New Key 1\2]
• [HKCU\Software\New Key 1\New Key 1]
The following keys are added to the registry:
– [HKCU\Software\Microsoft\Params]
• FirstRun = dword:00000001
– [HKLM\SOFTWARE\Microsoft\DownloadManager]
The following registry key is modified:
Disables the Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• Start = %user settings%
New value:
• Start = dword:00000004

Email
It has an integrated SMTP engine. A direct connection is made to the recipient's server. Its characteristics are:
From: The address is spoofed.
To:
– Email addresses found on the system.
Subject: One of the following:
• Delivery service mail
• Delivery by mail
• Registration is accepted
• Is delivered mail
• You are made active
Body: The body of the email is one of the following texts:
• Thanks for use of our software.
• Before use read the help.
Attachment: The name of the attached file is one of the following:
• wsd01.zip
• viupd02.zip
• siupd02.zip
• guupd02.zip
• zupd02.zip
• upd02.zip
• Jol03.zip
The attachment is a copy of the created file: %SYSDIR%\sysformat.exeopenopen
The email may look like one of the following:

Email address harvesting:
Searches for email addresses in files with the following extensions:
• .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml; .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls; .oft; .uin; .cgi; .mht; .dhtm; .jsp
Avoided addresses: Does not send email to addresses that contain one of the following strings:
• @microsoft; rating@; f-secur; news; update; anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux; listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip; google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@; postmaster@
Internet address resolution: Does not use the default DNS server. It may connect to the following DNS server:
• 217.5.97.137

P2P
To infect other systems on Peer-to-Peer networks, it performs the following actions:
– Searches for directories whose name contains the text:
• shar
If successful, the following files are created:
• 1.exe; 2.exe; 3.exe; 4.exe; 5.scr; 6.exe; 7.exe; 8.exe; 9.exe; 10.exe; Ahead Nero 7.exe; Windown Longhorn Beta Leak.exe; Opera 8 New!.exe; XXX hardcore images.exe; WinAmp 6 New!.exe; WinAmp 5 Pro Keygen Crack Update.exe; Adobe Photoshop 9 full.exe; Matrix 3 Revolution English Subtitles.exe; ACDSee 9.exe

Hosts file
The hosts file is modified; in this case, the existing entries are deleted.
– Access to the following domains is blocked:
• ad.doubleclick.net; ad.fastclick.net; ads.fastclick.net; ar.atwola.com; atdmt.com; avp.ch; avp.com; avp.ru; awaps.net; banner.fastclick.net; banners.fastclick.net; ca.com; click.atdmt.com; clicks.atdmt.com; dispatch.mcafee.com; download.mcafee.com; download.microsoft.com; downloads.microsoft.com; engine.awaps.net; fastclick.net; f-secure.com; ftp.f-secure.com; ftp.sophos.com; go.microsoft.com; liveupdate.symantec.com; mast.mcafee.com; mcafee.com; media.fastclick.net; msdn.microsoft.com; my-etrust.com; nai.com; networkassociates.com; office.microsoft.com; phx.corporate-ir.net; secure.nai.com; securityresponse.symantec.com; service1.symantec.com; sophos.com; spd.atdmt.com; support.microsoft.com; symantec.com; update.symantec.com; updates.symantec.com; us.mcafee.com; vil.nai.com; viruslist.ru; windowsupdate.microsoft.com; www.avp.ch; www.avp.com; www.avp.ru; www.awaps.net; www.ca.com; www.fastclick.net; www.f-secure.com; www.kaspersky.ru; www.mcafee.com; www.my-etrust.com; www.nai.com; www.networkassociates.com; www.sophos.com; www.symantec.com; www.trendmicro.com; www.viruslist.ru; www3.ca.com
The modified hosts file will look like this:

Process termination
List of terminated processes:
• mcagent.exe; mcvsshld.exe; mcshield.exe; mcvsescn.exe; mcvsrte.exe; DefWatch.exe; Rtvscan.exe; ccEvtMgr.exe; NISUM.EXE; ccPxySvc.exe; navapsvc.exe; NPROTECT.EXE; nopdb.exe; ccApp.exe; Avsynmgr.exe; VsStat.exe; Vshwin32.exe; alogserv.exe; RuLaunch.exe; Avconsol.exe; PavFires.exe; FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE; AUTODOWN.EXE; NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; ATUPDATER.EXE; AUPDATE.EXE; AUTOTRACE.EXE; AUTOUPDATE.EXE; AVXQUAR.EXE; AVWUPD32.EXE; AVPUPD.EXE; CFIAUDIT.EXE; UPDATE.EXE; NUPGRADE.EXE; MCUPDATE.EXE; pavsrv50.exe; AVENGINE.EXE; APVXDWIN.EXE; pavProxy.exe; navapw32.exe; navapsvc.exe; ccProxy.exe; navapsvc.exe; NPROTECT.EXE; SAVScan.exe; SNDSrvc.exe; symlcsvc.exe; LUCOMS~1.EXE; blackd.exe; bawindo.exe; FrameworkService.exe; VsTskMgr.exe; SHSTAT.EXE; UpdaterUI.exe

Other information
Mutex: Creates the following mutexes:
• vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

File details
File compression: To hinder detection and reduce the file size, a runtime packer is used.
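The registry changes listed in the "System registry" section above (the sysformat autorun value, the SharedAccess Start value set to 4, and the FirstRun marker under HKCU\Software\Microsoft\Params) can be checked offline in a regedit export. The following script is an added example and is not part of the original description; the indicator paths come from the description, while the export text and the parser are constructed here for illustration.

```python
"""Flag the registry changes listed above in a regedit (.reg) export.

Added example (not code from the original Avira description). The indicators
are the ones the description gives: the sysformat Run value, the SharedAccess
Start value set to 4, and the Microsoft\\Params FirstRun marker.
SAMPLE_EXPORT is a constructed export used only to exercise the parser.
"""

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
SHARED_ACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
PARAMS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Params"

# Constructed sample export; regedit doubles backslashes inside string data.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysformat"="C:\\WINDOWS\\system32\\sysformat.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Params]
"FirstRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')
        keys[current][name.lower()] = data.strip()
    return keys


def find_indicators(text):
    """Return a list of human-readable findings for the indicators above."""
    keys = parse_reg(text)
    findings = []
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key.lower(), {}).items():
            # The description's autorun value: sysformat = %SYSDIR%\sysformat.exe
            if "sysformat.exe" in data.lower():
                findings.append(f"autorun value {name} under {run_key}: {data}")
    start = keys.get(SHARED_ACCESS.lower(), {}).get("start", "")
    if start.lower() == "dword:00000004":
        findings.append("SharedAccess (Windows Firewall/ICS) service Start = 4 (disabled)")
    if "firstrun" in keys.get(PARAMS_KEY.lower(), {}):
        findings.append(r"marker value FirstRun present under HKCU\Software\Microsoft\Params")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_EXPORT):
        print(finding)
```

Export the relevant hives with regedit (or `reg export`) from the suspect machine and pass the file contents to `find_indicators`; key paths and value names are compared case-insensitively because the registry itself is case-insensitive.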
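The "Hosts file" section above lists the security-vendor and update domains the worm maps in the hosts file. The following script is an added example and is not part of the original description: it parses a hosts file and reports every entry for one of those domains (or a subdomain of one, which goes slightly beyond the list). The domain list is the description's; the sample hosts content is constructed here.

```python
"""Triage a Windows hosts file for hijacked security-vendor domains.

Added example (not code from the original Avira description). BLOCKED_DOMAINS
is the domain list given in the description above; SAMPLE_HOSTS is a
constructed hosts file used only to exercise the checks.
"""

# Domains the worm maps in the hosts file, as listed in the description.
BLOCKED_DOMAINS = set("""
ad.doubleclick.net ad.fastclick.net ads.fastclick.net ar.atwola.com atdmt.com
avp.ch avp.com avp.ru awaps.net banner.fastclick.net banners.fastclick.net
ca.com click.atdmt.com clicks.atdmt.com dispatch.mcafee.com download.mcafee.com
download.microsoft.com downloads.microsoft.com engine.awaps.net fastclick.net
f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com
liveupdate.symantec.com mast.mcafee.com mcafee.com media.fastclick.net
msdn.microsoft.com my-etrust.com nai.com networkassociates.com
office.microsoft.com phx.corporate-ir.net secure.nai.com
securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com
support.microsoft.com symantec.com update.symantec.com updates.symantec.com
us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch
www.avp.com www.avp.ru www.awaps.net www.ca.com www.fastclick.net
www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com
www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com
www.viruslist.ru www3.ca.com
""".split())

# Constructed sample: a default hosts file with entries appended by malware.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1       www.f-secure.com   # appended entry
0.0.0.0         download.mcafee.com
10.0.0.5        intranet.example.test
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        address, hostnames = fields[0], fields[1:]
        for host in hostnames:
            yield address, host.lower()


def is_watched(host):
    """True for a listed domain or any subdomain of one (broader than the list)."""
    return host in BLOCKED_DOMAINS or any(
        host.endswith("." + domain) for domain in BLOCKED_DOMAINS)


def triage_hosts(text):
    """Return {hostname: address} for every watched domain in the file.

    Any mapping of a vendor domain is suspicious: a clean hosts file does not
    name them at all, whether the target is loopback, 0.0.0.0 or a real host.
    """
    return {host: address for address, host in parse_hosts(text) if is_watched(host)}


if __name__ == "__main__":
    for host, address in sorted(triage_hosts(SAMPLE_HOSTS).items()):
        print(f"suspicious hosts entry: {host} -> {address}")
```

On a live Windows system the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; the script flags the mapping regardless of the target address, since a redirect to an attacker-controlled host is as harmful as the loopback blackhole this worm uses.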
Description inserted by Andrei Gherman on Friday, 3 February 2006. Description updated by Andrei Gherman on Friday, 10 February 2006.