Alias: W32.Beagle.A@mm, Win32.Bagle.Gen@mm, i-Worm.Bagle.f
Type: Worm
Size: ~24KB (PEX packed)
Origin: unknown
Date: 02-29-2004
Damage: Sends itself by email
VDF Version: 6.24.00.27
Danger: Low
Distribution: Medium

General Description

Like its predecessors, this worm sends itself to email addresses found on the infected system. In addition, this version tries to spread over P2P networks.

Symptoms

* Open TCP port 2745
* Presence of the mentioned registry entries
* Presence of the mentioned files
* Increased email traffic

Distribution

* Sends itself via email using its own SMTP engine
* Copies itself to P2P share folders

Technical Details

Worm/Bagle.F has a variable file size of ~24KB. The file is packed with PEX. The email attachment is either a ZIP archive or an executable file. The worm copies itself into the %System% folder under the following file name:

* i1ru74n4.exe

and will also create the following files:

* go54o.exe (24,064 bytes)
* ii5nj4.exe (1,536 bytes)
* i1ru54n4.exeopen (ZIP archive ~23KB)

The worm will scan all the files having the following extensions for email addresses, and will send itself to them, using a spoofed sender address:

* wab
* txt
* htm
* html
* dbx
* mdx
* eml
* nch
* mmf
* ods
* cfg
* asp
* php
* pl
* adb
* sht

The worm will not send mails to the addresses containing any of the following strings:

* @avp
* @hotmail.com
* @microsoft
* @msn.com
* local
* noreply
* postmaster@
* root@

The return address is spoofed, and the attachment has a random file name with the extension "zip". Zip archives are sometimes password-protected. The password, a randomly selected number, is mentioned in the email. The subject of the mail is randomly chosen from one of the following:

* ^ _ ^ meay meay!
* Audra
* Bath girl
* beautiful
* Caitie
* ello! =))
* Photographer
* Gallery photo
* groom
* Hey, dude, it's ME ^ _ ^:P
* Hey, ya! =))
* Rear one! : -)
* Hokki =)
* July
* kate
* My name is Frenk
* Katrina
* Kelley
* kleopatra
* Mandy
* Mary Anne
* My photo
* Myphotos
* Photo album
* rebecca
* Tammy
* Wau... beautiful (-:
* Weah, hello! : -)
* Weeeeee! ;)))

The body of the email is selected randomly from one of the following:

* Argh, i don't like the plaintext :)
* Fell free to chat with me I accept all ages. Don't worry I don't bite........hope to hear from you soon!
* Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...
* Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks
* Hi! :-)
* Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!
* Hokki =)
* I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
* I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.
* I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff
* I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...
* I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.
* I love to dance, read poetry, make people laugh, and hug as many people a day as i can.
* If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.
* I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday
* I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.
* I'm married and I stay at home. And I don't do cyber sex so leave me the fuck alone
* i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
* Looking forward for a response :P
* Love the outdoors, literature, writing, and athletics
* My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.
* Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.
* Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.
* When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together
* You don t know what you ve got till it s gone
* You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?

The attachment is a password-protected ZIP archive with the password mentioned on the last line of the email body:

* password for archives: <random NUMBER>
* pass: <random NUMBER>
* password: <random NUMBER>
* archive passwords: <random NUMBER>

The name of the attachment is randomly selected from the following names, with an "exe", "scr" or "zip" extension:

* Aline
* Anna
* Audra
* Bath girl
* Barbi
* Caitie
* caroline
* Gallery
* It_I
* Jammie
* July
* Julie
* kate
* Kelly
* kleopatra
* Lisa
* Mandy
* Mary Anne
* myfotos
* Photo album
* Photomontage
* Picture
* Rana
* rebecca
* Sarah
* Tammy
* stacy
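
The email traits described above (listed subject, numeric password on the last body line, listed attachment name with an exe/scr/zip extension) can be combined into a mail-gateway heuristic. The following is an added example, not part of the original description; the function names, the score convention and the sample message are constructed for illustration, and the sets hold only a subset of the lists above.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subsets of the subject and attachment-name lists above, lower-cased.
SUBJECTS = {"my photo", "myphotos", "photo album", "gallery photo", "kate", "rebecca"}
ATTACH_NAMES = {"photo album", "gallery", "picture", "myfotos", "kate", "rebecca"}
EXTENSIONS = {"exe", "scr", "zip"}
# The four password-line prefixes listed above, each followed by a number.
PASSWORD_LINE = re.compile(
    r"^(password for archives|archive passwords|password|pass):\s*\d+$", re.I)

def score_message(raw):
    """Return (score, reasons) for one message given as RFC 822 text."""
    reasons = set()
    msg = message_from_string(raw)
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        reasons.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            base, _, ext = name.lower().rpartition(".")
            if base in ATTACH_NAMES and ext in EXTENSIONS:
                reasons.add("attachment")
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "latin-1"
            text = part.get_payload(decode=True).decode(charset, "replace")
            lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
            # The description says the password is on the last line of the body.
            if lines and PASSWORD_LINE.match(lines[-1]):
                reasons.add("password-line")
    return len(reasons), sorted(reasons)

def make_sample(subject, body, filename=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    worm_like = make_sample("My photo", "Hi! :-)\npassword: 48213\n", "Photo album.zip")
    print(score_message(worm_like))
```

Several listed subjects and names are ordinary words ("kate", "July"), so a single match is weak evidence; quarantining only at a score of 2 or more keeps false positives down.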

The worm will also try to spread over P2P networks by copying itself into the following folders:

* %Program Files%\bearshare\
* %Program Files%\bearshare\shared\
* %Program Files%\Common Files\Microsoft Shared\
* %Program Files%\kazaa\my shared folders\
* %Program Files%\KaZaA Lite\my shared folders\
* %Program Files%\morpheus\my shared folders\

by using the following names:

* ACDSee 9.exe
* Adobe Photoshop 9 full.exe
* Ahead Nero 7.exe
* Matrix 3 revolution English Subtitles.exe
* Microsoft Office 2003 Crack, Working!.exe
* Microsoft Office XP working Crack, Keygen.exe
* Microsoft Windows XP, WinXP Crack, working Keygen.exe
* Opera 8 New!.exe
* Porno pics arhive, xxx.exe
* Porno Screensaver.scr
* Porno, sex, orally, anal cool, awesome!!.exe
* Serials.txt.exe
* shared
* WinAmp 5 pro key gene Crack Update.exe
* WinAmp 6 New!.exe
* Windown Longhorn beta Leak.exe
* Windows sourcecode update.doc.exe
* XXX hard core images.exe

In addition, the following entries are added to the Windows Registry:

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run]
"rate.exe"="C:\\WINDOWS\\System32\\i1ru54n4.exe"

* [HKEY_CURRENT_USER\Software\winword]
"frun"=dword:00000001

It will also try to terminate any of the following processes, if they are running:

* ATUPDATER.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AVLTMAIN.EXE
* AVPUPD.EXE
* AVWUPD32.EXE
* AVXQUAR.EXE
* CFIAUDIT.EXE
* DRWEBUPW.EXE
* ICSSUPPNT.EXE
* ICSUPP95.EXE
* LUALL.EXE
* MCUPDATE.EXE
* NUPGRADE.EXE
* OUTPOST.EXE
* UPDATE.EXE

Description added by Crony Walker on Tuesday, June 15, 2004
