Virus name: Worm/Bagle.FR
Discovered: 01/03/2006
Type: Worm
In the wild (ITW): Yes
Number of reported infections: Medium
Propagation potential: Medium
Damage potential: Low
Static file: No
File size: ~21,000 bytes
VDF version: 6.33.01.40

General
Propagation method:
   • Email


Aliases:
   •  Symantec: W32.Beagle.DW@mm
   •  McAfee: W32/Bagle.gen!Sality
   •  Kaspersky: Email-Worm.Win32.Bagle.fr
   •  TrendMicro: WORM_BAGLE.DF
   •  Sophos: W32/Bagle-DM


Platforms / Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a “malicious” file
   • Uses its own SMTP engine to send email
   • Modifies the registry

File
Copies itself to the following location:
   • %SYSDIR%\windll32lib.exe



Copies itself to the following locations. These files have random bytes appended at the end, so they may differ from the original:
   • %SYSDIR%\windll32lib.exeopen
   • %SYSDIR%\windll32lib.exeopenopen



The following file is created:

– “Non-malicious” file:
   • %WINDIR%\vcremoval.dll




Attempts to download a file:

– The download locations are the following:

Registry
One of the following values is added so that the process runs again after a reboot:

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "winshell"="%SYSDIR%\windll32lib.exe"

Email
Contains an integrated SMTP engine for sending email. A direct connection to the destination mail server is established. The characteristics are described below:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Phshing is illigal
   • Where did you learn to scam?
   • You are a criminal and will be busted!
   • You steal from innocent people



Email body:
– Contains HTML code.
The body of the email is one of the following:

   • Dude,
     I found your email from whois info of a web page that was used in spam and illigal activity,
     please do something or you will be sued and busted.
     Was very dumb to leave your email, asshole!

     P.S Attached file is self-exatracting archive with information about your criminal activity.

   • Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack?
     Open attached file for a proof
     hmmmm it's quite nice, but I think that cops would be interested in it.
     So my friend. take the page away and put a Appologize on it.
     Or the Police will hear from me.
     Cya my friend

   • Hi!
     Just to inform you that your email is used by a spamer who intends
     to steal bank account information thru a fake site.
     If you are not involded, I can bring you additionnal information. Check attached file for a proof.
     If you are, you're a little son of a bitch.



Attachment:
The attachment file name is one of the following:
   • your_info.exe
   • whois_info.exe
   • myscreenshot.exe
   • scam.exe
   • proof.exe
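The lure strings, dropped file names and Run value listed above are fixed, so they can be turned into simple triage checks. The following is an added example, not Avira's code: it classifies a message by subject and attachment name, recognises the dropped file and its "open"-suffixed copies, and checks a Run value against the persistence entry; all sample records are constructed.

```python
"""Triage helpers for the Worm/Bagle.FR indicators in the description above.
Added example, not Avira's code; sample messages and registry records are constructed."""
import re

# Lure strings and attachment names exactly as given in the description.
LURE_SUBJECTS = {
    "phshing is illigal",
    "where did you learn to scam?",
    "you are a criminal and will be busted!",
    "you steal from innocent people",
}
LURE_ATTACHMENTS = {"your_info.exe", "whois_info.exe", "myscreenshot.exe",
                    "scam.exe", "proof.exe"}
RUN_VALUE_NAME = "winshell"
# The dropped copies are windll32lib.exe with zero or more trailing "open".
DROPPED_FILE = re.compile(r"^windll32lib\.exe(open)*$")


def classify_message(subject, attachment):
    """'match' when subject and attachment are both lure strings, 'suspect'
    when only one is (the attachment names alone are too generic), else 'clean'."""
    subj_hit = subject.strip().lower() in LURE_SUBJECTS
    att_hit = (attachment or "").strip().lower() in LURE_ATTACHMENTS
    if subj_hit and att_hit:
        return "match"
    if subj_hit or att_hit:
        return "suspect"
    return "clean"


def is_dropped_file(path):
    """True for %SYSDIR%\\windll32lib.exe and its 'open'-suffixed copies."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()
    return bool(DROPPED_FILE.match(name))


def is_persistence_entry(value_name, value_data):
    """True for the HKCU Run value the worm adds. Registry value names are
    case-insensitive, and %SYSDIR% is usually already expanded on a live host."""
    return value_name.lower() == RUN_VALUE_NAME and is_dropped_file(value_data)


if __name__ == "__main__":
    # Constructed samples: one lure message, one that only shares the attachment name.
    for subj, att in [("Phshing is illigal", "proof.exe"), ("Invoice", "proof.exe")]:
        print(f"{subj!r} + {att!r}: {classify_message(subj, att)}")
    for name, data in [("winshell", r"C:\WINDOWS\system32\windll32lib.exe"),
                       ("Updater", r"C:\Program Files\Vendor\update.exe")]:
        print(f"Run\\{name}: {'worm persistence' if is_persistence_entry(name, data) else 'ok'}")
```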

Mailing
Searches for addresses:
Searches the following files for email addresses:
   • .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
      .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
      .oft; .uin; .cgi; .mht; .dhtm; .jsp

P2P
Searches for directories containing the following substring:
   • share

   If successful, the following files are created:
   • anna benson sex video.exe
   • kate beckinsale nude pictures.exe
   • jenna elfman sex anal deepthroat.exe
   • miss america Porno, sex, oral, anal cool, awesome!!.exe
   • Porno Screensaver.scr
   • Serials.txt.exe
   • barrett jackson nude photos, movies, porn video.exe
   • Britney Spears sex photos.exe
   • paris hilton Porno pics arhive, xxx.exe
   • Windows Sourcecode update.doc.exe
   • Ahead Nero 10.exe
   • Windown Vista Beta Leak.exe
   • IE beta 7.exe
   • Serials 2005 database.exe
   • XXX hardcore images.exe
   • Adobe Photoshop 9 full.exe


Description inserted by Alexander Vukcevic on Wednesday, 1 March 2006
Description updated by Alexander Vukcevic on Monday, 6 March 2006
