Name: Worm/Bagle.FR
Discovered on: 01/03/2006
Type: Worm
In the wild: Yes
Number of reported infections: Medium
Distribution potential: Medium
Damage potential: Low
Static file: No
File size: ~ 21.000 Bytes
VDF version: 6.33.01.40

General
Method of propagation:
• Email

Aliases:
• Symantec: W32.Beagle.DW@mm
• Mcafee: W32/Bagle.gen!Sality
• Kaspersky: Email-Worm.Win32.Bagle.fr
• TrendMicro: WORM_BAGLE.DF
• Sophos: W32/Bagle-DM

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

• Downloads a malicious file
• Uses its own email engine
• Modifies the registry

Files
It copies itself to the following location:
• %SYSDIR%\windll32lib.exe

It copies itself to the following locations (these files have random characters appended at the end and so differ from the original):
• %SYSDIR%\windll32lib.exeopen
• %SYSDIR%\windll32lib.exeopenopen

The following file is created:
– Harmless file:
• %WINDIR%\vcremoval.dll

It tries to download a file from a list of web addresses.

Registry
One of the following values is added to the registry so that the process starts automatically after a reboot:
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "winshell"="%SYSDIR%\windll32lib.exe"

Email
It has a built-in SMTP engine. A direct connection is made to the destination server. Its characteristics are as follows:

From:
The address is spoofed.

To:
– Email addresses found on the system.

Subject:
One of the following:
• Phshing is illigal
• Where did you learn to scam?
• You are a criminal and will be busted!
• You steal from innocent people

Body:
– Contains HTML code.
The body of the email is one of the following texts:
• Dude, I found your email from whois info of a web page that was used in spam and illigal activity, please do something or you will be sued and busted. Was very dumb to leave your email, asshole! P.S Attached file is self-exatracting archive with information about your criminal activity.
• Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack? Open attached file for a proof hmmmm it's quite nice, but I think that cops would be interested in it. So my friend. take the page away and put a Appologize on it. Or the Police will hear from me. Cya my friend
• Hi! Just to inform you that your email is used by a spamer who intends to steal bank account information thru a fake site. If you are not involded, I can bring you additionnal information. Check attached file for a proof. If you are, you're a little son of a bitch.

Attachment:
The name of the attached file is one of the following:
• your_info.exe
• whois_info.exe
• myscreenshot.exe
• scam.exe
• proof.exe

Email
Address search:
It searches for email addresses in the following files:
• .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml; .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls; .oft; .uin; .cgi; .mht; .dhtm; .jsp

P2P
It searches for directories whose names contain the text:
• share

If successful, the following files are created:
• anna benson sex video.exe; kate beckinsale nude pictures.exe; jenna elfman sex anal deepthroat.exe; miss america Porno, sex, oral, anal cool, awesome!!.exe; Porno Screensaver.scr; Serials.txt.exe; barrett jackson nude photos, movies, porn video.exe; Britney Spears sex photos.exe; paris hilton Porno pics arhive, xxx.exe; Windows Sourcecode update.doc.exe; Ahead Nero 10.exe; Windown Vista Beta Leak.exe; IE beta 7.exe; Serials 2005 database.exe; XXX hardcore images.exe; Adobe Photoshop 9 full.exe

Description inserted by Alexander Vukcevic on Wednesday, 1 March 2006
Description updated by Alexander Vukcevic on Monday, 6 March 2006