Date discovered:28/11/2005
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:20,672 Bytes
MD5 checksum:aee49aa81eceff74a4e5162b6284f989
VDF version:

 General Method of propagation:
   • Email

Aliases:
   •  Kaspersky: Email-Worm.Win32.Bagle.eo
   •  TrendMicro: WORM_BAGLE.BX
   •  VirusBuster: I-Worm.Bagle.EZ
   •  Eset: Win32/Bagle.DR
   •  Bitdefender: Win32.Bagle.EO@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP

Side effects:
   • Downloads malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

 Files
It copies itself to the following location:
   • %SYSDIR%\wind2ll2.exe

It tries to download some files:

The locations are the following:
   • http://clickhare.com/images/**********
   • http://amerikansk-bulldog.dk/images/**********
   • http://eventpeopleforyou.com/help/**********
   • http://ekshrine.com/images/**********
   • http://www.familia-sanchez.net/images/**********
   • http://www.asymchem.com/images/**********
   • http://www.baku-xeber.com/images/**********
   • http://www.abmedical.pl/images/**********
   • http://www.cellphonemadeinchina.com/images/**********
It is saved on the local hard drive under:
   • %WINDIR%\eml.exe
At the time of writing this file was not online for further investigation.

The locations are the following:
   • http://localhost/**********
   • http://localhost/**********
   • http://localhost/**********
It is saved on the local hard drive under:
   • %SYSDIR%\re_file.exe
At the time of writing this file was not online for further investigation.

 Registry
The following values are removed from these registry keys, so that the programs they start (security products among them) no longer run at logon:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

The following registry value is added, so that the worm is started at every logon:

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "erfgddfk"="%SYSDIR%\wind2ll2.exe"
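The registry behaviour above (a batch of security-product autorun values deleted, then the worm's own Run value written) is a usable detection pattern on hosts that log registry telemetry. The following is an added example for this page, not Avira's code: it replays constructed Sysmon-style records (Event ID 12 with EventType DeleteValue, Event ID 13 SetValue) rendered as JSON lines and flags a process that removes several of the listed values from a Run key and, within a short window, registers a Run value pointing into the system directory. The field names follow Sysmon's event schema; the sample records, process GUIDs, paths and timestamps are invented for the example, and the thresholds are tuning assumptions.

```python
"""Behavioural detection for the Run-key tampering described above.

Added example, not Avira's code. Field names follow Sysmon's registry event
schema (EventID, EventType, UtcTime, ProcessGuid, Image, TargetObject,
Details); every record below is constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Autorun value names the worm deletes (taken from the description above).
REMOVED_VALUES = {v.lower() for v in [
    "ICQ Net", "SkynetsRevenge", "KasperskyAVEng", "Norton Antivirus AV",
    "PandaAVEngine", "EasyAV", "SysMonXP", "MsInfo", "FirewallSvr", "Jammer2nd",
    "NetDy", "HtProtect", "ICQNet", "Tiny AV", "service",
    "Special Firewall Service", "Antivirus", "9XHtProtect",
    "Zone Labs Client Ex", "My AV"]}
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"  # matches HKLM and HKU\<SID>
SYSTEM_DIR = "\\system32\\"        # %SYSDIR% on the platforms listed above
MIN_DELETES = 3                    # assumption: how many AV values must vanish
WINDOW = timedelta(seconds=60)     # assumption: deletes must precede the SetValue


def run_value_name(target_object: str):
    """Return the value name if target_object lies under a ...\\CurrentVersion\\Run key."""
    t = target_object.lower()
    i = t.find(RUN_KEY)
    return None if i < 0 else t[i + len(RUN_KEY):]


def detect(lines):
    """Scan JSON-lines Sysmon records; return one alert per suspicious SetValue."""
    per_proc = defaultdict(lambda: {"image": "", "deletes": [], "sets": []})
    for line in lines:
        ev = json.loads(line)
        name = run_value_name(ev["TargetObject"])
        if name is None:
            continue                      # not an autorun key, ignore
        ts = datetime.fromisoformat(ev["UtcTime"])
        rec = per_proc[ev["ProcessGuid"]]
        rec["image"] = ev["Image"]
        if ev["EventID"] == 12 and ev.get("EventType") == "DeleteValue" \
                and name in REMOVED_VALUES:
            rec["deletes"].append((ts, name))
        elif ev["EventID"] == 13 and SYSTEM_DIR in ev.get("Details", "").lower():
            rec["sets"].append((ts, name, ev["Details"]))

    alerts = []
    for guid, rec in per_proc.items():
        for ts, name, details in rec["sets"]:
            # Distinct listed values this process deleted in the window before the write.
            removed = sorted({n for t, n in rec["deletes"] if ts - WINDOW <= t <= ts})
            if len(removed) >= MIN_DELETES:
                alerts.append({"process_guid": guid, "image": rec["image"],
                               "value": name, "details": details, "removed": removed})
    return alerts


def _ev(eid, etype, utc, guid, image, target, details=None):
    """Build one constructed Sysmon-like record as a JSON line."""
    ev = {"EventID": eid, "EventType": etype, "UtcTime": utc, "ProcessGuid": guid,
          "Image": image, "TargetObject": target}
    if details is not None:
        ev["Details"] = details
    return json.dumps(ev)


WORM = r"C:\WINDOWS\system32\wind2ll2.exe"              # %SYSDIR%\wind2ll2.exe
SETUP = r"C:\Program Files\SomeVendor\uninstall.exe"    # hypothetical benign tool
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    _ev(12, "DeleteValue", "2006-05-26 12:00:00.100", "{A1}", WORM, HKLM_RUN + r"\KasperskyAVEng"),
    _ev(12, "DeleteValue", "2006-05-26 12:00:00.150", "{A1}", WORM, HKLM_RUN + r"\Zone Labs Client Ex"),
    _ev(12, "DeleteValue", "2006-05-26 12:00:00.200", "{A1}", WORM, HKU_RUN + r"\PandaAVEngine"),
    _ev(13, "SetValue", "2006-05-26 12:00:01.000", "{A1}", WORM, HKU_RUN + r"\erfgddfk", WORM),
    # A vendor uninstaller removing one entry, then an installer writing a Run
    # value outside the system directory: neither crosses the threshold.
    _ev(12, "DeleteValue", "2006-05-26 12:05:00.000", "{B2}", SETUP, HKLM_RUN + r"\ICQ Net"),
    _ev(13, "SetValue", "2006-05-26 12:05:01.000", "{B2}", SETUP, HKLM_RUN + r"\Updater",
        r"C:\Program Files\SomeVendor\updater.exe"),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=1))
```

Sysmon only emits registry events for keys covered by a RegistryEvent rule in its configuration, so the Run keys must be included there for this logic to see anything. The per-process grouping is what keeps the rule quiet: a single deleted value or a Run entry pointing into Program Files is ordinary installer behaviour, and only the combination within one process matches the worm's sequence.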

 Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.
The addresses are generated, so do not assume that the apparent sender intended to send this email to you; that person may not know about the infection or may not be infected at all. You may also receive bounce messages telling you that you are infected, which may equally be untrue.

The subject of the email is one of the following:
   • Foto&Video; MAIL.FOTO; D-Foto; S-Foto; m-foto; foto-flower;
      foto-forum; Foto.Md; foto-bank; web-foto; VIP-foto; foto-books;
      FOTO-DIGITAL; Internet-foto; foto telephone; foto land; OK-FOTO;
      AN-FOTO; Foto-War; FOTO HOME; Foto Portal; FOTO-1; FOTO-2; FOTO-3;
      FOTO-4; All-foto; my foto

The body of the email is one of the lines:
   • Foto&Video
   • D-Foto
   • S-Foto
   • m-foto
   • foto-flower
   • foto-forum
   • Foto.Md
   • foto-bank
   • web-foto
   • VIP-foto
   • foto-books
   • Internet-foto
   • foto telephone
   • foto land
   • OK-FOTO
   • AN-FOTO
   • Foto-War
   • Foto Portal
   • FOTO-1
   • FOTO-2
   • FOTO-3
   • FOTO-4
   • All-foto
   • my foto
   • Password:
   • The password is:

 Attachment
The attachment is not a copy of the worm itself but another piece of malware.

The filename of the attachment is one of the following:
   • Ales.zip; Alice.zip; Alyce.zip; Andrew.zip; Androw.zip; Androwe.zip;
      Ann.zip; Anna.zip; Anne.zip; Annes.zip; Anthonie.zip; Anthony.zip;
      Anthonye.zip; Avice.zip; Avis.zip; Bennet.zip; Bennett.zip;
      Christean.zip; Christian.zip; Constance.zip; Cybil.zip; Daniel.zip;
      Danyell.zip; Dorithie.zip; Dorothee.zip; Dorothy.zip; Edmond.zip;
      Edmonde.zip; Edmund.zip; Edward.zip; Edwarde.zip; Elizabeth.zip;
      Elizabethe.zip; Ellen.zip; Ellyn.zip; Emanual.zip; Emanuel.zip;
      Emanuell.zip; Ester.zip; Frances.zip; Francis.zip; Fraunces.zip;
      Gabriell.zip; Geoffraie.zip; George.zip; Grace.zip; Harry.zip;
      Harrye.zip; Henrie.zip; Henry.zip; Henrye.zip; Hughe.zip;
      Humphrey.zip; Humphrie.zip; Isabel.zip; Isabell.zip; James.zip;
      Jane.zip; Jeames.zip; Jeffrey.zip; Jeffrye.zip; Joane.zip; Johen.zip;
      John.zip; Josias.zip; Judeth.zip; Judith.zip; Judithe.zip;
      Katherine.zip; Katheryne.zip; Leonard.zip; Leonarde.zip; Margaret.zip;
      Margarett.zip; Margerie.zip; Margerye.zip; Margret.zip; Margrett.zip;
      Marie.zip; Martha.zip; Mary.zip; Marye.zip; Michael.zip; Mychaell.zip;
      Nathaniel.zip; Nathaniell.zip; Nathanyell.zip; Nicholas.zip;
      Nicholaus.zip; Nycholas.zip; Peter.zip; Ralph.zip; Rebecka.zip;
      Richard.zip; Richarde.zip; Robert.zip; Roberte.zip; Roger.zip;
      Rose.zip; Rycharde.zip; Samuell.zip; Sara.zip; Sidney.zip;
      Sindony.zip; Stephen.zip; Susan.zip; Susanna.zip; Suzanna.zip;
      Sybell.zip; Sybyll.zip; Syndony.zip; Thomas.zip; Valentyne.zip;
      William.zip; Winifred.zip; Wynefrede.zip; Wynefreed.zip;

 Mailing
Address generation for the FROM field:
To generate addresses it uses the following strings:
   • Ales; Alice; Alyce; Andrew; Androw; Androwe; Ann; Anna; Anne; Annes;
      Anthonie; Anthony; Anthonye; Avice; Avis; Bennet; Bennett; Christean;
      Christian; Constance; Cybil; Daniel; Danyell; Dorithie; Dorothee;
      Dorothy; Edmond; Edmonde; Edmund; Edward; Edwarde; Elizabeth;
      Elizabethe; Ellen; Ellyn; Emanual; Emanuel; Emanuell; Ester; Frances;
      Francis; Fraunces; Gabriell; Geoffraie; George; Grace; Harry; Harrye;
      Henrie; Henry; Henrye; Hughe; Humphrey; Humphrie; Isabel; Isabell;
      James; Jane; Jeames; Jeffrey; Jeffrye; Joane; Johen; John; Josias;
      Judeth; Judith; Judithe; Katherine; Katheryne; Leonard; Leonarde;
      Margaret; Margarett; Margerie; Margerye; Margret; Margrett; Marie;
      Martha; Mary; Marye; Michael; Mychaell; Nathaniel; Nathaniell;
      Nathanyell; Nicholas; Nicholaus; Nycholas; Peter; Ralph; Rebecka;
      Richard; Richarde; Robert; Roberte; Roger; Rose; Rycharde; Samuell;
      Sara; Sidney; Sindony; Stephen; Susan; Susanna; Suzanna; Sybell;
      Sybyll; Syndony; Thomas; Valentyne; William; Winifred; Wynefrede;
      Wynefreed; Wynnefreede
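Taken together, the Email and Mailing sections above give a mail gateway enough to score a message without opening the archive. The following is an added example for this page, not Avira's code: it parses a raw message with Python's standard email library and checks four of the indicators listed above (a subject from the "foto" list, a body line announcing a password, a .zip attachment named with one of the first names, and a spoofed sender whose local part is one of those names), then requires several of them to coincide, since a sender called "alice" is not suspicious on its own. Only a subset of the name list is embedded; the two sample messages are constructed for the example and are not real captures, and the hit threshold is an assumption.

```python
"""Gateway triage against the message template described above.

Added example, not Avira's code. Indicator lists come from the description;
NAMES holds only a subset of the page's first-name list. Sample messages are
constructed here and contain no real archive.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECTS = {s.lower() for s in [
    "Foto&Video", "MAIL.FOTO", "D-Foto", "S-Foto", "m-foto", "foto-flower",
    "foto-forum", "Foto.Md", "foto-bank", "web-foto", "VIP-foto", "foto-books",
    "FOTO-DIGITAL", "Internet-foto", "foto telephone", "foto land", "OK-FOTO",
    "AN-FOTO", "Foto-War", "FOTO HOME", "Foto Portal", "FOTO-1", "FOTO-2",
    "FOTO-3", "FOTO-4", "All-foto", "my foto"]}
PASSWORD_PREFIXES = ("password:", "the password is:")
NAMES = {n.lower() for n in [  # subset of the list above; extend from the page
    "Ales", "Alice", "Anthony", "Daniel", "Elizabeth", "George", "John",
    "Katherine", "Peter", "Richard", "Thomas", "William"]}
MIN_HITS = 3  # assumption: how many indicators must coincide for a verdict


def score_message(raw: bytes) -> dict:
    """Return each indicator's hit plus a verdict; the attachment is never opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    hits["subject"] = (msg["subject"] or "").strip().lower() in SUBJECTS
    local_part = parseaddr(msg["from"] or "")[1].split("@")[0].lower()
    hits["sender_name"] = local_part in NAMES
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits["password_line"] = any(
        ln.strip().lower().startswith(PASSWORD_PREFIXES) for ln in text.splitlines())
    hits["zip_named_attachment"] = False
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if ext == "zip" and stem in NAMES:
            hits["zip_named_attachment"] = True
    hits["verdict"] = sum(hits.values()) >= MIN_HITS
    return hits


def build_message(sender, subject, body, attachment_name=None) -> bytes:
    """Assemble a constructed test message (placeholder bytes, not a real archive)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "someone@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"PK\x03\x04 placeholder bytes", maintype="application",
                         subtype="zip", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: one shaped like the worm's template, one ordinary mail.
WORM_SAMPLE = build_message("John@example.com", "Foto&Video",
                            "The password is:\n", "Alice.zip")
BENIGN_SAMPLE = build_message("alice@example.net", "Holiday photos",
                              "Here are the pictures from Saturday.\n", "photos.zip")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(raw))
```

The body lines "Password:" and "The password is:" indicate that the recipient is expected to open the archive with a password, which is exactly what a gateway scanner cannot do without the key; hence the score relies on envelope and text characteristics only. The same structure extends to the remaining indicators on the page, such as a sender address whose local part matches the attachment's file stem, or a recipient that the worm's own avoid-list would have skipped.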

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @eerswqe; @derewrdgrs; @microsoft; rating@; f-secur; news; update;
      anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@;
      noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux;
      listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip;
      google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.;
      noreply; local; root@; postmaster@

MX server:
It does not use the standard MX server.
It is also able to send through the following mail server:
   • smtp.mail.ru

 Process termination
It tries to terminate the following processes and delete the corresponding files:
   • 1t1epad.exe
   • t1es1t.exe

 Backdoor
The following port is opened:

   • %SYSDIR%\wind2ll2.exe listens on TCP port 80 in order to provide a proxy server.

 Miscellaneous
It creates the following mutexes:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • ____--->>>>U<<<<--____
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

 File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Irina Boldea on Friday, 26 May 2006
Description updated by Irina Boldea on Monday, 29 May 2006
