Virus: Worm/Bagle.FR
Date discovered: 2006-03-01
Type: Worm
Included in the "In The Wild" list: Yes
Damage level: Medium
Distribution level: Medium
Risk level: Low
Static file: No
Size: ~21,000 bytes
VDF version: 6.33.01.40
Means of transmission:
• E-mail
Alias:
• Symantec: W32.Beagle.DW@mm
• McAfee: W32/Bagle.gen!Sality
• Kaspersky: Email-Worm.Win32.Bagle.fr
• TrendMicro: WORM_BAGLE.DF
• Sophos: W32/Bagle-DM
Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Uses its own e-mail engine
• Modifies the Windows registry
Files
It copies itself to the following location:
• %SYSDIR%\windll32lib.exe
It also copies itself to the following locations. Extra characters are appended to the file name so that the copies differ from the original:
• %SYSDIR%\windll32lib.exeopen
• %SYSDIR%\windll32lib.exeopenopen
The following file is created:
– Non-malicious file:
• %WINDIR%\vcremoval.dll
It tries to download a file:
– From the following locations (the file name is masked in the original description):
• http://www.amanit.ru/**********
• http://www.anthonyflanagan.com/**********
• http://www.approved1stmortgage.com/**********
• http://www.argument.h12.ru/**********
• http://www.arkebek.de/**********
• http://www.artek.org/**********
• http://www.asianfestival.nl/**********
• http://www.astergut.at/**********
• http://www.aviation-center.de/**********
• http://www.bbsh.org/**********
• http://www.besino.com/**********
• http://www.bestbuy.de/**********
• http://www.beta.mtw.ru/**********
• http://www.bga-gsm.ru/**********
• http://www.blessino.com/**********
• http://www.blueeyeinc.com/**********
• http://www.breaklight.be/**********
• http://www.brzesko.net.pl/**********
• http://www.catsystem.com.kg/**********
• http://www.cdnpartner.com.pl/**********
• http://www.ceskyhosting.cz/**********
• http://www.channeland.com/**********
• http://www.compsolutionstore.com/**********
• http://www.concept.kg/**********
• http://www.corpsite.com/**********
• http://www.couponcapital.net/**********
• http://www.DarrkSydebaby.com/**********
• http://www.dehut-westerhoven.nl/**********
• http://www.dhl.kg/**********
• http://www.dierollendedisco.de/**********
• http://www.discobaradventure.be/**********
• http://www.e-nfo.com/**********
• http://www.e-power.com.cn/**********
• http://www.ecobank.kg/**********
• http://www.elenalazar.com/**********
• http://www.epicbiz.com/**********
• http://www.europa.kg/**********
• http://www.everett.wednet.edu/**********
• http://www.externet.hu/**********
• http://www.forester.kg/**********
• http://www.fotocliparts.de/**********
• http://www.fotonw.org/**********
• http://www.freesites.com.br/**********
• http://www.funbunker.de/**********
• http://www.funworld.tv/**********
• http://www.gameser.com@share.gameser.com/**********
• http://www.gci-bln.de/**********
• http://www.gcnet.ru/**********
• http://www.giantrevenue.com/**********
• http://www.himpsi.org/**********
• http://www.i3dvr.com/**********
• http://www.ibigmart.net/**********
• http://www.idb-group.net/**********
• http://www.illusionoflife.net/**********
• http://www.infocuspromo.com/**********
• http://www.irinaswelt.de/**********
• http://www.jansenboiler.com/**********
• http://www.jasnet.pl/**********
• http://www.jcribeiro.com/**********
• http://www.jewelleryamberproducts.com/**********
• http://www.jimvann.com/**********
• http://www.jldr.ca/**********
• http://www.jordanramey.net/**********
• http://www.joy-musik-sound.de/**********
• http://www.justrepublicans.com/**********
• http://www.katel.kg/**********
• http://www.knicks.nl/**********
• http://www.koebers.pl/**********
• http://www.kogaionon.com/**********
• http://www.kplus.kg/**********
• http://www.kradtraining.de/**********
• http://www.kranenberg.de/**********
• http://www.kranenberg.de:113547@/**********
• http://www.kstrus.com.pl/**********
• http://www.ktsonline.de/**********
• http://www.lahelaino.com/**********
• http://www.lawform.com.au/**********
• http://www.leetexgroup.com/**********
• http://www.leshrak.de/**********
• http://www.leshrak.de:prophets@/**********
• http://www.logoseiten.de/**********
• http://www.magicbottle.com.tw/**********
• http://www.mcuserver.cz/**********
• http://www.mega-spass.com/**********
• http://www.mega.kg/**********
• http://www.mepbisu.de/**********
• http://www.mepmh.de/**********
• http://www.mtfdesign.com/**********
• http://www.mtransit.kg/**********
• http://www.neotech.kg/**********
• http://www.nikonfotoshare.com/**********
• http://www.novosti.kg/**********
• http://www.ok.kg/**********
• http://www.onepositiveplace.org/**********
• http://www.online.kg/**********
• http://www.orangesuburban.5u.com/**********
• http://www.otv.ch/**********
• http://www.pageantpage.com/**********
• http://www.pankration.com/**********
• http://www.para-agility.com/**********
• http://www.pdxracing.net/**********
• http://www.pfadfinder-leobersdorf.com/**********
• http://www.pipni.cz/**********
• http://www.pjwstk.edu.pl/**********
• http://www.polizeimotorrad.de/**********
• http://www.proway-consulting.com/**********
• http://www.pugetsoundyc.org/**********
• http://www.pyrlandia-boogie.pl/**********
• http://www.qphoto.co.za/**********
• http://www.raecoinc.com/**********
• http://www.realgps.com/**********
• http://www.realty.kg/**********
• http://www.redlightpictures.com/**********
• http://www.reliance-yachts.com/**********
• http://www.relocationflorida.com/**********
• http://www.rentalstation.com/**********
• http://www.rieraquadros.com.br/**********
• http://www.roaming.kg/**********
• http://www.sacohalle.be/**********
• http://www.scanex-medical.fi/**********
• http://www.scoping4success.com/**********
• http://www.sert.ru/**********
• http://www.sigi.lu/**********
• http://www.spadochron.pl/**********
• http://www.ssc.kg/**********
• http://www.ssmifc.ca/**********
• http://www.stadtmeyers.de/**********
• http://www.stadtmeyers.de:R2D2c3po@/**********
• http://www.sterlingirb.com/**********
• http://www.sunassetholdings.com/**********
• http://www.szantomierz.art.pl/**********
• http://www.szosa.pl/**********
• http://www.tambourenvereine.ch/**********
• http://www.tarnow.opoka.org.pl/**********
• http://www.tc-muraene.com/**********
• http://www.tc-muraene.com:hunter@/**********
• http://www.theroyalregistry.com/**********
• http://www.transportation.gov.bh/**********
• http://www.tumar.kg/**********
• http://www.tunguska.hu/**********
• http://www.turkeyhomes.com/**********
• http://www.turkeyhomes.com@/**********
• http://www.ulpiano.org/**********
• http://www.unicity.pl/**********
• http://www.vbw.info/**********
• http://www.velezcourtesymanagement.com/**********
• http://www.vorrix.com/**********
• http://www.webpark.pl/**********
• http://www.wecompete.com/**********
• http://www.wp.pl/**********
• http://www.wwwebad.com/**********
• http://www.xpager321.wz.cz/**********
• http://www.yamdiamonds.com/**********
• http://www.zander-yachting.com/**********
Registry (Windows registry)
The following value is added so that the process is run again after a reboot:
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "winshell"="%SYSDIR%\windll32lib.exe"
E-mail
It contains an integrated SMTP engine for sending e-mails. A direct connection is established with the destination server. The e-mails have the following characteristics:
From: The sender address is spoofed.
To: – E-mail addresses found in specific files on the system.
Subject: One of the following:
• Phshing is illigal
• Where did you learn to scam?
• You are a criminal and will be busted!
• You steal from innocent people
Body: – Contains HTML code. The body of the e-mail is one of the following (quoted verbatim, including the worm's own spelling):
• Dude, I found your email from whois info of a web page that was used in spam and illigal activity, please do something or you will be sued and busted. Was very dumb to leave your email, asshole! P.S Attached file is self-exatracting archive with information about your criminal activity.
• Hey pal. Do you know, that your webpage paypalll.comprovides a phishing attack? Open attached file for a proof hmmmm it's quite nice, but I think that cops would be interested in it. So my friend. take the page away and put a Appologize on it. Or the Police will hear from me. Cya my friend
• Hi! Just to inform you that your email is used by a spamer who intends to steal bank account information thru a fake site. If you are not involded, I can bring you additionnal information. Check attached file for a proof. If you are, you're a little son of a bitch.
Attachment: The attachment has one of the following file names:
• your_info.exe
• whois_info.exe
• myscreenshot.exe
• scam.exe
• proof.exe
Mailing
Address harvesting: It searches for e-mail addresses in files with the following extensions:
• .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml; .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls; .oft; .uin; .cgi; .mht; .dhtm; .jsp
P2P
It searches for directories whose name contains the following text:
• share
If successful, the following files are created there:
• anna benson sex video.exe
• kate beckinsale nude pictures.exe
• jenna elfman sex anal deepthroat.exe
• miss america Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• barrett jackson nude photos, movies, porn video.exe
• Britney Spears sex photos.exe
• paris hilton Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 10.exe
• Windown Vista Beta Leak.exe
• IE beta 7.exe
• Serials 2005 database.exe
• XXX hardcore images.exe
• Adobe Photoshop 9 full.exe
Description added by Alexander Vukcevic on Wed, 01 Mar 2006 08:22 (GMT+1)
Description added by Alexander Vukcevic on Mon, 06 Mar 2006 08:32 (GMT+1)
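The indicators from the Files, Registry, E-mail and P2P sections above, turned into an offline sweep a responder could run against collected artefacts. This is an added example, not code from the Avira description or from the worm itself. It assumes simple input shapes (a list of %SYSDIR% file names, the Run key as a name-to-data dict, mail messages as subject/attachment dicts, and full paths for share-folder files); all sample data is constructed. It goes slightly beyond the page in two places, flagging any executable attachment and any double-extension file in a share folder rather than only the exact names listed.

```python
import re

# Added example, not Avira's code.  Input shapes (plain %SYSDIR% file names,
# a {value_name: data} dict for the Run key, dicts with 'subject' and
# 'attachment' for mail, full paths for share folders) are assumptions of
# this example; every sample below is constructed, not captured data.

# Indicators taken from the description: self-copies are windll32lib.exe
# with zero or more "open" suffixes; the Run value is named "winshell".
DROPPED_FILE_RE = re.compile(r"^windll32lib\.exe(open)*$", re.IGNORECASE)
RUN_VALUE_NAME = "winshell"
RUN_DATA_RE = re.compile(r"\\windll32lib\.exe$", re.IGNORECASE)
SUBJECTS = {
    "Phshing is illigal",
    "Where did you learn to scam?",
    "You are a criminal and will be busted!",
    "You steal from innocent people",
}
ATTACHMENTS = {"your_info.exe", "whois_info.exe", "myscreenshot.exe",
               "scam.exe", "proof.exe"}
# Generalisation beyond the listed names: any executable attachment, and
# any double-extension lure in a share folder, is flagged as well.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")
DOUBLE_EXT_RE = re.compile(r"\.(txt|doc|xls|jpg|pdf)\.(exe|scr)$", re.IGNORECASE)


def scan_sysdir(listing):
    """File names in a %SYSDIR% listing that match the self-copy pattern."""
    return [name for name in listing if DROPPED_FILE_RE.match(name)]


def scan_run_key(run_values):
    """Run-key entries that start the worm: the documented value name, or any
    value whose data points at windll32lib.exe (renaming the value does not
    evade the check)."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or RUN_DATA_RE.search(data.strip('"')):
            hits.append(f"{name}={data}")
    return hits


def scan_mail(messages):
    """(index, reasons) for every message matching the worm's mail traits."""
    findings = []
    for i, msg in enumerate(messages):
        reasons = []
        if msg.get("subject", "") in SUBJECTS:
            reasons.append("known-subject")
        att = (msg.get("attachment") or "").lower()
        if att in ATTACHMENTS:
            reasons.append("known-attachment")
        elif att.endswith(EXECUTABLE_EXT):
            reasons.append("executable-attachment")
        if reasons:
            findings.append((i, reasons))
    return findings


def scan_share_dirs(paths):
    """Executables inside any directory whose name contains 'share', the
    worm's P2P drop target; double extensions are reported separately."""
    hits = []
    for path in paths:
        *dirs, name = path.replace("\\", "/").split("/")
        if not any("share" in d.lower() for d in dirs):
            continue
        if DOUBLE_EXT_RE.search(name):
            hits.append((path, "double-extension"))
        elif name.lower().endswith(EXECUTABLE_EXT):
            hits.append((path, "executable"))
    return hits


# Constructed sample input.
SAMPLE_SYSDIR = ["kernel32.dll", "windll32lib.exe", "windll32lib.exeopenopen",
                 "windll32.exe"]
SAMPLE_RUN = {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
              "winshell": "C:\\WINDOWS\\system32\\windll32lib.exe"}
SAMPLE_MAIL = [
    {"subject": "Re: meeting notes", "attachment": "agenda.pdf"},
    {"subject": "Phshing is illigal", "attachment": "proof.exe"},
    {"subject": "Invoice", "attachment": "Serials 2005 database.exe"},
]
SHARE = "C:\\Program Files\\KaZaA\\My Shared Folder\\"
SAMPLE_SHARE = [SHARE + "Serials.txt.exe", SHARE + "Porno Screensaver.scr",
                SHARE + "song.mp3", "C:\\Users\\bob\\Documents\\proof.exe"]

if __name__ == "__main__":
    for result in (scan_sysdir(SAMPLE_SYSDIR), scan_run_key(SAMPLE_RUN),
                   scan_mail(SAMPLE_MAIL), scan_share_dirs(SAMPLE_SHARE)):
        print(result)
```

The Run-key check deliberately matches on the data as well as the value name: the name "winshell" is the documented indicator, but a variant only has to rename the value to slip past a name-only rule, whereas the dropped binary's path is harder to change without also changing the file indicators. The share-folder check looks for "share" as a substring of any directory component, which is what the description says the worm does, so a KaZaA "My Shared Folder" matches without being listed explicitly.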