需要修復電腦?
聘請專家
Alias:WORM_BAGLE.AB, W32/Bagle.ab@mm
Type:Worm 
Size:~67 kB 
Origin: 
Date:07-06-2004 
Damage:Sent by email 
VDF Version:6.26.00.14 
Danger:Low 
Distribution:Medium 

General DescriptionAffected Operating Systems:
Microsoft Windows 9x/ME/NT/2000/XP/Server 2003

DistributionWorm/Bagle.ab searches the system for email addresses, having one of the following extensions:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The worm uses its own SMTP Engine. An email sent by Worm/Bagle.ab has the following structure:

Subject: (one of the following lines)

Changes..
Encrypted document
Fax Message
Forum notify
Incoming message
Notification
Protected message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Re: Msg reply
RE: Protected message
RE: Text message
Re: Thank you!
Re: Thanks :)
Re: Yahoo! Site changes Update
Body: (one of the following lines)
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Here is the file.
Message is in attach
More info is in attach
Pay attention at the attach.
Please, have a look at the attached file.
Please, read the document.
Read the attach. See attach.
See the attached file for details.
Your document is attached.
Your file is attached.
Attachment: (one of the following files)
Information
Details
text_document
Updates
Readme
Document
Info M
oreInfo
Message
The attachment has one of the following extensions:
.hta
.vbs
.exe
.scr
.com
.cpl
.zip

Worm/Bagle.ab has a backdoor component, which communicates over TCP Port 1234.

Technical DetailsAttention: Worm/Bagle.ab has an identical functionality with Worm/Bagle.ad...
When activated, Worm/Bagle.ab shows the a window:

Title: Error!

Text: Can't find viewer associated with the file

The worm generates 7 different Mutexes to hinder Worm/NetSky activity:

[SkyNet.cz]SystemsMutex AdmSkynetJklS003 _--->>>>U<<<<--____ _-
oO]xX|-S-k-y-N-e-t-|Xx[Oo-_'D'r'o'p'p'e'd'S'k'y'N'e't' -oOaxX|-+S+-+k+-+y+-
+N+-+e+-+t+-|XxKOo-_ MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

It deletes the following application keys from Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

containing one of the following strings:

"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"

Worm/Bagle.ab creates the following files:

%SystemDIR%\loader_name.exe
%SystemDIR%\loader_name.exeopen
%SystemDIR%\loader_name.exeopenopen

and the following entry in Windows Registry:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"reg_key" = "%System%\loader_name.exe"

The worm copies itself in all directories containing the string "Shar", with the
following file names:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二

返回 . . . .
https:// 為了你的安全,此視窗已加密。