W32.Beagle.A@mm, Win32.Bagle.Gen@mm, i-Worm.Bagle.f
~24KB (PEX packed)
Sends itself by email
This worm sends itself, like its predecessors, to email addresses found on the infected system. In addition this version tries to spread over P2P networks.
* Open TCP port 2745
* Presence of the mentioned registry entries
* Presence of the mentioned files
* Increased email traffic
* Sends itself via email using its own smtp engine
* Copies itself to P2P share folders
Worm/Bagle.F has a variable file size of ~24KB. The file is packed with PEX. The attachment of the email is in a ZIP format or it could also be an executable program type. It will copy itself into the %System% folder under the following file name:
and will create also the following files:
* go54o.exe (24,064 bytes)
* ii5nj4.exe (1,536 bytes)
* i1ru54n4.exeopen (ZIP archive ~23KB)
The worm will scan all the files having the following extensions for email addresses, and will send itself to them, using a spoofed sender address:
The worm will not send mails to the addresses containing any of the following strings:
The return address is spoofed and attachment has a random file name with the extension "zip". Zip archives are sometimes password-protected. The password randomly selected from numbers is mentioned in the email. The subject of the mail is randomly chosen from one of the following:
* ^ _ ^ meay meay!
* Bath girl
* ello! =))
* Gallery photo
* Hey, dude, it's ME ^ _ ^:P
* Hey, ya! =))
* Rear one! : -)
* Hokki =)
* My name is Frenk
* Mary Anne
* My photo
* Photo album
* Wau... beautiful (-:
* Weah, hello! : -)
* Weeeeee! ;)))
The body of the email is selected randomly from one the following:
* Argh, i don't like the plaintext :)
* Fell free to chat with me I accept all ages. Don''''t worry I don''''t bite........hope to hear from you soon!
* Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...
* Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks
* Hi! :-)
* Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!
* Hokki =)
* I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
* I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.
* I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff
* I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...
* I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.
* I love to dance, read poetry, make people laugh, and hug as many people a day as i can.
* If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.
* I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday
* I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.
* I'm married and I stay at home. And I don't do cyber sex so leave me the fuck alone
* i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
* Looking forward for a response :P
* Love the outdoors, literature, writing, and athletics
* My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.
* Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.
* Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.
* When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together
* You don t know what you ve got till it s gone *You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?
The attachment is a password-protected ZIP archive with the password mentioned on the last line of the email body:
* password for archives: <random NUMBER>
* pass: <random NUMBER>
* password: <random NUMBER>
* archive passwords: <random NUMBER>
The name of the attachment is randomly selected from one of the following names and having "exe"; "* scr" or "* zip" extension:
* Bath girl
* Mary Anne
* Photo album
The worm will try to spread also over P2P networks by copying itself in the following folders:
* %Program Files%\bearshare\
* %Program Files%bearshare\shared\
* %Program Files%Common Files\Microsoft Shared\
* %Program Files%kazaa\my shared folders\
* %Program Files%KaZaA Lite\my shared folders\
* %Program Files%morpheus\my shared folders\
by using the following names:
* ACDSee 9.exe
* Adobe Photoshop 9 full.exe
* Ahead Nero 7.exe
* Matrix 3 revolution English Subtitles.exe
* Microsoft Office 2003 Crack, Working!.exe
* Microsoft Office XP working Crack, Keygen.exe
* Microsoft Windows XP, WinXP Crack, working Keygen.exe
* Opera 8 New!.exe
* Porno pics arhive, xxx.exe
* Porno Screensaver.scr
* Porno, sex, orally, anal cool, awesome!!.exe
* WinAmp 5 pro key gene Crack Update.exe
* WinAmp 6 New!.exe
* Windown Longhorn beta Leak.exe
* Windows sourcecode update.doc.exe
* XXX hard core images.exe
In addition the following entries are added to the Windows Registry:
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run]
It will try to terminate also any of the following processes, if these are running:
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二
© 2014 Avira Operations GmbH & Co. KG. 保留所有權利.