08/10/04 - W32/Bagle.ad@MM spreads via e-mail. It follows the routine below:
The risk assessment of this threat has been upgraded to Low-Profiled due to media attention at:
http://news.zdnet.co.uk/internet/security/0,39020375,39159596,00.htm
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image).
contains a remote access component (a notification is sent to the attacker)
copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.
the sample is packed with the UPX runtime compressor.
Note: The worm carries its own source code (assembler) in its body, encrypted. When mass-mailing itself, the worm may also include a copy of the source code (within a ZIP archive, SOURCES.ZIP). Further trivial variants based on this source are therefore likely. Though various differences may be expected, the following parameters are the easiest, and so the most likely, to be modified:
port number used by backdoor
backdoor password
date of 'expiry'
Mail Propagation
The details are as follows:
From : (address is spoofed)
Subject :
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Body Text: Various message bodies are used, in some cases containing the password for an encrypted attachment (either in plaintext, or within an image).
Attachment:
The following filenames are used:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
using one of the following extensions:
Script dropper - using one of the following file extensions:
HTA
VBS
Executable, using one of the following file extensions:
exe
scr
com
cpl
Executable dropper: a CPL file with the .CPL file extension.
If the attachment is a ZIP file, the archive may be encrypted (password protected). The password is contained in the message body (plaintext or image).
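As an added illustration (not part of the advisory, and not McAfee's own tooling), the following Python script applies the indicators listed under Mail Propagation and Attachment above to a raw e-mail message: a listed subject line, a listed attachment base name combined with a script, executable or ZIP extension, a password mentioned in the body text, and a ZIP whose entries carry the encryption flag or an executable extension. The ZIP is examined from its headers only, nothing is extracted. The message, the attachment and the archive are constructed inline for the run; the addresses and the archive password are placeholders, and the "encrypted" ZIP is a stored archive with only its flag bit set.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines, attachment base names and extensions quoted in the advisory above.
SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
}
BASENAMES = {"information", "details", "text_document", "updates", "readme",
             "document", "info", "moreinfo", "message"}
SCRIPT_EXT = {".hta", ".vbs"}
EXEC_EXT = {".exe", ".scr", ".com", ".cpl"}
RISKY_EXT = SCRIPT_EXT | EXEC_EXT | {".zip"}


def split_name(filename):
    """Return (lower-cased base name, lower-cased extension including the dot)."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return base.lower(), "." + ext.lower()


def zip_findings(data):
    """Inspect a ZIP attachment from its central directory only; nothing is extracted."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a ZIP but is not a valid archive"]
    findings = []
    for zi in zf.infolist():
        _, ext = split_name(zi.filename)
        if zi.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
            findings.append(f"encrypted entry {zi.filename}")
        if ext in SCRIPT_EXT | EXEC_EXT:
            findings.append(f"executable entry {zi.filename}")
    return findings


def assess(raw_bytes):
    """Return the list of advisory traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject {subject!r} is one of the listed subject lines")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if re.search(r"\bpassword\b", text, re.IGNORECASE):
        reasons.append("body text mentions a password")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, ext = split_name(name)
        if base in BASENAMES and ext in RISKY_EXT:
            reasons.append(f"attachment {name!r} uses a listed base name with a risky extension")
        if ext == ".zip":
            reasons.extend(zip_findings(part.get_payload(decode=True)))
    return reasons


def make_flagged_zip(inner_name, payload):
    """Constructed test data: a stored ZIP whose 'encrypted' flag bit is set in both
    the local header (flags at offset 6) and the central header (flags at offset 8),
    so a header scan sees it as password protected. The content is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, payload)
    data = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_sample(subject="Re: Thank you!", with_attachment=True):
    """Constructed message in the shape the advisory describes (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    if with_attachment:
        msg.set_content("See the attached document. Archive password: 12345")
        msg.add_attachment(make_flagged_zip("Details.exe", b"MZ" + b"\0" * 16),
                           maintype="application", subtype="zip", filename="Details.zip")
    else:
        msg.set_content("Minutes from today's meeting are in the wiki.")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in assess(build_sample()):
        print("-", reason)
```

Each trait is reported separately so a gateway can weight them; a listed subject line on its own is weak evidence, whereas a listed base name on a ZIP whose entries are flagged encrypted and carry an executable extension is the combination the advisory describes.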
More info on this worm:
http://vil.nai.com/vil/content/v_126562.htm
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_126562.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger