08/10/04 - W32/Bagle.ag@MM spreads via e-mail. Its behaviour is described below:
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment can be a password-protected zip file, with the password included in the message body.
contains a remote access component (notification is sent to hacker)
copies itself to folders whose names contain the string "shar" (typically the shared folders of peer-to-peer applications such as KaZaa, Bearshare and Limewire)
shuts down security programs
Mail Propagation
The details are as follows:
From : (address is spoofed)
Subject : one of the following (%s stands for a string filled in by the worm):
Password: %s
Pass - %s
Key - %s
Re:
Re:
foto3
fotogalary
fotoinfo
Lovely animals
Animals
Predators
The snake
Screen
Body Text: (blank)
Attachment: one of the following names, with extension .EXE, .SCR, .COM, .ZIP or .CPL:
foto3
foto2
foto1
Secret
Doll
Garry
Cat
Dog
Fish
Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:
.ini
.cfg
.txt
.vxd
.def
.dll
These files contain only random garbage characters.
The worm copies itself into the Windows System directory as sys_xp.exe. For example:
C:\WINNT\SYSTEM32\sys_xp.exe
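The mail characteristics above (subject list, attachment names and extensions, blank body, password-protected ZIP carrying an executable plus a random-named filler file) are the kind of indicators a mail gateway can check for. The following Python script is an added example, not code from the advisory or from McAfee: it parses an RFC 822 message with the standard library, inspects any ZIP attachment, and returns the list of Bagle.ag indicators found. The two sample messages at the bottom are constructed for the demonstration; no real worm sample is involved.

```python
"""Mail-gateway style check for the W32/Bagle.ag@MM indicators listed above.

Indicator lists (subjects, attachment names, extensions) come from the advisory
text; the sample messages at the bottom are constructed for the demo.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines listed in the advisory. The first three carry a variable
# string (%s in the advisory), so they are matched as prefixes.
SUBJECT_PREFIXES = ("Password: ", "Pass - ", "Key - ")
SUBJECTS_EXACT = {
    "Re:", "foto3", "fotogalary", "fotoinfo", "Lovely animals",
    "Animals", "Predators", "The snake", "Screen",
}
# Attachment base names and extensions listed in the advisory.
ATTACH_NAMES = {"foto3", "foto2", "foto1", "Secret", "Doll", "Garry", "Cat", "Dog", "Fish"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".zip", ".cpl"}
# Extensions of the random-named filler file inside the password-protected ZIP.
FILLER_EXTS = {".ini", ".cfg", ".txt", ".vxd", ".def", ".dll"}
EXEC_EXTS = {".exe", ".scr", ".com", ".cpl"}


def _split_name(filename):
    """Return (stem, lowercase extension) for a filename such as 'foto3.ZIP'."""
    if "." not in filename:
        return filename, ""
    stem, ext = filename.rsplit(".", 1)
    return stem, "." + ext.lower()


def zip_indicators(data):
    """Inspect a ZIP attachment: executable member, filler member, encryption flag."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    members = zf.infolist()
    exts = {_split_name(m.filename)[1] for m in members}
    if exts & EXEC_EXTS:
        hits.append("zip contains executable")
    if len(members) >= 2 and exts & FILLER_EXTS:
        hits.append("zip contains second filler file")
    if any(m.flag_bits & 0x1 for m in members):  # general-purpose bit 0 = encrypted entry
        hits.append("zip is password-protected")
    return hits


def bagle_ag_indicators(raw_message):
    """Return the list of Bagle.ag indicators found in one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS_EXACT or subject.startswith(SUBJECT_PREFIXES):
        hits.append("subject matches worm list")
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not body.get_content().strip():
        hits.append("body is blank")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = _split_name(name)
        if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            hits.append("attachment name matches worm list: " + name)
        if ext == ".zip":
            hits.extend(zip_indicators(part.get_payload(decode=True)))
    return hits


def _build_sample_zip():
    """Constructed ZIP resembling the worm's layout: a .exe plus a random-named .txt of junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto3.exe", b"MZ-not-a-real-executable")
        zf.writestr("qwxkz.txt", b"\x9a\x3f\x11garbage")
    return buf.getvalue()


def build_sample_message(subject, filename, payload, body=""):
    """Constructed message with one attachment, for demonstration only."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


WORM_LIKE = build_sample_message("Password: 12345", "foto3.zip", _build_sample_zip())
BENIGN = build_sample_message("Quarterly report", "report.pdf", b"%PDF-1.4 ...", body="See attached.")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, "->", bagle_ag_indicators(raw) or "no indicators")
```

The constructed ZIP is not encrypted (the standard library cannot write password-protected archives), so the encryption check only fires on real samples; the remaining indicators alone are enough to quarantine the worm-like message while the benign one passes clean.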
More info on this worm:
http://vil.nai.com/vil/content/v_126795.htm
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_126795.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger