03/08/04 - Bagle.P
This Bagle variant is bears the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- encrypted polymorphic parasitic file infector
Proactive Detection
This virus is detected as a trojan or variant New Malware.b when scanning with the 4335 DATs or greater, with program heuristics and the scanning of compressed files enabled.
Parasitically infected files, are detected as virus or variant W32/Bagle.n with the 4337 DATs or greater.
Mail Propagation
The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification. The details are as follows:
From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)
- management@
- administration@
- staff@
- noreply@
- support@
- antivirus@
- antispam@
Subject:
- Password: %s
- Pass - %s
- Password - %s
- E-mail account security warning.
- Notify about using the e-mail account.
- Warning about your e-mail account.
- Important notify about your e-mail account.
- Email account utilization warning.
- E-mail technical support message.
- E-mail technical support warning.
- Email report
- Important notify
- Account notify
- E-mail warning
- Notify from e-mail technical support.
- Notify about your e-mail account utilization.
- E-mail account disabling warning.
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- Re: Incoming Fax
- Hidden message
- Fax Message Received
- Protected message
- RE: Protected message
- Forum notify
- Request response
- Site changes
- Re: Hi
- Encrypted document
Body text:
Greeting -
- Dear user of %s ,
- Dear user of %s e-mail server gateway,
- Dear user of " %s " mailing server,
- Dear user of " %s " mailing domain,
- Dear user of " %s " domain,
- Dear user of e-mail server " %s ",
- Hello user of %s e-mail server,
- Dear user of " %s " mailing system,
- Dear user, the management of %s
(Where %s is the user's domain is chosen from the To: address. For example the user's domain for user@mail.com would be "mail.com")
Main body -
- mailing system wants to let you know that, Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.
- Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your
account information.
- We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
- Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
- Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
- Read the attach.
- Your file is attached.
- More info in attach
- See attach.
- Follow the wabbit.
- Find the white rabbit.
- Please, have a look at the attached file.
- See the attached file for details.
- Message is in attach
- Here is the file.
- For more information see the attached file.
- Further details can be obtained from attached file.
- Advanced details can be found in attached file.
- For details see the attach.
- For details see the attached file.
- For further details see the attach.
- Please, read the attach for further details.
- Pay attention on attached file.
Password Information -
- For security reasons attached file is password protected. The password is (attached image inserted)
- For security purposes the attached file is password protected. Password -- (attached image inserted)
- Note: Use password (attached image inserted) to open archive.
- Attached file is protected with the password for security reasons. Password is (attached image inserted)
- In order to read the attach you have to use the following password: (attached image inserted)
- Archive password: (attached image inserted)
- Password - (attached image inserted)
- Password: (attached image inserted)
Closing -
- The Management,
- Sincerely,
- Best wishes,
- Yours,
- Have a good day,
- Cheers,
- Kind regards,
The %s team (where %s is the user's domain name containing a link)
Attachment The attachment is a randomly named executable, which may be stored within a ZIP or RAR file (password protected), or simply as a .PIF file. The filename may be:
- Attach
- Information
- Details
- Encrypted
- first_part
- Readme
- Document
- Info
- TextDocument
- Text
- details
- Gift
- text_document
- pub_document
- MoreInfo
- Message
The virus copies itself into the Windows System directory as using the following names For example:
- C:\WINNT\SYSTEM32\WINUPD.EXE
- C:\WINNT\SYSTEM32\winupd.exeopen
- C:\WINNT\SYSTEM32\winupd.exeopenopen
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "winupd.exe" = C:\WINNT\SYSTEM32\winupd.exe
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_101098.htm Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
More info on this worm:
http://vil.nai.com/vil/content/v_101098.htm
|
