03/19/04 - W32/Bagle.Q
This W32/Bagle variant bears the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- This virus spreads by sending a seemingly blank email. This email uses a Microsoft vulnerability found in security bulletin MS03-032 to download the worm on port 81 without requiring user intervention/action
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- encrypted polymorphic parasitic file infector
Proactive Detection
This virus is detected as a trojan or variant New Malware.b when scanning with the 4339 DATs or greater, with program heuristics and the scanning of compressed files enabled.
Parasitically infected files are detected as virus or variant W32/Bagle with the 4338 DATs (or greater).
The script components that are downloaded (via previewing the email message) are detected as VBS/Psyme with the 4306 DATs or greater.
Infection Mechansim
Emails are constructed to take advantage of the Object Tag vulnerability in Internet Explorer. Thus upon viewing an email, a remote HTML file is downloaded from port 81 of a remote machine.
The HTML file drops a VBS script (Q.VBS), which is responsible for downloading the worm (as SM.EXE ) from a remote machine (port 81). The script then runs SM.EXE.
Mail Propagation
The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification.
NOTE: The virus has the ability to propagate via email containing hidden HTML code. The message would appear to be blank upon previewing it. These emails do not contain a binary attachment, but utilize a known Microsoft vulnerability to download the virus from the remote sites.
The details are as follows:
From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)
- management@
- administration@
- staff@
- noreply@
- support@
- antivirus@
- antispam@
Subject:
- Password: %s
- Pass - %s
- Password - %s
- E-mail account security warning.
- Notify about using the e-mail account.
- Warning about your e-mail account.
- Important notify about your e-mail account.
- Email account utilization warning.
- E-mail technical support message.
- E-mail technical support warning.
- Email report
- Important notify
- Account notify
- E-mail warning
- Notify from e-mail technical support.
- Notify about your e-mail account utilization.
- E-mail account disabling warning.
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- Re: Incoming Fax
- Hidden message
- Fax Message Received
- Protected message
- RE: Protected message
- Forum notify
- Request response
- Site changes
- Re: Hi
- Encrypted document
Attachment: (no attachment)
The worm uses the Object Tag vulnerability in Internet Explorer, which allows for the writing and overwriting of local files by exploiting the ADODB.Stream object. A remote file ( random_name.php ) is downloaded upon viewing the email message. This file is actually a HTML file containing a VBS script, and it is detected as VBS/Psyme with the 4306 DATs or greater. When run, this script creates another VBS script (Q.VBS) - again detected as VBS/Psyme - which is responsible for downloading the worm from one of the following IP addresses.
More info on this worm:
http://vil.nai.com/vil/content/v_101108.htm Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_101108.htm Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger |
