Details
I-Worm.Bagle.as
This worm spreads via the Internet as an attachment to infected messages. It sends itself to all email addresses harvested from the victim computer. It contains a backdoor function.
The worm itself is a PE EXE file, 18758 bytes or greater in size.
Installation
Once launched, the worm copies itself to the Windows system directory under a variety of names:
Example:
C:\WINDOWS\SYSTEM32\bawindo.exe
C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
It then registers the appropriate file in the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
bawindo = %system%\bawindo.exe
This ensures that the worm will launch each time the system is rebooted.
Propagation via email
The worm searches for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
and sends itself to all email addresses harvested from these files. It establishes a direct connection to the recipient’s SMTP server in order to send messages.
Infected messages:
Sender’s address:
Random
Message header:
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks 
Attachment name:
Joke
Price
price
with one of the following extensions:
com
cpl
exe
scr
Propagation via P2P
The worm creates copies of itself in all subdirectories which contain the word ‘Share’ in their names. The copies are saved under names chosen from the following list:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
The worm opens and tracks activity on TCP and UDP port 81 in order to receive commands.
This entry was posted on Friday, December 8th, 2006 at 10:00 pm and is filed under Virus Threats.
Details
I-Worm.Bagle.ao
This worm spreads via the Internet as an attachment to infected emails, and also via file-sharing networks.
It is almost identical to I-Worm.Bagle.an.
It is compressed using PEX; the compressed file is 174924 bytes in size, and the uncompressed file is 23556 bytes in size.
Propagation via email
Infected messages:
Message header:
photo
Message body:
photo
The message body appears as an HTML page.
Attachment name:
foto.zip
fotos.zip
The attached archive is 4558 bytes in size.
Attachment contents:
foto.html
\1\calc.exe
The first file contains Exploit.CodeBaseExec.
The second file contains TrojanDropper.Win32.Small.kv, which installs TrojanDownloader.Win32.Agent.cj on the victim machine. This program then downloads the main module of the worm.
Other
File names, registry key values, remote administration functions and the routine for propagating via file-sharing networks are identical to those of I-Worm.Bagle.an.
The worm is programmed to cease functioning and to delete itself after 2nd September 2004.
This entry was posted on Friday, December 8th, 2006 at 8:00 pm and is filed under Virus Threats.
Details
I-Worm.Bagle.an
This worm spreads via the Internet as an attachment to infected emails, and also via file-sharing networks.
It is almost identical to I-Worm.Bagle.al.
It is compressed using PEX; the compressed file is 18436 bytes in size, and the uncompressed file is 24068 bytes in size.
Propagation via email
Infected messages:
Message header:
photo
Message body:
photo
The message body appears as an HTML page.
Attachment name:
foto.zip
fotos.zip
Attachment contents:
\foto\foto.html
\foto\foto\foto1.exe
The first file contains Exploit.CodeBaseExec.
The second file contains TrojanDropper.Win32.Small.kv, which installs TrojanDownloader.Win32.Agent.cj on the victim machine. This program then downloads the main module of the worm.
Remote administration
The worm opens port 82 and listens for commands. This makes it possible for the author of the worm to download and launch files on the victim machine.
Other
File names, registry key values and the routines for propagating via file-sharing networks are identical to those of I-Worm.Bagle.al.
The worm is programmed to cease functioning and to delete itself after 2nd September 2004.
This entry was posted on Friday, December 8th, 2006 at 6:00 pm and is filed under Virus Threats.
Details
I-Worm.Bagle.al
Bagle.al is a worm that spreads as an email attachment and via file sharing networks.
The worm is written in Assembler.
Bagle.al is made up of 2 main components:
A ZIP file spreading as an email attachment;
the body of the worm, which is downloaded from specified websites.
Payload
The ZIP file containing the downloader is 5932 bytes in size and contains two files:
price.html
price\price.exe
The file price.html contains a malicious script named exploit.CodeBaseExec, which automatically launches price.exe.
Price.exe is a Trojan dropper designed to install the downloader that in turn downloads the body of the worm onto the victim machine. The dropper is 14848 bytes in size. Once launched, the dropper copies itself into the Windows system directory under the name windirect.exe and creates the following system registry auto-run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="%system%\windirect.exe"
It then extracts the downloader, saves it in the Windows system directory under the name _dll.exe (11776 bytes in size) and launches it. _dll.exe terminates the following processes:
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sys_xp.exe
sysxp.exe
UPDATE.EXE
winxp.exe
Finally, the downloader attempts to download the body of the worm from one of the websites listed in _dll.exe. If the worm is successfully downloaded, the Trojan launches it.
The worm component
Bagle.al is based on the source code distributed by Bagle.aa and is 19460 bytes in size.
Installation
Once Bagle.al is launched by the downloader component, it copies itself into the Windows system directory under the name windll.exe and registers the following system registry auto-run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"erthgdr"="%system%\windll.exe"
Bagle.al creates two additional files in the Windows system folder:
windll.exeopen
windll.exeopenopen
Propagation via email
Bagle.al scans the hard drive for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
The worm uses a built-in SMTP server to mail copies of itself to all email addresses harvested from these files.
Infected emails
Subject:
none
Message body:
new price
price
The text is presented as an HTML page.
Attachment name (one of the below, chosen at random):
08_price.zip
new__price.zip
new_price.zip
newprice.zip
price.zip
price_08.zip
price_new.zip
price2.zip
Bagle.al can spread as a password-protected ZIP file, in which case the password is included in the body of the message, either as text or as an image.
Bagle.al will not send infected emails to recipients whose address contains any of the following text strings:
@avp.
@derewrdgrs
@eerswqe
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
Propagation via P2P
Bagle.al scans the hard drive for directories whose names contain the text string 'shar' and copies itself into all of them under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
Bagle.al opens port 80 on the local HTTP server allowing the controller to download and execute files on the infected machine.
Other
The worm component of Bagle.al is scheduled to stop functioning and self-destruct after August 10, 2004. However, the downloader module will remain available for possible use for an unspecified period of time.
This entry was posted on Friday, December 8th, 2006 at 4:00 pm and is filed under Virus Threats.
Details
I-Worm.Bagle.ai
This worm spreads via the Internet as an attachment to infected messages and also via P2P networks.
It is approximately 20 KB in size and packed using PEX.
Installation
Once launched, the worm copies itself to the Windows system directory as winxp.exe. It then registers this file in the system registry to ensure that this file is launched each time the system is started.
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"key"="%system%\winxp.exe"
The worm also creates the following files in the Windows system directory:
winxp.exeopen
winxp.exeopenopen
winxp.exeopenopenopen
winxp.exeopenopenopenopen
Propagation
The worm searches disks for files with extensions from the following list. It sends itself to all addresses harvested from these files.
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
It uses its own SMTP server to send messages.
Infected messages
Message header:
Re:
Versions of message body:
Animals
foto3 and MP3
fotogalary and Music
fotoinfo
Lovely animals
Predators
Screen and Music
The snake
Attachment name:
Cat
Cool_MP3
Dog
Doll
Fish
Garry
MP3
Music_MP3
New_MP3_Player
Attachment extension:
com
cpl
exe
scr
zip
The worm can send itself as a password protected ZIP archive. If it does this, the password will be shown in the message body. The password may be in text or graphical format.
The worm will not send itself to addresses containing text strings from the list below:
@avp.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
Propagation via P2P
The worm searches disks for folders containing the text string shar. It then copies itself several times to these folders under the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Remote administration
The worm opens port 1080 and another port chosen at random. It then tracks port activity.
Other
The worm is programmed to cease activity and self-destruct after 5th May 2006.
It tracks the execution of most well-known antivirus products and firewalls and terminates these processes.
The worm’s body contains a list of URLs. It attempts to download from these sites. At the moment of writing, none of the sites are functioning.
This entry was posted on Friday, December 8th, 2006 at 2:00 pm and is filed under Virus Threats.
Details
I-Worm.Bagle.ah
This worm is almost identical to I-Worm.Bagle.ai.
It differs from Bagle.ai only in its size, the name of the file it creates, and the corresponding registry key. It creates a file named sysxp.exe, rather than winxp.exe.
This entry was posted on Friday, December 8th, 2006 at 12:00 pm and is filed under Virus Threats.
Details
I-Worm.Bagle.aa
This worm spreads via the Internet as an attachment to infected messages, and also via file-sharing networks.
It is packed using UPX and PEX. The unpacked file is approximately 66KB in size.
The file contains a ZIP archive which contains the complete source code of the worm.
Installation
Once launched, the worm copies itself to the Windows system directory as loader_name.exe, and registers this file in the system registry, to ensure the file is run every time the system is started:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reg_key"="%system%\loader_name.exe"
The worm also creates 2 additional files in the Windows system directory:
loader_name.exeopen
loader_name.exeopenopen
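A host-side check for the persistence artifacts these Bagle variants leave behind (the Run values bawindo, win_upd2.exe, erthgdr, key and reg_key, the dropped executables, and the .exeopen companion files described in the Installation sections above). This is added example code, not from the original descriptions; it parses a constructed `reg export` of the HKCU Run key and a constructed %system% file listing instead of reading the live registry, so the sample data and the helper names are assumptions.

```python
import re

# Indicators taken from the Bagle variant descriptions above: Run value name -> exe.
RUN_VALUES = {
    "bawindo": "bawindo.exe",         # Bagle.as
    "win_upd2.exe": "windirect.exe",  # Bagle.al dropper
    "erthgdr": "windll.exe",          # Bagle.al worm component
    "key": "winxp.exe",               # Bagle.ai
    "reg_key": "loader_name.exe",     # Bagle.aa
}
DROPPED_FILES = {"bawindo.exe", "windirect.exe", "_dll.exe", "windll.exe",
                 "winxp.exe", "sysxp.exe", "loader_name.exe"}
# Companion files the worms create next to their body: <name>.exeopen, .exeopenopen, ...
COMPANION_RE = re.compile(r"^.+\.exe(open)+$", re.IGNORECASE)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def check_run_export(reg_text):
    """Scan the text of a .reg export (reg export writes UTF-16; decode it first)
    and return (value_name, data) pairs that match a known Bagle auto-run entry."""
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # start of a new key
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)     # "name"="data" (REG_SZ)
        if not (in_run_key and m):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        exe = data.rsplit("\\", 1)[-1].lower()
        if RUN_VALUES.get(name.lower()) == exe or exe in DROPPED_FILES:
            hits.append((name, data))
    return hits

def check_system_dir(filenames):
    """Return the names in a %system% listing that are known Bagle executables
    or .exeopen-style companion files, sorted for stable reporting."""
    return sorted(f.lower() for f in filenames
                  if f.lower() in DROPPED_FILES or COMPANION_RE.match(f))

# Constructed sample input (not from a real machine) for a stand-alone run.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"
"erthgdr"="C:\\\\WINDOWS\\\\system32\\\\windll.exe"
"win_upd2.exe"="C:\\\\WINDOWS\\\\system32\\\\windirect.exe"
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "notepad.exe", "winxp.exe",
                     "winxp.exeopen", "winxp.exeopenopen"]

if __name__ == "__main__":
    for name, data in check_run_export(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {data}")
    print("suspicious files:", check_system_dir(SAMPLE_SYSTEM_DIR))
```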
Propagation
The worm searches disks for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
and sends itself to all email addresses harvested from these files.
It uses its own SMTP server to send messages.
Infected messages:
Message header (chosen from the list below):
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks 
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message body (chosen from the list below):
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
Attachment name (chosen from the list below):
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
Attachment extension (chosen from the list below):
exe
scr
com
zip
vbs
hta
cpl
If the attached file has the extension .hta, the size of the attached file will be approximately 208KB. If the attached file has the extension .vbs then the size of the attached file will be approximately 211KB.
The worm is capable of sending itself in a password protected zip archive. In such cases, the password will be shown in the message body, either in text format or as an image.
It does not send infected messages to addresses which contain any of the lines of text listed below:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
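A mail-gateway style check for the Bagle.aa message format described above: the subject list, the attachment base names and extensions, and the password-protected ZIP whose password is placed in the body as text or as an image. This is added example code, not from the original description; the sample message is constructed here and the function name is an assumption.

```python
import email
import re
from email import policy

# Message characteristics from the Bagle.aa description above (lower-cased).
SUBJECTS = {
    "re: msg reply", "re: hello", "re: yahoo!", "re: thank you!", "re: thanks",
    "re: text message", "re: document", "incoming message", "re: incoming message",
    "re: incoming msg", "re: message notify", "notification", "changes..", "update",
    "fax message", "protected message", "re: protected message", "forum notify",
    "site changes", "re: hi", "encrypted document",
}
ATTACH_BASENAMES = {"information", "details", "text_document", "updates", "readme",
                    "document", "info", "moreinfo", "message"}
ATTACH_EXTS = {"exe", "scr", "com", "zip", "vbs", "hta", "cpl"}
PASSWORD_RE = re.compile(r"\bpassword\b", re.IGNORECASE)

def classify_message(raw):
    """Return the reasons a raw RFC 822 message matches the Bagle.aa mailing
    pattern; an empty list means no match. Meant for a gateway or mailbox sweep."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject from worm list: {subject!r}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    # The password for a protected ZIP is placed in the body as text or as an image.
    inline_image = any(p.get_content_maintype() == "image" and not p.is_attachment()
                       for p in msg.walk())
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        base, _, ext = name.rpartition(".")
        if ext in ATTACH_EXTS and base in ATTACH_BASENAMES:
            reasons.append(f"attachment name from worm list: {name}")
        if ext == "zip" and (PASSWORD_RE.search(text) or inline_image):
            reasons.append(f"zip with password hint in body: {name}")
    return reasons

# Constructed sample message (not a real capture) for a stand-alone run.
SAMPLE_EML = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please, have a look at the attached file.
--b1
Content-Type: application/octet-stream; name="Details.exe"
Content-Disposition: attachment; filename="Details.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(classify_message(SAMPLE_EML) or ["no match"])
```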
Propagation via P2P networks
The worm searches disks for folders where the name contains the word ’shar’ and copies itself several times to all such folders found. Copies are made under the following names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe
Remote administration
The worm opens and tracks activity on port 1234.
The backdoor function makes it possible for the source code of the worm to be remotely mass mailed at any time.
Other
The worm is programmed to cease activity and delete itself after 7th July 2004.
This entry was posted on Friday, December 8th, 2006 at 10:00 am and is filed under Virus Threats.