W32/Bagle.n@MM

Discussion in 'malware problems & news' started by Marianna, Mar 13, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Virus Information
    Discovery Date: 03/13/2004
    Origin: Unknown
    Length: 21 KB
    Type: Virus
    SubType: E-mail worm

    This Bagle variant bears the following characteristics:

    contains its own SMTP engine to construct outgoing messages
    harvests email addresses from the victim machine
    the From: address of messages is spoofed
    attachment can be a password-protected zip file, with the password included in the message body, or in an image file attached to the message.
    contains a remote access component (notification is sent to hacker)
    copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
    encrypted polymorphic parasitic file infector
    Mail Propagation

    The message bodies are constructed very similarly to those of its predecessor, using several parts to customize the email so that it appears to be a legitimate warning notification. The details are as follows:

    From: (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

    management@
    administration@
    staff@
    noreply@
    support@
    other address found on the system
    Subject:

    Account notify
    E-mail account disabling warning.
    E-mail account security warning.
    Email account utilization warning.
    Email report
    E-mail technical support message.
    E-mail technical support warning.
    E-mail warning
    Encrypted document
    Fax Message Received
    Forum notify
    Hidden message
    Important notify
    Important notify about your e-mail account.
    Incoming message
    Notify about using the e-mail account.
    Notify about your e-mail account utilization.
    Notify from e-mail technical support.
    Protected message
    Re: Document
    Re: Hello
    Re: Hi
    Re: Incoming Fax
    Re: Incoming Message
    Re: Msg reply
    RE: Protected message
    RE: Text message
    Re: Thank you!
    Re: Thanks :)
    Re: Yahoo!
    Request response
    Site changes
    Warning about your e-mail account.
    Body Text:

    Greeting -

    Dear user of %s ,
    Dear user of %s e-mail server gateway,
    Hello user of %s e-mail server,
    Dear user, the management of %s mailing system wants to let you know that,
    (Where %s is the user's domain, taken from the To: address. For example, the user's domain for user@mail.com would be "mail.com".)

    Main message body -

    Your e-mail account has been temporary disabled because of unauthorized access.
    Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
    Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
    We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
    Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
    Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
    Attachment explanation -

    Read more: http://vil.nai.com/vil/content/v_101095.htm
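As an added example that is not part of the original post or of McAfee's write-up, here is a Python heuristic that scores an incoming message against the lure indicators listed above: a spoofed From: local-part paired with the recipient's own domain, a known subject line, a greeting built from the To: domain, a known body text, and a zip attachment (checked for the encryption flag bit) with the word "password" in the body. The indicator names, the threshold of three hits and both sample messages are assumptions constructed for the demonstration; the subject list is abridged, and the "password-protected" archive is a plain zip with its encryption flag set by hand because the standard library cannot write encrypted archives.

```python
# Heuristic scorer for the Bagle.N lure described in the post above. Added example, not
# McAfee's or the poster's code; names, threshold and sample messages are assumptions.
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Spoofed sender local-parts the worm pairs with the recipient's own domain.
SPOOFED_LOCALPARTS = {"management", "administration", "staff", "noreply", "support"}
# Abridged subject list (full list in the post above), compared case-insensitively.
SUBJECTS = {"account notify", "e-mail account disabling warning.", "encrypted document",
            "e-mail account security warning.", "email account utilization warning.",
            "protected message", "warning about your e-mail account."}
# Greeting templates; {d} stands in for the post's %s (domain of the To: address).
GREETINGS = [
    "Dear user of {d} ,",
    "Dear user of {d} e-mail server gateway,",
    "Hello user of {d} e-mail server,",
    "Dear user, the management of {d} mailing system wants to let you know that,",
]
# Fragments of the main bodies; the worm's misspellings are kept on purpose.
BODY_MARKERS = [
    "temporary disabled because of unauthorized access",
    "configure our free auto-forwarding service",
    "proxy-relay trojan server",
]

def zip_is_encrypted(payload: bytes) -> bool:
    """True if any entry carries the 'encrypted' general-purpose flag (bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def score_message(raw: bytes) -> dict:
    """Match one RFC 5322 message against the lure indicators; return hits and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    from_local, _, from_domain = from_addr.partition("@")
    to_domain = to_addr.partition("@")[2]
    if from_local in SPOOFED_LOCALPARTS and from_domain and from_domain == to_domain:
        hits.append("from_spoofs_recipient_domain")
    if " ".join(str(msg.get("Subject", "")).split()).lower() in SUBJECTS:
        hits.append("known_subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if to_domain and any(g.format(d=to_domain) in text for g in GREETINGS):
        hits.append("greeting_uses_recipient_domain")
    if any(m in text.lower() for m in BODY_MARKERS):
        hits.append("known_body_text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") or data.startswith(b"PK\x03\x04"):
            hits.append("zip_attachment")
            if zip_is_encrypted(data):
                hits.append("zip_is_encrypted")
            if re.search(r"\bpassword\b", text, re.I):
                hits.append("password_in_body")
        elif part.get_content_maintype() == "image":
            hits.append("image_attachment")  # the password may travel in an image instead
    # Threshold is an assumption: a lone hit such as a "Re: Hello" subject is ordinary mail.
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 3}

def _simulated_protected_zip() -> bytes:
    """Constructed stand-in for the worm's password-protected archive: the stdlib cannot
    write encrypted zips, so bit 0 of the flags field is set by hand in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Message.exe", "harmless placeholder, not a PE file")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 0x1  # local file header: flags at offset 6
    data[data.find(b"PK\x01\x02") + 8] |= 0x1  # central directory entry: flags at offset 8
    return bytes(data)

def _build(sender: str, rcpt: str, subject: str, body: str, zip_payload=None) -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content(body)
    if zip_payload is not None:
        msg.add_attachment(zip_payload, maintype="application", subtype="zip",
                           filename="Message.zip")
    return msg.as_bytes()

def build_sample_lure() -> bytes:
    """Constructed message modelled on the lure above (not a captured sample)."""
    return _build("management@mail.com", "user@mail.com", "E-mail account security warning.",
                  "Dear user of mail.com ,\n\nYour e-mail account has been temporary disabled "
                  "because of unauthorized access.\n\nThe attached archive is password "
                  "protected. The password is 12345.\n", _simulated_protected_zip())

def build_sample_benign() -> bytes:
    """Constructed ordinary reply for comparison."""
    return _build("colleague@example.org", "user@mail.com", "Re: Hello", "Hi,\n\nsee you at noon.\n")
```

The worm's strings are matched verbatim, so misspellings such as "temporary disabled" stay as the worm sends them. A filter should require several indicators together: a "Re: Hello" subject or a zip attachment on its own is everyday traffic, whereas a sender at the recipient's own domain plus a domain-templated greeting plus an encrypted archive whose password sits in the body is the combination this variant uses.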
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Just a reminder, this is new... :eek:

    -edit-
    picture copied from the ca.com site
     

