W32/Bagle.z@MM

Virus Information
Discovery Date: 04/26/2004
Origin: Unknown
Length: Various (Appended garbage)
Type: Virus
SubType: E-mail worm

- Update 26th April 09:37 PST --
Due to increased prevalence, this threat has had its risk assessment raised to medium.
--

This is a new variant of W32/Bagle@MM. It is packed using UPX. It is not polymorphic and a static MD5 is not suitable as garbage is always appended to the file.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment can be a password-protected zip file, with the password included in the message body.
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
Mail Propagation

The details are as follows:

From : (address is spoofed)

It may use the following strings at times:

lizie@
annie@
ann@
christina@
secretGurl@
jessie@
christy@


Subject :

More: http://vil.nai.com/vil/content/v_122415.htm

 

try running these they are online scans

http://housecall.antivirus.com/housecall/s.../start_corp.asp

http://www.ravantivirus.com/scan/

http://www.trojanscan.com/

http://vil.nai.com/vil/stinger/

http://www.pandasoftware.com/activescan/com/

http://www.stop-sign.com/index2.php?n=goog...&mc_install=stp

 

Trend: WORM_BAGLE.Z

WORM_BAGLE.Z is a new variant of the BAGLE worm. It is a memory-resident worm that propagates via email and network shares. It is currently spreading in-the-wild and infecting computer systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops a copy of itself in the Windows system folder using any of the following file names:

DRVDDLL.EXE
DRVDDLL.EXEOPEN
DRVDDLL.EXEOPENOPEN

It also displays the fake error message “Can’t find a viewer associated with the file.” It then creates a registry entry that allows it to automatically execute at every system startup.

This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It searches for email addresses in files with the following specific extension names:

ADB ASP CFG CGI DBX DHTM EML HTM JSP MBX MDX MHT MMF MSG NCH ODS OFT PHP PL SHT SHTM STM TBB TXT UIN WAB WSH XLS XML

It skips those addresses that contain any of the following strings:

@avp. @foo @iana @messagelab @microsoft abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip

The email it sends out contains a message body only if its attachment is a password-protected .ZIP file.

In its attempt to propagate via network shares, this worm drops copies of itself in folders that contain the string shar in their folder names.

This malware also has backdoor capabilities. It listens to a specific port and waits for commands from a remote malicious user. It terminates several antivirus and security programs, and attempts to connect to specific Web sites. It also deletes registry entries that automatically execute variants of WORM_NETSKY.

After January 25, 2005, it deletes a certain registry key and registry entry, in order to uninstall itself.

If you would like to scan your computer for WORM_BAGLE.Z or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_BAGLE.Z is detected and cleaned by Trend Micro pattern file #877 and above.