I-Worm.Bagle.d

Discussion in 'malware problems & news' started by Marianna, Feb 28, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    This worm spreads via the Internet in the form of an attachment to infected emails.

    The worm itself is a PE EXE file of approximately 15KB, compressed using UPX. The size of the decompressed file is approximately 28KB.


    Characteristics of infected messages:
    Message header:
    Price
    New Price-list
    Hardware devices price-list
    Weekly activity report
    Daily activity report
    Maria
    Jenny
    Jessica
    Registration confirmation
    USA government abolishes the capital punishment
    Freedom for everyone
    Flayers among us
    From Hair-cutter
    Melissa
    Camila
    Price-list
    Pricelist
    Price list
    Hello my friend
    Hi!
    Well...
    Greet the day
    The account
    Looking for the report
    You really love me? he he
    You are dismissed
    Accounts department
    From me
    Monthly incomings summary
    The summary
    Proclivity to servitude
    Ahtung!
    The employee

    Message body:
    none
    Attachment:
    A ZIP file with a random name, with a file size of 15994 bytes. The zipped file contains an EXE file with a random name and an Excel icon.
    Installation
    Once launched, the worm copies itself and all components to the Windows system directory under the names 'readme.exe', 'onde.exe', 'doc.exe' and 'readme.exeopen' and then registers 'readme.exe' in the system registry auto-run key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "gouday.exe" = "%system%\readme.exe"]
    Also creates the following registry key:
    [HKCU\SOFTWARE\DataTime3]
    and saves its variables there.
    The worm attempts to connect to a number of remote sites, storing information about the infected machine on these sites.

    On launching, the worm launches the MS Notepad (notepad.exe)

    Propagation
    The worm searches for files with the following extensions:
    .wab
    .txt
    .htm
    .html
    .dbx
    .mdx
    .eml
    .nch
    .mmf
    .ods
    .cfg
    .asp
    .php
    .pl
    .adb
    .sht
    and sends itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
    Remote administration
    The worm opens and monitors port 2745. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
    Other
    The worm attempts to block antivirus database updates by terminating the following processes:
    ATUPDATER.EXE
    AVWUPD32.EXE
    AVPUPD.EXE
    LUALL.EXE
    DRWEBUPW.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    UPDATE.EXE
    NUPGRADE.EXE
    ATUPDATER.EXE
    AUPDATE.EXE
    AUTODOWN.EXE
    AUTOTRACE.EXE
    AUTOUPDATE.EXE
    AVXQUAR.EXE
    CFIAUDIT.EXE
    MCUPDATE.EXE
    NUPGRADE.EXE
    OUTPOST.EXE
    AVLTMAIN.EXE
    Bagle.d is programmed to stop propagating after March 14, 2004.

    http://www.viruslist.com/eng/viruslist.html?id=1056972
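An added example, not part of Marianna's post or of the Kaspersky description it quotes: a small triage script that turns the indicators listed above (the ZIP-with-EXE attachment, the 'gouday.exe' auto-run value pointing at readme.exe, the HKCU\SOFTWARE\DataTime3 key, and a listener on TCP 2745) into checks that run offline against constructed inputs. The sample registry export, netstat listing and ZIP file are made up for the example; the function names are this example's own.

```python
"""Added example (not from the original post or from Kaspersky): triage
checks for the Bagle.d indicators listed above, run against constructed
inputs so the script works offline. Function names are the example's own."""
import io
import re
import zipfile

# Indicators taken from the description above.
DROPPED_FILES = {"readme.exe", "onde.exe", "doc.exe", "readme.exeopen"}
RUN_VALUE_NAME = "gouday.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKEY_CURRENT_USER\SOFTWARE\DataTime3"
BACKDOOR_PORT = 2745
ATTACHMENT_SIZE = 15994  # size of the zipped attachment, in bytes


def suspicious_attachment(data: bytes) -> list:
    """Flag a ZIP attachment that carries an executable, as Bagle.d's does.
    Returns a list of reasons; an empty list means nothing matched."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons  # not a ZIP at all; other checks apply elsewhere
    exes = [n for n in zf.namelist() if n.lower().endswith(".exe")]
    if exes:
        reasons.append(f"zip contains executable(s): {exes}")
    if len(data) == ATTACHMENT_SIZE:
        reasons.append(f"zip size matches Bagle.d attachment ({ATTACHMENT_SIZE} bytes)")
    return reasons


def scan_registry_export(text: str) -> list:
    """Walk a `reg export`-style dump and report the worm's persistence
    value and its state key. Paths in .reg files use doubled backslashes."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section.lower() == DATA_KEY.lower():
                findings.append(f"worm state key present: {section}")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or section is None or section.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        base = data.split("\\")[-1].lower()
        # Match on the value name the worm uses, or on any Run entry that
        # points at one of the dropped file names.
        if name.lower() == RUN_VALUE_NAME or base in DROPPED_FILES:
            findings.append(f"auto-run entry {name!r} -> {data}")
    return findings


def listening_on_backdoor_port(netstat_text: str) -> bool:
    """True if a `netstat -an` style listing shows TCP 2745 in LISTENING."""
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            return True
    return False


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the attachment: a ZIP holding one .exe.
    The payload is inert filler, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("qkzvh.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


# Constructed registry export: one benign Run value, one worm value,
# plus the worm's state key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"gouday.exe"="C:\\WINDOWS\\system32\\readme.exe"

[HKEY_CURRENT_USER\SOFTWARE\DataTime3]
"frun"=dword:00000001
'''

# Constructed netstat output with the backdoor listener present.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1672
  TCP    192.168.1.5:1058       10.0.0.2:25            ESTABLISHED     1672
"""

if __name__ == "__main__":
    for r in suspicious_attachment(build_sample_attachment()):
        print("attachment:", r)
    for f in scan_registry_export(SAMPLE_REG):
        print("registry:", f)
    print("backdoor port listening:", listening_on_backdoor_port(SAMPLE_NETSTAT))
```

On a real host you would feed scan_registry_export the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `reg export HKCU\SOFTWARE\DataTime3`, and listening_on_backdoor_port the output of `netstat -an`. The attachment size check is deliberately a secondary signal: a ZIP that contains an .exe is the thing a mail gateway should act on, whatever its size.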