W32/Bagle.q@MM

Discussion in 'malware problems & news' started by Marianna, Mar 18, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Virus Information
    Discovery Date: 03/18/2004
    Origin: Unknown
    Length: 25,600 Bytes
    Type: Virus
    SubType: E-mail worm

    Virus Characteristics:
    AVERT has received a sample of this threat and is currently in the process of analyzing it. Further details will be posted when they are available.


    This Bagle variant is bears the following characteristics:

    contains its own SMTP engine to construct outgoing messages
    harvests email addresses from the victim machine
    the From: address of messages is spoofed
    contains a remote access component (notification is sent to hacker)
    copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
    encrypted polymorphic parasitic file infector

    More: http://vil.nai.com/vil/content/v_101108.htm
     
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Hi,

    Also bagles R, S enT are there.

    Gerard
     
  3. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    W32/Bagle-Q

    Aliases
    Win32/Bagle.Q

    Type
    Win32 executable file virus

    Description
    W32/Bagle-Q is a mass-mailing virus that spreads in an unusual manner.
    W32/Bagle-Q spreads via a "carrier" email which does not contain the worm as an attachment.

    The email has the following charactersitics:

    The Sender address is spoofed.

    Subject line: randomly chosen from -
    Re: Msg reply
    Re: Hello
    Re: Yahoo!
    Re: Thank you!
    Re: Thanks :)
    RE: Text message
    Re: Document
    Incoming message
    Re: Incoming Message
    Re: Incoming Fax
    Hidden message
    Fax Message Received
    Protected message
    RE: Protected message
    Forum notify
    Request response
    Site changes
    Re: Hi
    Encrypted document

    There is no visible message text.

    The email addresses are harvested from the hard drive of infected machines by searching for files with the extensions WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, SHT, XLS and OFT.

    W32/Bagle-Q avoids email addresses containing the following:

    @hotmail, @msn, @microsoft, rating@, f-secur, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@

    When you open the "carrier" email, the email attempts to exploit a vulnerability in Outlook. The exploit may cause the email client to automatically download W32/Bagle-Q from the IP address of a computer infected with a Bagle variant. The IP address of the computer "server" serving the Bagle executable is randomly chosen from the list of of 590 IP addresses from the virus data section.

    The security vulnerability was reportedly patched by Microsoft in Microsoft Security Bulletin MS03-040.

    The "carrier" email connects to port 81 of the host and opens an HTML file. The HTML file drops and launches a Visual Basic script q.vbs. This script connects to the same server and downloads W32/Bagle-Q via an HTTP (web) request to TCP port 81.

    The downloaded copy of W32/Bagle-Q is placed into your system folder with the name directs.exe or direct.exe (depending on the variant).

    W32/Bagle-Q loads on your PC and terminates a wide range of security applications. The list of applications is:
    CLEANER3.EXE
    au.exe
    d3dupdate.exe
    CLEANPC.EXE
    AVprotect9x.exe
    CMGRDIAN.EXE
    CMON016.EXE
    CPF9X206.EXE
    CPFNT206.EXE
    CV.EXE
    CWNB181.EXE
    CWNTDWMO.EXE
    ICSSUPPNT.EXE
    DEFWATCH.EXE
    DEPUTY.EXE
    DPF.EXE
    DPFSETUP.EXE
    DRWATSON.EXE
    ENT.EXE
    ESCANH95.EXE
    AVXQUAR.EXE
    ESCANHNT.EXE
    ESCANV95.EXE
    AVPUPD.EXE
    EXANTIVIRUS-CNET.EXE
    FAST.EXE
    FIREWALL.EXE
    FLOWPROTECTOR.EXE
    FP-WIN_TRIAL.EXE
    FRW.EXE
    FSAV.EXE
    AUTODOWN.EXE
    FSAV530STBYB.EXE
    FSAV530WTBYB.EXE
    FSAV95.EXE
    GBMENU.EXE
    GBPOLL.EXE
    GUARD.EXE
    GUARDDOG.EXE
    HACKTRACERSETUP.EXE
    HTLOG.EXE
    HWPE.EXE
    IAMAPP.EXE
    IAMAPP.EXE
    IAMSERV.EXE
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFW2000.EXE
    IPARMOR.EXE
    IRIS.EXE
    JAMMER.EXE
    ATUPDATER.EXE
    AUPDATE.EXE
    KAVLITE40ENG.EXE
    KAVPERS40ENG.EXE
    KERIO-PF-213-EN-WIN.EXE
    KERIO-WRL-421-EN-WIN.EXE
    BORG2.EXE
    BS120.EXE
    CDP.EXE
    CFGWIZ.EXE
    CFIADMIN.EXE
    CFIAUDIT.EXE
    AUTOUPDATE.EXE
    CFINET.EXE
    NAVAPW32.EXE
    NAVDX.EXE
    NAVSTUB.EXE
    NAVW32.EXE
    NC2000.EXE
    NCINST4.EXE
    AUTOTRACE.EXE
    NDD32.EXE
    NEOMONITOR.EXE
    NETARMOR.EXE
    NETINFO.EXE
    NETMON.EXE
    NETSCANPRO.EXE
    NETSPYHUNTER-1.2.EXE
    NETSTAT.EXE
    NISSERV.EXE
    NISUM.EXE
    NMAIN.EXE
    NORTON_INTERNET_SECU_3.0_407.EXE
    NPF40_TW_98_NT_ME_2K.EXE
    NPFMESSENGER.EXE
    NPROTECT.EXE
    NSCHED32.EXE
    NTVDM.EXE
    NVARCH16.EXE
    KERIO-WRP-421-EN-WIN.EXE
    KILLPROCESSSETUP161.EXE
    LDPRO.EXE
    LOCALNET.EXE
    LOCKDOWN.EXE
    LOCKDOWN2000.EXE
    LSETUP.EXE
    OUTPOST.EXE
    CFIAUDIT.EXE
    LUCOMSERVER.EXE
    AGENTSVR.EXE
    ANTI-TROJAN.EXE
    ANTI-TROJAN.EXE
    ANTIVIRUS.EXE
    ANTS.EXE
    APIMONITOR.EXE
    APLICA32.EXE
    APVXDWIN.EXE
    ATCON.EXE
    ATGUARD.EXE
    ATRO55EN.EXE
    ATWATCH.EXE
    AVCONSOL.EXE
    AVGSERV9.EXE
    AVSYNMGR.EXE
    BD_PROFESSIONAL.EXE
    BIDEF.EXE
    BIDSERVER.EXE
    BIPCP.EXE
    BIPCPEVALSETUP.EXE
    BISP.EXE
    BLACKD.EXE
    BLACKICE.EXE
    BOOTWARN.EXE
    NWINST4.EXE
    NWTOOL16.EXE
    OSTRONET.EXE
    OUTPOSTINSTALL.EXE
    OUTPOSTPROINSTALL.EXE
    PADMIN.EXE
    PANIXK.EXE
    PAVPROXY.EXE
    DRWEBUPW.EXE
    PCC2002S902.EXE
    PCC2K_76_1436.EXE
    PCCIOMON.EXE
    PCDSETUP.EXE
    PCFWALLICON.EXE
    PCFWALLICON.EXE
    PCIP10117_0.EXE
    PDSETUP.EXE
    PERISCOPE.EXE
    PERSFW.EXE
    PF2.EXE
    AVLTMAIN.EXE
    PFWADMIN.EXE
    PINGSCAN.EXE
    PLATIN.EXE
    POPROXY.EXE
    POPSCAN.EXE
    PORTDETECTIVE.EXE
    PPINUPDT.EXE
    PPTBC.EXE
    PPVSTOP.EXE
    PROCEXPLORERV1.0.EXE
    PROPORT.EXE
    PROTECTX.EXE
    PSPF.EXE
    WGFE95.EXE
    WHOSWATCHINGME.EXE
    AVWUPD32.EXE
    NUPGRADE.EXE
    WHOSWATCHINGME.EXE
    WINRECON.EXE
    WNT.EXE
    WRADMIN.EXE
    WRCTRL.EXE
    WSBGATE.EXE
    WYVERNWORKSFIREWALL.EXE
    XPF202EN.EXE
    ZAPRO.EXE
    ZAPSETUP3001.EXE
    ZATUTOR.EXE
    CFINET32.EXE
    CLEAN.EXE
    CLEANER.EXE
    CLEANER3.EXE
    CLEANPC.EXE
    CMGRDIAN.EXE
    CMON016.EXE
    CPD.EXE
    CFGWIZ.EXE
    CFIADMIN.EXE
    PURGE.EXE
    PVIEW95.EXE
    QCONSOLE.EXE
    QSERVER.EXE
    RAV8WIN32ENG.EXE
    REGEDT32.EXE
    REGEDIT.EXE
    UPDATE.EXE
    RESCUE.EXE
    RESCUE32.EXE
    RRGUARD.EXE
    RSHELL.EXE
    RTVSCN95.EXE
    RULAUNCH.EXE
    SAFEWEB.EXE
    SBSERV.EXE
    SD.EXE
    SETUP_FLOWPROTECTOR_US.EXE
    SETUPVAMEEVAL.EXE
    SFC.EXE
    SGSSFW32.EXE
    SH.EXE
    SHELLSPYINSTALL.EXE
    SHN.EXE
    SMC.EXE
    SOFI.EXE
    SPF.EXE
    SPHINX.EXE
    SPYXX.EXE
    SS3EDIT.EXE
    ST2.EXE
    SUPFTRL.EXE
    LUALL.EXE
    SUPPORTER5.EXE
    SYMPROXYSVC.EXE
    SYSEDIT.EXE
    TASKMON.EXE
    TAUMON.EXE
    TAUSCAN.EXE
    TC.EXE
    TCA.EXE
    TCM.EXE
    TDS2-98.EXE
    TDS2-NT.EXE
    TDS-3.EXE
    TFAK5.EXE
    TGBOB.EXE
    TITANIN.EXE
    TITANINXP.EXE
    TRACERT.EXE
    TRJSCAN.EXE
    TRJSETUP.EXE
    TROJANTRAP3.EXE
    UNDOBOOT.EXE
    VBCMSERV.EXE
    VBCONS.EXE
    VBUST.EXE
    VBWIN9X.EXE
    VBWINNTW.EXE
    VCSETUP.EXE
    VFSETUP.EXE
    VIRUSMDPERSONALFIREWALL.EXE
    VNLAN300.EXE
    VNPC3000.EXE
    VPC42.EXE
    VPFW30S.EXE
    VPTRAY.EXE
    VSCENU6.02D30.EXE
    VSECOMR.EXE
    VSHWIN32.EXE
    VSISETUP.EXE
    VSMAIN.EXE
    VSMON.EXE
    VSSTAT.EXE
    VSWIN9XE.EXE
    VSWINNTSE.EXE
    VSWINPERSE.EXE
    W32DSM89.EXE
    W9X.EXE
    WATCHDOG.EXE
    WEBSCANX.EXE
    CFIAUDIT.EXE
    CFINET.EXE
    ICSUPP95.EXE
    MCUPDATE.EXE
    CFINET32.EXE
    CLEAN.EXE
    CLEANER.EXE
    LUINIT.EXE
    MCAGENT.EXE
    MCUPDATE.EXE
    MFW2EN.EXE
    MFWENG3.02D30.EXE
    MGUI.EXE
    MINILOG.EXE
    MOOLIVE.EXE
    MRFLUX.EXE
    MSCONFIG.EXE
    MSINFO32.EXE
    MSSMMC32.EXE
    MU0311AD.EXE
    NAV80TRY.EXE
    ZAUINST.EXE
    ZONALM2601.EXE
    ZONEALARM.EXE

    A registry entry is added to the following key so that the program directs.exe loads every time you logon to your computer:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    W32/Bagle-Q makes multiple copies of itself into folders which are likely to be part of a file-sharing network. The filenames used are:
    Microsoft Office 2003 Crack, Working!.exe
    Microsoft Windows XP, WinXP Crack, working Keygen.exe
    Microsoft Office XP working Crack, Keygen.exe
    Porno, sex, oral, anal cool, awesome!!.exe
    Porno Screensaver.scr
    Serials.txt.exe
    Porno pics arhive, xxx.exe
    Windows Sourcecode update.doc.exe
    Ahead Nero 7.exe
    Windown Longhorn Beta Leak.exe
    Opera 8 New!.exe
    XXX hardcore images.exe
    WinAmp 6 New!.exe
    WinAmp 5 Pro Keygen Crack Update.exe
    Adobe Photoshop 9 full.exe
    Matrix 3 Revolution English Subtitles.exe
    ACDSee 9.exe

    W32/Bagle-Q infects programs on your PC by appending itself to existing EXE files. The danger of W32/Bagle-Q can be mitigated not only by updating Sophos Anti-Virus but by blocking connections to TCP port 81 through your network firewall (this port is unlikely to be required for any real services).

    Blocking outbound port 81 connections stops computers on your network from downloading the worm from outside. Blocking port 81 inbound means that even if you do get infected you will not pass the virus on to others.

    You should also apply the latest Internet Explorer/Outlook Express patches from Microsoft. The vulnerability used by W32/Bagle-Q is described in the Microsoft Security Bulletin MS03-040 and is referred to as the "Object Tag vulnerability in Popup Window".

    http://www.sophos.com/virusinfo/analyses/w32bagleq.html
     
Thread Status:
Not open for further replies.