W32/Bagle.z@MM

Discussion in 'malware problems & news' started by Marianna, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Virus Information
    Discovery Date: 04/26/2004
    Origin: Unknown
    Length: Various (Appended garbage)
    Type: Virus
    SubType: E-mail worm

    - Update 26th April 09:37 PST --
    Due to increased prevalence, this threat has had its risk assessment raised to medium.
    --

    This is a new variant of W32/Bagle@MM. It is packed using UPX. It is not polymorphic and a static MD5 is not suitable as garbage is always appended to the file.

    This is a mass-mailing worm with the following characteristics:

    - contains its own SMTP engine to construct outgoing messages
    - harvests email addresses from the victim machine
    - the From: address of messages is spoofed
    - attachment can be a password-protected zip file, with the password included in the message body
    - contains a remote access component (notification is sent to hacker)
    - copies itself to folders that have the phrase "shar" in the name (such as those of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)

    Mail Propagation

    The details are as follows:

    From: (address is spoofed)

    It may use the following strings at times:

    lizie@
    annie@
    ann@
    christina@
    secretGurl@
    jessie@
    christy@


    Subject:

    More: http://vil.nai.com/vil/content/v_122415.htm
     
  2. unicornia_34
  3. Randy_Bell

    Trend: WORM_BAGLE.Z

    WORM_BAGLE.Z is a new variant of the BAGLE worm. It is a memory-resident worm that propagates via email and network shares. It is currently spreading in the wild and infecting computer systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, it drops a copy of itself in the Windows system folder using any of the following file names:

    DRVDDLL.EXE
    DRVDDLL.EXEOPEN
    DRVDDLL.EXEOPENOPEN

    It also displays the fake error message “Can’t find a viewer associated with the file.” It then creates a registry entry that allows it to automatically execute at every system startup.

    This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It searches for email addresses in files with the following specific extension names:

    ADB ASP CFG CGI DBX DHTM EML HTM JSP MBX MDX MHT MMF MSG NCH ODS OFT PHP PL SHT SHTM STM TBB TXT UIN WAB WSH XLS XML

    It skips those addresses that contain any of the following strings:

    @avp. @foo @iana @messagelab @microsoft abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip

    The email it sends out contains a message body only if its attachment is a password-protected .ZIP file.

    In its attempt to propagate via network shares, this worm drops copies of itself in folders that contain the string shar in their folder names.

    This malware also has backdoor capabilities. It listens to a specific port and waits for commands from a remote malicious user. It terminates several antivirus and security programs, and attempts to connect to specific Web sites. It also deletes registry entries that automatically execute variants of WORM_NETSKY.

    After January 25, 2005, it deletes a certain registry key and registry entry, in order to uninstall itself.

    If you would like to scan your computer for WORM_BAGLE.Z or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_BAGLE.Z is detected and cleaned by Trend Micro pattern file #877 and above.
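A mail-gateway triage check built from the traits both write-ups above describe (spoofed From: local-parts, a password-protected ZIP attachment, and a body whose only job is to carry the archive password). This is an added example, not code from McAfee or Trend Micro; the message and the archive it inspects are constructed here, with the archive's encryption flag set by hand since the standard library cannot write encrypted ZIPs.

```python
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Spoofed From: local-parts listed in the McAfee write-up above.
SPOOFED_LOCAL_PARTS = {"lizie", "annie", "ann", "christina", "secretgurl", "jessie", "christy"}

def encrypted_zip_members(blob: bytes) -> list:
    """Names of members whose general-purpose flag bit 0 (encryption) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; the other checks still apply

def triage(raw: bytes) -> list:
    """Return the Bagle-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons, body = [], ""
    local_part = email.utils.parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local_part in SPOOFED_LOCAL_PARTS:
        reasons.append("from-local-part")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/plain" and not name:
            body += part.get_content()
        elif name.endswith(".zip") and encrypted_zip_members(part.get_payload(decode=True)):
            reasons.append("encrypted-zip")
    # Per the advisories, the body exists only to hand over the archive password.
    if "encrypted-zip" in reasons and re.search(r"\bpassword\b", body, re.I):
        reasons.append("password-in-body")
    return reasons

def constructed_encrypted_zip() -> bytes:
    # Constructed sample: a harmless archive whose members are flagged encrypted.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    # Flag field: offset 6 in the local header, offset 8 in the central-directory entry.
    data[data.find(b"PK\x03\x04") + 6] |= 1
    data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)

def constructed_message() -> bytes:
    # Constructed sample message carrying all three traits at once.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "annie@example.com", "user@example.org", "Re: Document"
    msg.set_content("See the attached archive. The password is 12345.")
    msg.add_attachment(constructed_encrypted_zip(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

A real gateway would treat any one of these indicators as a reason to quarantine rather than require all three, since the From: strings vary and newer variants change them.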
     