W32/Bagle.n@MM

Type
Virus
SubType
E-mail worm
Discovery Date
03/13/2004
Length
21kb
Minimum DAT
4337 (03/13/2004)
Updated DAT
5090 (08/03/2007)
Minimum Engine
5.1.00
Description Added
03/13/2004
Description Modified
04/13/2004 8:49 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update April 13,2004 --
Due to decreasing prevalence the risk assessment for W32/Bagle.n@MM has been lowered to Low-Profiled.

-- Update March 13,2004 --
Due to increasing prevalence the risk assessment for W32/Bagle.n@MM has been raised to Medium.

If you think that you may be infected with Bagle.n, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This Bagle variant bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip or rar file, with the password included in the message body, or in an image file attached to the message.
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
  • encrypted polymorphic parasitic file infector

Mail Propagation

The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification. The details are as follows:

From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

  • management@
  • administration@
  • staff@
  • noreply@
  • support@ 
  • other address found on the system  

Subject :

  • Account notify
  • E-mail account disabling warning.
  • E-mail account security warning.
  • Email account utilization warning.
  • Email report
  • E-mail technical support message.
  • E-mail technical support warning.
  • E-mail warning
  • Encrypted document
  • Fax Message Received
  • Forum notify
  • Hidden message
  • Important notify
  • Important notify about your e-mail account.
  • Incoming message
  • Notify about using the e-mail account.
  • Notify about your e-mail account utilization.
  • Notify from e-mail technical support.
  • Protected message
  • Re: Document
  • Re: Hello
  • Re: Hi
  • Re: Incoming Fax
  • Re: Incoming Message
  • Re: Msg reply
  • RE: Protected message
  • RE: Text message
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Yahoo!
  • Request response
  • Site changes
  • Warning about your e-mail account.

Body Text:

Greeting -

  • Dear user of %s ,
  • Dear user of %s e-mail server gateway,
  • Hello user of %s e-mail server,
  • Dear user, the management of %s mailing system wants to let you know that,

(Where %s is the user's domain, taken from the To: address. For example, the user's domain for user@mail.com would be "mail.com".)

Main message body -

  • Your e-mail account has been temporary disabled because of unauthorized access.
  • Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
  • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
  • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
  • Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
  • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Attachment explanation -

  • Advanced details can be found in attached file.
  • Find the white rabbit.
  • Follow the wabbit.
  • For details see the attach.
  • For details see the attached file.
  • For further details see the attach.
  • For more information see the attached file.
  • Further details can be obtained from attached file.
  • Here is the file.
  • Message is in attach
  • More info in attach
  • Pay attention on attached file.
  • Please, have a look at the attached file.
  • Please, read the attach for further details.
  • Read the attach.
  • See attach.
  • See the attached file for details.
  • Your file is attached.

Password information - (if received as a ZIP or RAR file)

  • Password: %password%
  • Pass - %password%
  • Password - %password%
  • For security reasons attached file is password protected. The password is (attached image inserted)
  • For security purposes the attached file is password protected. Password -- (attached image inserted)
  • Note: Use password (attached image inserted) to open archive
  • Attached file is protected with the password for security reasons. Password is (attached image inserted)
  • In order to read the attach you have to use the following password: (attached image inserted)
  • Archive password: (attached image inserted)
  • Password - (attached image inserted)
  • Password: (attached image inserted)

Closing -

  • The Management,
  • Sincerely,
  • Best wishes,
  • Have a good day,
  • Cheers,
  • Kind regards,

The (user's domain) team                           http://www.(user's domain)

(Where the first part of the closing is selected from the list. The second part is always present.)

Attachment: (May be .EXE, .PIF, .ZIP, or .RAR)

  • Attach
  • Details
  • details
  • Document
  • Encrypted
  • first_part
  • Gift
  • Info
  • Information
  • Message
  • MoreInfo
  • pub_document
  • Readme
  • Text
  • text_document
  • TextDocument
  • (The virus may also attach an image file (.BMP, .JPG, .GIF) to the message that contains the password to a password-protected zip file, which contains the virus)
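As an added illustration (this is not part of the McAfee description and not the worm's code), the following Python gateway-side check scores an RFC 822 message against the template just described: a listed local-part on the recipient's own domain in From:, a listed Subject, a greeting naming the recipient's domain, a listed attachment name with an .EXE/.PIF/.ZIP/.RAR extension, and a password phrase with or without an attached image. The sample messages are constructed here, and the indicator names and the three-indicator threshold are this example's own choices.

```python
"""Score an RFC 822 message against the Bagle.n mail template described above."""
import email
import re
from email import policy, utils
from email.message import EmailMessage

# Indicator lists transcribed from the description above.
FROM_LOCAL_PARTS = {"management", "administration", "staff", "noreply", "support"}
SUBJECTS = {s.lower() for s in (
    "Account notify", "E-mail account disabling warning.",
    "E-mail account security warning.", "Email account utilization warning.",
    "Email report", "E-mail technical support message.",
    "E-mail technical support warning.", "E-mail warning", "Encrypted document",
    "Fax Message Received", "Forum notify", "Hidden message", "Important notify",
    "Important notify about your e-mail account.", "Incoming message",
    "Notify about using the e-mail account.",
    "Notify about your e-mail account utilization.",
    "Notify from e-mail technical support.", "Protected message", "Re: Document",
    "Re: Hello", "Re: Hi", "Re: Incoming Fax", "Re: Incoming Message",
    "Re: Msg reply", "RE: Protected message", "RE: Text message", "Re: Thank you!",
    "Re: Thanks :)", "Re: Yahoo!", "Request response", "Site changes",
    "Warning about your e-mail account.")}
ATTACH_STEMS = {"attach", "details", "document", "encrypted", "first_part", "gift",
                "info", "information", "message", "moreinfo", "pub_document",
                "readme", "text", "text_document", "textdocument"}
ARCHIVE_OR_EXE = {".exe", ".pif", ".zip", ".rar"}
IMAGE_EXTS = {".bmp", ".jpg", ".gif"}
GREETING_RE = re.compile(
    r"^(?:dear user of|hello user of|dear user, the management of)\s+([\w.-]+)",
    re.IGNORECASE | re.MULTILINE)
PASSWORD_RE = re.compile(r"\bpass(?:word)?\b\s*[:-]", re.IGNORECASE)


def _split_name(filename):
    """Return (stem, extension) in lower case; extension includes the dot."""
    stem, dot, ext = filename.rpartition(".")
    return (stem.lower(), "." + ext.lower()) if dot else (filename.lower(), "")


def score_message(raw):
    """Return the template indicators a message matches and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()

    from_local, _, from_domain = utils.parseaddr(msg.get("From", ""))[1].rpartition("@")
    to_domain = utils.parseaddr(msg.get("To", ""))[1].rpartition("@")[2]
    # Spoofed From: a template local-part on the recipient's own domain.
    if (from_local.lower() in FROM_LOCAL_PARTS and from_domain
            and from_domain.lower() == to_domain.lower()):
        hits.add("from_template")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.add("subject_template")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    m = GREETING_RE.search(body)
    if m and m.group(1).lower() == to_domain.lower():
        hits.add("greeting_domain")

    has_image = False
    for part in msg.iter_attachments():
        stem, ext = _split_name(part.get_filename() or "")
        if ext in ARCHIVE_OR_EXE and stem in ATTACH_STEMS:
            hits.add("attachment_template")
        if ext in IMAGE_EXTS:
            has_image = True
    if PASSWORD_RE.search(body):
        hits.add("password_in_image" if has_image else "password_in_body")

    # Verdict: the attachment plus at least two further template matches.
    return {"indicators": sorted(hits),
            "verdict": "attachment_template" in hits and len(hits) >= 3}


def build_sample():
    """Constructed message mimicking the template; the attachment bytes are inert."""
    m = EmailMessage()
    m["From"] = "support@example.org"
    m["To"] = "alice@example.org"
    m["Subject"] = "Re: Incoming Fax"
    m.set_content(
        "Dear user of example.org,\n\n"
        "Your e-mail account has been temporary disabled\n"
        "because of unauthorized access.\n"
        "For details see the attached file.\n\nPassword: 41325\n\n"
        "Sincerely,\nThe example.org team   http://www.example.org\n")
    m.add_attachment(b"PK\x03\x04 placeholder, not a real archive",
                     maintype="application", subtype="zip", filename="Details.zip")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message for comparison."""
    m = EmailMessage()
    m["From"] = "bob@example.net"
    m["To"] = "alice@example.org"
    m["Subject"] = "Lunch on Friday?"
    m.set_content("Hi Alice, are you free at noon?\n")
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
    print(score_message(build_benign()))
```

The check deliberately requires the attachment indicator: the subject and body strings alone are generic enough to appear in legitimate administrative mail, whereas a listed attachment name with one of the four extensions is the part a mail gateway can act on.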

The virus copies itself into the Windows System directory as WINUPD.EXE. For example:

  • C:\WINNT\SYSTEM32\WINUPD.EXE

It also creates two files, WINUPD.EXEOPEN and WINUPD.EXEOPENOPEN, which may be either another copy of itself or a ZIP or RAR file to be sent in email. It may also create a further file, WINUPD.EXEOPENOPENOPEN, an image file containing the password.

    The following Registry key is added to hook system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winupd.exe" = C:\WINNT\SYSTEM32\winupd.exe

    An additional key is created as well:

    • HKEY_CURRENT_USER\Software\winupd

    The worm uses an icon that makes the file appear to be a true-type font.

    This worm attempts to terminate the processes of programs with the following filenames:

    • AGENTSVR.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • APVXDWIN.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • au.exe
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVCONSOL.EXE
    • AVGSERV9.EXE
    • AVLTMAIN.EXE
    • AVprotect9x.exe
    • AVPUPD.EXE
    • AVSYNMGR.EXE
    • AVWUPD32.EXE
    • AVXQUAR.EXE
    • BD_PROFESSIONAL.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • BOOTWARN.EXE
    • BORG2.EXE
    • BS120.EXE
    • CDP.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • CLEANPC.EXE
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CPD.EXE
    • CPF9X206.EXE
    • CPFNT206.EXE
    • CV.EXE
    • CWNB181.EXE
    • CWNTDWMO.EXE
    • d3dupdate.exe
    • DEFWATCH.EXE
    • DEPUTY.EXE
    • DPF.EXE
    • DPFSETUP.EXE
    • DRWATSON.EXE
    • DRWEBUPW.EXE
    • ENT.EXE
    • ESCANH95.EXE
    • ESCANHNT.EXE
    • ESCANV95.EXE
    • EXANTIVIRUS-CNET.EXE
    • FAST.EXE
    • FIREWALL.EXE
    • FLOWPROTECTOR.EXE
    • FP-WIN_TRIAL.EXE
    • FRW.EXE
    • FSAV.EXE
    • FSAV530STBYB.EXE
    • FSAV530WTBYB.EXE
    • FSAV95.EXE
    • GBMENU.EXE
    • GBPOLL.EXE
    • GUARD.EXE
    • GUARDDOG.EXE
    • HACKTRACERSETUP.EXE
    • HTLOG.EXE
    • HWPE.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFW2000.EXE
    • IPARMOR.EXE
    • IRIS.EXE
    • JAMMER.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KILLPROCESSSETUP161.EXE
    • LDPRO.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • LSETUP.EXE
    • LUALL.EXE
    • LUCOMSERVER.EXE
    • LUINIT.EXE
    • MCAGENT.EXE
    • MCUPDATE.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MOOLIVE.EXE
    • MRFLUX.EXE
    • MSCONFIG.EXE
    • MSINFO32.EXE
    • MSSMMC32.EXE
    • MU0311AD.EXE
    • NAV80TRY.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NETARMOR.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSTAT.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • NSCHED32.EXE
    • NTVDM.EXE
    • NUPGRADE.EXE
    • NVARCH16.EXE
    • NWINST4.EXE
    • NWTOOL16.EXE
    • OSTRONET.EXE
    • OUTPOST.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • PAVPROXY.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • PDSETUP.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PF2.EXE
    • PFWADMIN.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PROCEXPLORERV1.0.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • PURGE.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • RAV8WIN32ENG.EXE
    • REGEDIT.EXE
    • REGEDT32.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • SAFEWEB.EXE
    • SBSERV.EXE
    • SD.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SMC.EXE
    • SOFI.EXE
    • SPF.EXE
    • SPHINX.EXE
    • SPYXX.EXE
    • SS3EDIT.EXE
    • ST2.EXE
    • SUPFTRL.EXE
    • SUPPORTER5.EXE
    • SYMPROXYSVC.EXE
    • SYSEDIT.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TAUSCAN.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TDS-3.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TRACERT.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • UNDOBOOT.EXE
    • UPDATE.EXE
    • VBCMSERV.EXE
    • VBCONS.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VFSETUP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCENU6.02D30.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WEBSCANX.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • WINRECON.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WRCTRL.EXE
    • WSBGATE.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZAUINST.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE

    The worm opens TCP port 2556 on the victim machine.

    After Dec 31, 2005, the worm deactivates itself by deleting its registry run key.
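To make the host indicators above concrete, here is an added Python triage routine (this example's own, not a McAfee tool) that works offline on artefacts collected from a suspect machine: a .reg export of the two registry keys, the text output of `netstat -an`, and a `dir /b` listing of the System directory. It also applies the caveat that follows from the deactivation date: after 31 Dec 2005 the run key is gone, so its absence alone does not clear the host. The inputs below are constructed samples.

```python
"""Offline triage of collected host artefacts for the indicators described above."""
from datetime import date

# Registry locations from the description (compared in lower case).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\winupd"
DROPPED_FILES = {"winupd.exe", "winupd.exeopen", "winupd.exeopenopen",
                 "winupd.exeopenopenopen"}
BACKDOOR_PORT = 2556
DEACTIVATION_DATE = date(2005, 12, 31)  # the run key is deleted after this date


def parse_reg_export(text):
    """Parse a .reg export into {key (lower case): {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double the backslashes inside quoted string data.
            keys[current][name.strip('"').lower()] = (
                data.strip().strip('"').replace("\\\\", "\\"))
    return keys


def listening_tcp_ports(netstat_text):
    """Extract locally listening TCP ports from Windows 'netstat -an' output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if (len(fields) >= 4 and fields[0].upper() == "TCP"
                and fields[3].upper() == "LISTENING"):
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def triage(reg_export, netstat_text, system_dir_files, today=None):
    """Combine the registry, port and file indicators into one verdict."""
    today = date.fromisoformat(today) if today else date.today()
    keys = parse_reg_export(reg_export)
    findings, notes = [], []

    run_values = keys.get(RUN_KEY, {})
    if "winupd.exe" in run_values:
        findings.append("startup hook: Run value winupd.exe = " + run_values["winupd.exe"])
    elif today > DEACTIVATION_DATE:
        notes.append("no Run value, but the worm deletes it after 2005-12-31; "
                     "rely on the file and port checks")
    if MARKER_KEY in keys:
        findings.append("marker key present: HKEY_CURRENT_USER\\Software\\winupd")

    dropped = sorted(f for f in system_dir_files if f.lower() in DROPPED_FILES)
    if dropped:
        findings.append("dropped files in system directory: " + ", ".join(dropped))
    if BACKDOOR_PORT in listening_tcp_ports(netstat_text):
        findings.append("TCP port %d is listening" % BACKDOOR_PORT)

    return {"infected": bool(findings), "findings": findings, "notes": notes}


# Constructed samples standing in for artefacts exported from a suspect host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winupd.exe"="C:\\WINNT\\SYSTEM32\\winupd.exe"

[HKEY_CURRENT_USER\Software\winupd]
'''

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2556           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:25            ESTABLISHED
"""

SAMPLE_SYSTEM_DIR = ["kernel32.dll", "WINUPD.EXE", "WINUPD.EXEOPEN", "notepad.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_SYSTEM_DIR, today="2004-03-15"))
```

Because the parasitic infector also adds roughly 21 KB to .EXE files, a clean verdict from this routine should still be followed by a scan with the engine and DAT versions listed at the top of the description.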

    Symptoms

    • Outgoing messages matching the described characteristics
    • Files/Registry keys as described
    • Increase in filesize of .EXE files by approx. 21kb
    • System listening on TCP Port 2556

    Method of Infection

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .adb
    • .asp
    • .cfg
    • .cgi
    • .dbx
    • .dhtm
    • .eml
    • .htm
    • .jsp
    • .mbx
    • .mdx
    • .mht
    • .mmf
    • .msg
    • .nch
    • .ods
    • .oft
    • .php
    • .pl
    • .sht
    • .shtm
    • .stm
    • .tbb
    • .txt
    • .uin
    • .wab
    • .wsh
    • .xls
    • .xml

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • @avp.
    • @foo
    • @hotmail.com
    • @iana
    • @messagelab
    • @microsoft
    • @msn
    • abuse
    • admin
    • anyone@
    • bsd
    • bugs@
    • cafee
    • certific
    • contract@
    • feste
    • free-av
    • f-secur
    • gold-certs@
    • google
    • help@
    • icrosoft
    • info@
    • kasp
    • linux
    • listserv
    • local
    • nobody@
    • noone@
    • noreply
    • ntivi
    • panda
    • pgp
    • postmaster@
    • rating@
    • root@
    • samples
    • sopho
    • spam
    • support
    • unix
    • winrar
    • winzip

    Peer To Peer Propagation

    Files are created in folders that contain the phrase "shar":

    • ACDSee 9.exe
    • Adobe Photoshop 9 full.exe
    • Ahead Nero 7.exe
    • Matrix 3 Revolution English Subtitles.exe
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Opera 8 New!.exe
    • Porno pics arhive, xxx.exe
    • Porno Screensaver.scr
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Serials.txt.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • WinAmp 6 New!.exe
    • Windown Longhorn Beta Leak.exe
    • Windows Sourcecode update.doc.exe
    • XXX hardcore images.exe

    Remote Access Component

    The virus listens on TCP port 2556 for remote connections.

    Removal

    All Users
    Use the specified engine and DAT files (or later) for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Stinger
    Stinger has been updated to assist in detecting and repairing this threat.

    McAfee Threatscan
    ThreatScan signatures that can detect the W32/Bagle.n@MM virus are available from:

    ThreatScan Signature version: 2004-03-15

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

    • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

    -or-

    • Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:

    Run the "ThreatScan Template Report"
    Look for module number #4071

    McAfee Desktop Firewall
    To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 2556.

    Sniffer® Technologies
    Since this is a mass-mailing virus only and does not have any remote component, and because the offsets of the Subject, Mail From and attachment fields vary between the emails the virus generates, we cannot create a Sniffer filter for this virus.
    Recommendation for customers:

    1) Create a capture profile with Capture on only SMTP traffic.
    2) Analyze the traffic for Subject, Mail To, and Attachments in the Decode mentioned in this description to identify if there is a virus propagating from specific IP's.
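As an added example of the recommendation above (this is not a Sniffer filter and not McAfee code), the Python routine below aggregates decoded SMTP records per source IP. It assumes a constructed tab-separated export with source IP, MAIL FROM, RCPT TO and attachment file name; a host that repeatedly sends a listed sender local-part on the recipient's own domain with an .EXE/.PIF/.ZIP/.RAR attachment, while rotating its spoofed sender, is flagged as the propagating machine. The threshold and the field layout are this example's assumptions.

```python
"""Aggregate SMTP capture records per source IP to find the propagating host."""
from collections import defaultdict

# Sender local-parts and attachment extensions from the description above.
TEMPLATE_SENDERS = {"management", "administration", "staff", "noreply", "support"}
RISKY_EXTS = (".exe", ".pif", ".zip", ".rar")

# Constructed records: source IP, MAIL FROM, RCPT TO, attachment filename.
# A real export would come from the capture tool's SMTP decode.
SAMPLE_RECORDS = """\
10.1.1.25\tsupport@example.org\talice@example.org\tDetails.zip
10.1.1.25\tmanagement@example.org\tbob@example.org\tMessage.exe
10.1.1.25\tnoreply@partner.test\tcarol@partner.test\tInfo.rar
10.1.1.25\tstaff@example.org\tdave@example.org\tReadme.pif
10.1.1.40\tjane@example.org\tbob@example.org\treport-q1.xlsx
10.1.1.40\tjane@example.org\tcarol@partner.test\tagenda.txt
"""


def parse_records(text):
    """Yield (src_ip, mail_from, rcpt_to, attachment) from the tab-separated export."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, mail_from, rcpt, attach = line.split("\t")
        yield src, mail_from.lower(), rcpt.lower(), attach


def looks_templated(mail_from, rcpt, attach):
    """True when the sender is a listed local-part spoofed on the recipient's domain
    and the attachment carries one of the four risky extensions."""
    local, _, domain = mail_from.rpartition("@")
    spoofed = local in TEMPLATE_SENDERS and domain == rcpt.rpartition("@")[2]
    return spoofed and attach.lower().endswith(RISKY_EXTS)


def suspicious_sources(text, min_hits=3):
    """Per source IP: message counts, fan-out, and a flag for worm-like behaviour."""
    stats = defaultdict(lambda: {"messages": 0, "templated": 0,
                                 "senders": set(), "recipients": set()})
    for src, mail_from, rcpt, attach in parse_records(text):
        s = stats[src]
        s["messages"] += 1
        s["senders"].add(mail_from)
        s["recipients"].add(rcpt)
        if looks_templated(mail_from, rcpt, attach):
            s["templated"] += 1

    report = {}
    for src, s in stats.items():
        # A worm-driven host rotates its spoofed sender while fanning out to
        # many recipients; a legitimate user keeps one sender address.
        flagged = s["templated"] >= min_hits and len(s["senders"]) > 1
        report[src] = {"messages": s["messages"], "templated": s["templated"],
                       "distinct_senders": len(s["senders"]),
                       "distinct_recipients": len(s["recipients"]),
                       "flagged": flagged}
    return report


if __name__ == "__main__":
    for ip, row in suspicious_sources(SAMPLE_RECORDS).items():
        print(ip, row)
```

The per-IP view is what the capture recommendation is after: the individual messages vary too much in layout for a static filter, but the sending host, the changing MAIL FROM on its own domain and the recipient fan-out are stable from the network side.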

    Variants

      N/A

    Overview

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Aliases

    • PE_BAGLE.N-O (Trend)
    • W32.Beagle.M@mm (Symantec)
    • W32/Bagle.n!pwdrar (McAfee)
    • W32/Bagle.n!pwdzip (McAfee)
    • W32/Bagle.P@mm (F-Secure)
