W32/Bagle.q@MM

Content

W32/Bagle.q@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 03/17/2004
Length: 25,600 Bytes
Minimum DAT: 4340 (03/22/2004)
Updated DAT: 5090 (08/03/2007)
Minimum Engine: 5.1.00
Description Added: 03/17/2004
Description Modified: 03/30/2004 6:13 PM (PT)

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled

Tab Navigation

Characteristics

-- Update March 18th 2004 06:45 PST --
The majority of the 590 IP addresses seen have been closed down. At the time of writing 39 were still responding

-- Update March 18th 2004 04:25 PST --
This threat has been deemed Low-Profiled due to media attention at the following site:

www.emedia.com.my/Current_News/NST/Thursday/NewsBreak/
20040318174911/Article/indexb_html
--

This W32/Bagle variant bears the following characteristics:

contains its own SMTP engine to construct outgoing messages
This virus spreads by sending a seemingly blank email. This email uses a Microsoft vulnerability found in security bulletin MS03-032 to download the worm on port 81 without requiring user intervention/action
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
encrypted polymorphic parasitic file infector

Proactive Detection

This virus is detected as a trojan or variant New Malware.b when scanning with the 4339 DATs or greater, with program heuristics and the scanning of compressed files enabled.

Parasitically infected files are detected as virus or variant W32/Bagle with the 4338 DATs (or greater).

The script components that are downloaded (via previewing the email message) are detected as VBS/Psyme with the 4306 DATs or greater.

Infection Mechansim

Emails are constructed to take advantage of the Object Tag vulnerability in Internet Explorer. Thus upon viewing an email, a remote HTML file is downloaded from port 81 of a remote machine.

The HTML file drops a VBS script (Q.VBS), which is responsible for downloading the worm (as SM.EXE ) from a remote machine (port 81). The script then runs SM.EXE.

Mail Propagation

The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification.

NOTE: The virus has the ability to propagate via email containing hidden HTML code. The message would appear to be blank upon previewing it. These emails do not contain a binary attachment, but utilize a known Microsoft vulnerability to download the virus from the remote sites.

The details are as follows:

From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

management@
administration@
staff@
noreply@
support@
antivirus@
antispam@

Subject:

Password: %s
Pass - %s
Password - %s
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
E-mail technical support message.
E-mail technical support warning.
Email report
Important notify
Account notify
E-mail warning
Notify from e-mail technical support.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document

Attachment: (no attachment)

The worm uses the Object Tag vulnerability in Internet Explorer, which allows for the writing and overwriting of local files by exploiting the ADODB.Stream object. A remote file (random_name.php ) is downloaded upon viewing the email message. This file is actually a HTML file containing a VBS script, and it is detected as VBS/Psyme with the 4306 DATs or greater. When run, this script creates another VBS script (Q.VBS) - again detected as VBS/Psyme - which is responsible for downloading the worm from one of the following IP addresses.

12.202.237.159
12.215.146.21
12.216.112.116
12.216.240.162
12.217.207.113
12.219.25.124
12.220.67.12
12.221.150.192
12.221.192.229
12.221.80.25
12.222.118.236
12.222.216.56
12.222.223.242
12.222.81.119
129.107.101.93
129.81.227.184
129.81.239.139
129.81.75.32
130.160.206.10
134.193.180.26
134.50.87.32
137.165.219.59
138.87.144.111
138.87.209.62
138.87.210.7
140.112.241.234
140.112.251.34
140.112.251.51
140.113.138.95
143.248.22.233
147.46.120.105
155.230.106.164
161.45.171.210
161.45.198.133
161.45.198.45
161.45.199.50
161.45.215.114
161.45.234.125
161.45.234.98
161.45.244.66
161.45.250.216
161.45.250.223
161.45.251.88
163.180.61.70
163.25.105.29
165.134.174.100
165.134.175.146
165.134.187.102
165.134.30.63
166.104.223.58
168.115.122.139
169.230.73.208
169.233.34.17
169.233.42.189
171.64.213.173
172.143.140.211
172.196.216.67
172.197.45.246
172.197.69.221
172.200.104.47
172.203.155.47
198.248.37.116
198.68.133.112
199.89.229.122
200.101.91.212
200.104.204.116
200.104.53.10
200.106.79.77
200.141.160.239
200.198.90.156
200.207.166.42
200.90.107.104
200.95.37.195
200.97.29.200
202.173.152.26
203.144.159.170
203.219.71.118
203.231.71.197
203.234.156.71
203.240.148.136
203.242.178.110
203.249.87.7
203.253.16.44
203.45.29.117
203.88.49.225
204.210.188.229
205.251.211.14
208.180.134.153
208.180.218.171
209.121.80.213
209.184.177.157
209.34.41.11
210.118.250.163
210.183.30.212
210.6.164.134
210.6.227.251
210.98.252.110
211.108.217.117
211.110.113.191
211.118.218.66
211.119.23.91
211.172.200.60
211.173.187.106
211.181.1.68
211.183.53.227
211.187.219.40
211.212.208.181
211.232.110.5
211.232.133.37
211.232.21.22
211.232.62.42
211.235.15.144
211.238.196.72
211.238.255.228
211.238.34.233
211.239.146.171
211.242.155.146
211.28.70.2
211.41.226.61
211.53.97.155
211.61.219.190
212.179.117.105
212.179.123.227
212.186.190.35
212.199.219.202
213.245.10.105
213.61.149.46
216.194.46.105
217.132.15.130
217.132.67.18
217.132.96.143
218.144.174.55
218.154.213.158
218.190.180.211
218.237.249.200
218.239.156.233
218.50.182.87
218.76.5.84
219.15.112.80
219.251.73.78
221.153.61.232
24.1.58.14
24.10.136.202
24.100.74.92
24.108.113.7
24.108.129.22
24.108.132.127
24.108.5.170
24.108.56.176
24.108.86.144
24.112.235.36
24.116.169.77
24.116.90.197
24.118.56.142
24.126.155.29
24.126.173.31
24.127.40.168
24.128.95.254
24.13.109.43
24.13.183.226
24.13.59.97
24.136.216.177
24.140.15.74
24.141.7.244
24.141.73.22
24.143.7.15
24.144.27.24
24.145.164.9
24.151.169.217
24.158.12.215
24.158.137.74
24.159.124.119
24.16.92.57
24.161.209.227
24.164.64.122
24.167.26.11
24.169.251.65
24.17.34.241
24.170.46.177
24.171.136.45
24.175.21.96
24.175.229.21
24.175.69.29
24.176.237.71
24.18.242.25
24.18.95.76
24.19.162.244
24.192.223.75
24.196.122.147
24.197.136.125
24.198.88.152
24.199.114.218
24.2.83.15
24.20.149.122
24.200.102.240
24.205.176.236
24.205.69.15
24.206.67.189
24.208.68.178
24.209.101.61
24.211.189.223
24.214.104.3
24.214.134.51
24.217.143.14
24.220.189.61
24.221.14.188
24.222.194.255
24.222.206.245
24.224.236.131
24.229.92.78
24.231.156.251
24.231.202.33
24.239.210.203
24.240.149.119
24.241.201.198
24.243.229.252
24.247.174.252
24.27.129.115
24.27.133.249
24.28.137.137
24.3.166.162
24.30.126.179
24.31.122.240
24.36.28.176
24.37.5.17
24.4.224.28
24.4.232.3
24.43.61.0
24.44.197.9
24.49.135.147
24.5.193.106
24.5.4.197
24.50.137.152
24.50.29.51
24.53.19.250
24.54.12.106
24.55.225.61
24.57.46.14
24.6.169.94
24.6.197.40
24.6.210.51
24.6.249.209
24.64.159.239
24.64.84.125
24.64.92.129
24.65.11.109
24.65.16.117
24.67.188.215
24.68.56.236
24.7.147.3
24.7.172.139
24.7.189.204
24.77.134.52
24.77.64.27
24.77.72.167
24.78.141.182
24.78.149.10
24.78.164.182
24.79.172.120
24.8.177.96
24.80.196.225
24.81.159.145
24.82.133.226
24.82.50.69
24.84.218.164
24.99.22.178
35.11.176.84
4.10.74.131
4.11.105.135
4.12.35.57
4.12.7.76
4.13.73.34
4.34.197.197
4.40.36.41
4.42.98.96
4.43.153.130
4.46.131.126
4.46.64.9
4.47.121.110
4.5.128.188
4.5.57.133
4.5.70.191
4.60.187.66
4.61.145.14
4.62.78.87
4.63.180.225
4.65.12.31
4.65.54.16
4.65.60.210
4.8.132.136
4.8.164.62
4.8.204.152
4.8.227.139
4.8.40.57
61.102.189.120
61.105.239.10
61.106.201.149
61.250.126.203
61.33.146.212
61.33.146.213
61.33.200.42
61.34.187.178
61.37.174.163
61.37.174.199
61.40.0.235
61.40.158.237
61.59.189.62
61.93.167.227
61.97.114.91
61.97.116.142
61.97.116.199
61.99.86.117
62.215.83.153
63.203.156.220
63.205.32.83
64.160.201.183
65.100.122.132
65.165.186.160
65.167.185.189
65.167.185.90
65.28.19.47
65.29.98.241
65.33.202.194
65.33.90.68
65.37.55.128
65.38.16.127
65.50.143.163
65.68.100.34
65.69.84.202
65.71.33.251
65.73.134.209
65.94.151.100
66.112.231.113
66.131.140.145
66.131.25.57
66.169.229.186
66.169.239.220
66.169.99.119
66.171.141.72
66.176.82.39
66.183.208.158
66.186.231.62
66.188.120.91
66.188.128.55
66.188.89.69
66.189.203
66.189.243.51
66.190.21.77
66.190.248.234
66.191.112.44
66.205.114.167
66.214.142.6
66.214.189.27
66.214.195.108
66.229.45.187
66.233.129.107
66.233.155.49
66.233.165.201
66.233.191.250
66.233.213.161
66.233.95.30
66.237.50.87
66.244.94.156
66.26.169.4
66.27.228.114
66.42.182.72
66.69.123.222
66.74.198.156
66.75.155.232
66.75.17.32
66.75.24.158
66.75.37.186
66.75.59.118
66.76.163.129
66.76.164.90
66.76.170.157
66.76.232.136
66.76.93.246
67.121.104.43
67.124.198.68
67.127.159.47
67.160.147.136
67.160.195.8
67.160.198.206
67.162.155.185
67.164.60.106
67.165.246.134
67.166.112.180
67.166.116.241
67.167.220.130
67.168.218.238
67.168.68.197
67.169.13.236
67.169.173.204
67.169.96.37
67.170.102.147
67.170.234.126
67.170.75.107
67.171.157.22
67.171.230.94
67.171.232.77
67.173.189.14
67.21.120.2
67.21.121.138
67.22.58.130
67.23.100.10
67.38.163.3
67.85.50.79
68.1.129.228
68.1.230.192
68.1.50.140
68.101.79.59
68.104.209.10
68.104.56.100
68.105.33.166
68.105.85.123
68.107.106.192
68.107.117.224
68.107.160.181
68.107.23.153
68.108.221.107
68.108.244.137
68.108.38.85
68.108.71.199
68.108.86.222
68.108.87.23
68.109.112.215
68.109.59.152
68.11.20.245
68.11.231.35
68.110.193.49
68.110.233.209
68.111.111.21
68.111.114.197
68.111.142.202
68.111.227.235
68.112.157.153
68.112.237.76
68.112.41.132
68.112.62.74
68.112.95.217
68.113.116.229
68.114.210.200
68.115.187.234
68.115.29.29
68.115.30.218
68.117.154.162
68.117.173.26
68.117.22.95
68.117.38.11
68.117.95.121
68.118.129.55
68.12.121.62
68.12.247.212
68.125.87.202
68.13.251.234
68.144.233.139
68.146.118.63
68.146.243.2
68.147.143.109
68.166.243.84
68.168.94.149
68.170.17.36
68.170.181.167
68.184.176.94
68.185.188.71
68.185.197.137
68.186.232.171
68.186.66.7
68.187.130.183
68.190.187.201
68.190.193.38
68.191.112.60
68.191.167.13
68.192.84.91
68.192.91.148
68.2.146.130
68.2.152.187
68.2.42.253
68.2.62.45
68.204.159.112
68.216.86.218
68.224.59.153
68.225.201.103
68.226.106.73
68.226.111.123
68.226.115.34
68.226.177.26
68.226.239.60
68.227.186.212
68.227.241.174
68.228.251.128
68.229.167.54
68.230.122.66
68.231.195.220
68.232.246.172
68.233.220.107
68.233.252.115
68.235.202.221
68.237.200.40
68.252.32.138
68.3.254.32
68.3.44.3
68.34.220.187
68.35.103.160
68.35.121.2
68.35.224.139
68.36.232.127
68.37.169.47
68.39.46.56
68.4.132.83
68.4.141.91
68.44.88.77
68.47.231.161
68.53.48.42
68.54.230.26
68.57.198.31
68.59.154.1
68.6.144.228
68.6.147.151
68.66.185.120
68.67.237.226
68.68.11.214
68.68.234.206
68.68.62.207
68.68.89.75
68.69.36.178
68.7.10.127
68.7.236.131
68.7.81.58
68.70.159.61
68.70.223.96
68.71.178.246
68.71.49.106
68.74.0.199
68.8.235.18
68.82.50.111
68.86.78.110
68.93.142.163
68.95.8.238
68.96.223.162
68.97.129.68
68.97.142.228
68.97.173.250
68.98.112.181
68.98.227.165
68.99.215.211
68.99.249.177
69.1.37.189
69.10.112.107
69.110.157.161
69.111.16.229
69.136.225.26
69.139.77.172
69.14.104.57
69.144.12.133
69.144.149.52
69.145.209.32
69.145.5.96
69.148.181.109
69.162.48.40
69.162.96.67
69.164.155.152
69.166.213.52
69.167.108.94
69.22.120.32
69.6.166.59
69.60.233.135
69.70.69.182
69.73.3.176
69.75.9.43
69.81.7.189
69.91.20.103
80.179.200.104
80.179.219.132
80.179.65.245
80.179.68.229
80.218.158.253
80.230.249.213
80.232.135.3
80.236.115.113
81.198.131.233
81.202.79.224
81.56.53.160
82.140.134.77
82.166.167.26
82.166.89.229
82.36.67.41
82.67.116.34
83.130.228.36

Installation

When run, the worm installs itself into the Windows System directory as DIRECTS.EXE, for example

C:\WINNT\SYSTEM32\DIRECTS.EXE

The following Registry key is added:

HKEY_CURRENT\_USER\Software\windirects

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "directs.exe" = C:\WINNT\SYSTEM32\directs.exe

The worm uses the following icon to disguise itself:

This worm attempts to terminate the process of programs with the the following filenames:

CLEANER3.EXE
au.exe
d3dupdate.exe
CLEANPC.EXE
AVprotect9x.exe
CMGRDIAN.EXE
CMON016.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
ICSSUPPNT.EXE
DEFWATCH.EXE
DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
ENT.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ESCANV95.EXE
AVPUPD.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
AUTODOWN.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
ATUPDATER.EXE
AUPDATE.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
BORG2.EXE
BS120.EXE
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
AUTOUPDATE.EXE
CFINET.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
AUTOTRACE.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NVARCH16.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
OUTPOST.EXE
CFIAUDIT.EXE
LUCOMSERVER.EXE
AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATWATCH.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVSYNMGR.EXE
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
DRWEBUPW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
AVLTMAIN.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
AVWUPD32.EXE
NUPGRADE.EXE
WHOSWATCHINGME.EXE
WINRECON.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
REGEDT32.EXE
REGEDIT.EXE
UPDATE.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
ST2.EXE
SUPFTRL.EXE
LUALL.EXE
SUPPORTER5.EXE
SYMPROXYSVC.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TAUSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
UNDOBOOT.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VFSETUP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCENU6.02D30.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBSCANX.EXE
CFIAUDIT.EXE
CFINET.EXE
ICSUPP95.EXE
MCUPDATE.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE

Parasitic File Infection

The worm searches the local drives for *.EXE files and appends them with its own encrypted code. The infected file sizes increases by approximately 26KB. The date stamp for these files are updated as well.

After Dec 31, 2005, the worm deactivates itself by deleting its registry run key.

Symptoms

Outgoing messages matching the described characteristics
Files/Registry keys as described
Increase in filesize of .EXE files by approx. 45Kb
The worm opens the following TCP ports on the victim machine:
- 81
- 2556
Presence of the following files in the %SysDir% folder:
- directs.exe (25,600 bytes)
- directs.exeopen (26,807 bytes)

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The virus avoids sending itself to addresses containing the following strings:

@hotmail
@msn
@microsoft
rating@
f-secur
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoftsupport
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelabwinzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Peer-to-Peer propagation

Files are created in folders that contain the phrase shar :

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Removal

All Users :
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Detection for the email message containing the exploit is included (for gateway products and the email scan plugins in point products) as W32/Bagle.eml!mso3-032 .

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

W32/Bagle.eml!ms03-032

Characteristics

Characteristics -

-- Update March 18th 2004 06:45 PST --
The majority of the 590 IP addresses seen have been closed down. At the time of writing 39 were still responding

This W32/Bagle variant bears the following characteristics:

contains its own SMTP engine to construct outgoing messages
This virus spreads by sending a seemingly blank email. This email uses a Microsoft vulnerability found in security bulletin MS03-032 to download the worm on port 81 without requiring user intervention/action
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
encrypted polymorphic parasitic file infector

Proactive Detection

This virus is detected as a trojan or variant New Malware.b when scanning with the 4339 DATs or greater, with program heuristics and the scanning of compressed files enabled.

Parasitically infected files are detected as virus or variant W32/Bagle with the 4338 DATs (or greater).

The script components that are downloaded (via previewing the email message) are detected as VBS/Psyme with the 4306 DATs or greater.

Infection Mechansim

Emails are constructed to take advantage of the Object Tag vulnerability in Internet Explorer. Thus upon viewing an email, a remote HTML file is downloaded from port 81 of a remote machine.

The HTML file drops a VBS script (Q.VBS), which is responsible for downloading the worm (as SM.EXE ) from a remote machine (port 81). The script then runs SM.EXE.

Mail Propagation

The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification.

The details are as follows:

From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

management@
administration@
staff@
noreply@
support@
antivirus@
antispam@

Subject:

Password: %s
Pass - %s
Password - %s
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
E-mail technical support message.
E-mail technical support warning.
Email report
Important notify
Account notify
E-mail warning
Notify from e-mail technical support.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document

Attachment: (no attachment)

12.202.237.159
12.215.146.21
12.216.112.116
12.216.240.162
12.217.207.113
12.219.25.124
12.220.67.12
12.221.150.192
12.221.192.229
12.221.80.25
12.222.118.236
12.222.216.56
12.222.223.242
12.222.81.119
129.107.101.93
129.81.227.184
129.81.239.139
129.81.75.32
130.160.206.10
134.193.180.26
134.50.87.32
137.165.219.59
138.87.144.111
138.87.209.62
138.87.210.7
140.112.241.234
140.112.251.34
140.112.251.51
140.113.138.95
143.248.22.233
147.46.120.105
155.230.106.164
161.45.171.210
161.45.198.133
161.45.198.45
161.45.199.50
161.45.215.114
161.45.234.125
161.45.234.98
161.45.244.66
161.45.250.216
161.45.250.223
161.45.251.88
163.180.61.70
163.25.105.29
165.134.174.100
165.134.175.146
165.134.187.102
165.134.30.63
166.104.223.58
168.115.122.139
169.230.73.208
169.233.34.17
169.233.42.189
171.64.213.173
172.143.140.211
172.196.216.67
172.197.45.246
172.197.69.221
172.200.104.47
172.203.155.47
198.248.37.116
198.68.133.112
199.89.229.122
200.101.91.212
200.104.204.116
200.104.53.10
200.106.79.77
200.141.160.239
200.198.90.156
200.207.166.42
200.90.107.104
200.95.37.195
200.97.29.200
202.173.152.26
203.144.159.170
203.219.71.118
203.231.71.197
203.234.156.71
203.240.148.136
203.242.178.110
203.249.87.7
203.253.16.44
203.45.29.117
203.88.49.225
204.210.188.229
205.251.211.14
208.180.134.153
208.180.218.171
209.121.80.213
209.184.177.157
209.34.41.11
210.118.250.163
210.183.30.212
210.6.164.134
210.6.227.251
210.98.252.110
211.108.217.117
211.110.113.191
211.118.218.66
211.119.23.91
211.172.200.60
211.173.187.106
211.181.1.68
211.183.53.227
211.187.219.40
211.212.208.181
211.232.110.5
211.232.133.37
211.232.21.22
211.232.62.42
211.235.15.144
211.238.196.72
211.238.255.228
211.238.34.233
211.239.146.171
211.242.155.146
211.28.70.2
211.41.226.61
211.53.97.155
211.61.219.190
212.179.117.105
212.179.123.227
212.186.190.35
212.199.219.202
213.245.10.105
213.61.149.46
216.194.46.105
217.132.15.130
217.132.67.18
217.132.96.143
218.144.174.55
218.154.213.158
218.190.180.211
218.237.249.200
218.239.156.233
218.50.182.87
218.76.5.84
219.15.112.80
219.251.73.78
221.153.61.232
24.1.58.14
24.10.136.202
24.100.74.92
24.108.113.7
24.108.129.22
24.108.132.127
24.108.5.170
24.108.56.176
24.108.86.144
24.112.235.36
24.116.169.77
24.116.90.197
24.118.56.142
24.126.155.29
24.126.173.31
24.127.40.168
24.128.95.254
24.13.109.43
24.13.183.226
24.13.59.97
24.136.216.177
24.140.15.74
24.141.7.244
24.141.73.22
24.143.7.15
24.144.27.24
24.145.164.9
24.151.169.217
24.158.12.215
24.158.137.74
24.159.124.119
24.16.92.57
24.161.209.227
24.164.64.122
24.167.26.11
24.169.251.65
24.17.34.241
24.170.46.177
24.171.136.45
24.175.21.96
24.175.229.21
24.175.69.29
24.176.237.71
24.18.242.25
24.18.95.76
24.19.162.244
24.192.223.75
24.196.122.147
24.197.136.125
24.198.88.152
24.199.114.218
24.2.83.15
24.20.149.122
24.200.102.240
24.205.176.236
24.205.69.15
24.206.67.189
24.208.68.178
24.209.101.61
24.211.189.223
24.214.104.3
24.214.134.51
24.217.143.14
24.220.189.61
24.221.14.188
24.222.194.255
24.222.206.245
24.224.236.131
24.229.92.78
24.231.156.251
24.231.202.33
24.239.210.203
24.240.149.119
24.241.201.198
24.243.229.252
24.247.174.252
24.27.129.115
24.27.133.249
24.28.137.137
24.3.166.162
24.30.126.179
24.31.122.240
24.36.28.176
24.37.5.17
24.4.224.28
24.4.232.3
24.43.61.0
24.44.197.9
24.49.135.147
24.5.193.106
24.5.4.197
24.50.137.152
24.50.29.51
24.53.19.250
24.54.12.106
24.55.225.61
24.57.46.14
24.6.169.94
24.6.197.40
24.6.210.51
24.6.249.209
24.64.159.239
24.64.84.125
24.64.92.129
24.65.11.109
24.65.16.117
24.67.188.215
24.68.56.236
24.7.147.3
24.7.172.139
24.7.189.204
24.77.134.52
24.77.64.27
24.77.72.167
24.78.141.182
24.78.149.10
24.78.164.182
24.79.172.120
24.8.177.96
24.80.196.225
24.81.159.145
24.82.133.226
24.82.50.69
24.84.218.164
24.99.22.178
35.11.176.84
4.10.74.131
4.11.105.135
4.12.35.57
4.12.7.76
4.13.73.34
4.34.197.197
4.40.36.41
4.42.98.96
4.43.153.130
4.46.131.126
4.46.64.9
4.47.121.110
4.5.128.188
4.5.57.133
4.5.70.191
4.60.187.66
4.61.145.14
4.62.78.87
4.63.180.225
4.65.12.31
4.65.54.16
4.65.60.210
4.8.132.136
4.8.164.62
4.8.204.152
4.8.227.139
4.8.40.57
61.102.189.120
61.105.239.10
61.106.201.149
61.250.126.203
61.33.146.212
61.33.146.213
61.33.200.42
61.34.187.178
61.37.174.163
61.37.174.199
61.40.0.235
61.40.158.237
61.59.189.62
61.93.167.227
61.97.114.91
61.97.116.142
61.97.116.199
61.99.86.117
62.215.83.153
63.203.156.220
63.205.32.83
64.160.201.183
65.100.122.132
65.165.186.160
65.167.185.189
65.167.185.90
65.28.19.47
65.29.98.241
65.33.202.194
65.33.90.68
65.37.55.128
65.38.16.127
65.50.143.163
65.68.100.34
65.69.84.202
65.71.33.251
65.73.134.209
65.94.151.100
66.112.231.113
66.131.140.145
66.131.25.57
66.169.229.186
66.169.239.220
66.169.99.119
66.171.141.72
66.176.82.39
66.183.208.158
66.186.231.62
66.188.120.91
66.188.128.55
66.188.89.69
66.189.203
66.189.243.51
66.190.21.77
66.190.248.234
66.191.112.44
66.205.114.167
66.214.142.6
66.214.189.27
66.214.195.108
66.229.45.187
66.233.129.107
66.233.155.49
66.233.165.201
66.233.191.250
66.233.213.161
66.233.95.30
66.237.50.87
66.244.94.156
66.26.169.4
66.27.228.114
66.42.182.72
66.69.123.222
66.74.198.156
66.75.155.232
66.75.17.32
66.75.24.158
66.75.37.186
66.75.59.118
66.76.163.129
66.76.164.90
66.76.170.157
66.76.232.136
66.76.93.246
67.121.104.43
67.124.198.68
67.127.159.47
67.160.147.136
67.160.195.8
67.160.198.206
67.162.155.185
67.164.60.106
67.165.246.134
67.166.112.180
67.166.116.241
67.167.220.130
67.168.218.238
67.168.68.197
67.169.13.236
67.169.173.204
67.169.96.37
67.170.102.147
67.170.234.126
67.170.75.107
67.171.157.22
67.171.230.94
67.171.232.77
67.173.189.14
67.21.120.2
67.21.121.138
67.22.58.130
67.23.100.10
67.38.163.3
67.85.50.79
68.1.129.228
68.1.230.192
68.1.50.140
68.101.79.59
68.104.209.10
68.104.56.100
68.105.33.166
68.105.85.123
68.107.106.192
68.107.117.224
68.107.160.181
68.107.23.153
68.108.221.107
68.108.244.137
68.108.38.85
68.108.71.199
68.108.86.222
68.108.87.23
68.109.112.215
68.109.59.152
68.11.20.245
68.11.231.35
68.110.193.49
68.110.233.209
68.111.111.21
68.111.114.197
68.111.142.202
68.111.227.235
68.112.157.153
68.112.237.76
68.112.41.132
68.112.62.74
68.112.95.217
68.113.116.229
68.114.210.200
68.115.187.234
68.115.29.29
68.115.30.218
68.117.154.162
68.117.173.26
68.117.22.95
68.117.38.11
68.117.95.121
68.118.129.55
68.12.121.62
68.12.247.212
68.125.87.202
68.13.251.234
68.144.233.139
68.146.118.63
68.146.243.2
68.147.143.109
68.166.243.84
68.168.94.149
68.170.17.36
68.170.181.167
68.184.176.94
68.185.188.71
68.185.197.137
68.186.232.171
68.186.66.7
68.187.130.183
68.190.187.201
68.190.193.38
68.191.112.60
68.191.167.13
68.192.84.91
68.192.91.148
68.2.146.130
68.2.152.187
68.2.42.253
68.2.62.45
68.204.159.112
68.216.86.218
68.224.59.153
68.225.201.103
68.226.106.73
68.226.111.123
68.226.115.34
68.226.177.26
68.226.239.60
68.227.186.212
68.227.241.174
68.228.251.128
68.229.167.54
68.230.122.66
68.231.195.220
68.232.246.172
68.233.220.107
68.233.252.115
68.235.202.221
68.237.200.40
68.252.32.138
68.3.254.32
68.3.44.3
68.34.220.187
68.35.103.160
68.35.121.2
68.35.224.139
68.36.232.127
68.37.169.47
68.39.46.56
68.4.132.83
68.4.141.91
68.44.88.77
68.47.231.161
68.53.48.42
68.54.230.26
68.57.198.31
68.59.154.1
68.6.144.228
68.6.147.151
68.66.185.120
68.67.237.226
68.68.11.214
68.68.234.206
68.68.62.207
68.68.89.75
68.69.36.178
68.7.10.127
68.7.236.131
68.7.81.58
68.70.159.61
68.70.223.96
68.71.178.246
68.71.49.106
68.74.0.199
68.8.235.18
68.82.50.111
68.86.78.110
68.93.142.163
68.95.8.238
68.96.223.162
68.97.129.68
68.97.142.228
68.97.173.250
68.98.112.181
68.98.227.165
68.99.215.211
68.99.249.177
69.1.37.189
69.10.112.107
69.110.157.161
69.111.16.229
69.136.225.26
69.139.77.172
69.14.104.57
69.144.12.133
69.144.149.52
69.145.209.32
69.145.5.96
69.148.181.109
69.162.48.40
69.162.96.67
69.164.155.152
69.166.213.52
69.167.108.94
69.22.120.32
69.6.166.59
69.60.233.135
69.70.69.182
69.73.3.176
69.75.9.43
69.81.7.189
69.91.20.103
80.179.200.104
80.179.219.132
80.179.65.245
80.179.68.229
80.218.158.253
80.230.249.213
80.232.135.3
80.236.115.113
81.198.131.233
81.202.79.224
81.56.53.160
82.140.134.77
82.166.167.26
82.166.89.229
82.36.67.41
82.67.116.34
83.130.228.36

Installation

When run, the worm installs itself into the Windows System directory as DIRECTS.EXE, for example

C:\WINNT\SYSTEM32\DIRECTS.EXE

The following Registry key is added:

HKEY_CURRENT\_USER\Software\windirects

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "directs.exe" = C:\WINNT\SYSTEM32\directs.exe

The worm uses the following icon to disguise itself:

This worm attempts to terminate the process of programs with the the following filenames:

CLEANER3.EXE
au.exe
d3dupdate.exe
CLEANPC.EXE
AVprotect9x.exe
CMGRDIAN.EXE
CMON016.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
ICSSUPPNT.EXE
DEFWATCH.EXE
DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
ENT.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ESCANV95.EXE
AVPUPD.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
AUTODOWN.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
ATUPDATER.EXE
AUPDATE.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
BORG2.EXE
BS120.EXE
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
AUTOUPDATE.EXE
CFINET.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
AUTOTRACE.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NVARCH16.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
OUTPOST.EXE
CFIAUDIT.EXE
LUCOMSERVER.EXE
AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATWATCH.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVSYNMGR.EXE
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
DRWEBUPW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
AVLTMAIN.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
AVWUPD32.EXE
NUPGRADE.EXE
WHOSWATCHINGME.EXE
WINRECON.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
REGEDT32.EXE
REGEDIT.EXE
UPDATE.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
ST2.EXE
SUPFTRL.EXE
LUALL.EXE
SUPPORTER5.EXE
SYMPROXYSVC.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TAUSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
UNDOBOOT.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VFSETUP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCENU6.02D30.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBSCANX.EXE
CFIAUDIT.EXE
CFINET.EXE
ICSUPP95.EXE
MCUPDATE.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE

Parasitic File Infection

After Dec 31, 2005, the worm deactivates itself by deleting its registry run key.

Symptoms

Symptoms -

Outgoing messages matching the described characteristics
Files/Registry keys as described
Increase in filesize of .EXE files by approx. 45Kb
The worm opens the following TCP ports on the victim machine:
- 81
- 2556
Presence of the following files in the %SysDir% folder:
- directs.exe (25,600 bytes)
- directs.exeopen (26,807 bytes)

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

The virus avoids sending itself to addresses containing the following strings:

@hotmail
@msn
@microsoft
rating@
f-secur
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoftsupport
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelabwinzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Peer-to-Peer propagation

Files are created in folders that contain the phrase shar :

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Removal -

All Users :
Use specified engine and DAT files for detection and removal.

Detection for the email message containing the exploit is included (for gateway products and the email scan plugins in point products) as W32/Bagle.eml!mso3-032 .

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Global Sites

Need Help?

Threat Center

Segment Navigation

Section Navigation

Content

W32/Bagle.q@MM

Risk Assessment

Tab Navigation

Overview

Aliases

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Aliases

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer