W32/Bagle.t@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 03/18/2004
- Length: 25,600 bytes
- Minimum DAT: 4340 (03/22/2004)
- Updated DAT: 4727 (03/27/2006)
- Minimum Engine: 5.1.00
- Description Added: 03/18/2004
- Description Modified: 03/18/2004 1:58 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update March 18th 2004 13:55 PST --
This threat has been deemed Low-Profiled due to media attention at the following site: http://www.techweb.com/wire/story/TWB20040318S0009
--
This variant is very similar to W32/Bagle.q@MM.
Please see the Removal Instructions section for a link to the EXTRA.DAT packages.
Symptoms
Outgoing messages matching the described characteristics
Registry keys created as described below:
- HKEY_CURRENT_USER\Software\windirects
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "directs.exe" = C:\WINNT\SYSTEM32\directs.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "directs.exe" = C:\WINNT\SYSTEM32\directs.exe
Increase in file size of .EXE files by approx. 26 KB
The worm opens TCP port 2556 on the victim machine
Presence of the following files in the %Sysdir% folder:
- directs.exe (25,600 bytes)
- directs.exeopen (25,849 bytes)
Please see the description of W32/Bagle.q@MM for further details.
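The symptoms above (the windirects marker key, the directs.exe Run values, the listener on TCP 2556 and the two dropped files) can be checked from artifacts a responder has already collected from a suspect host. The following triage script is an added example and is not McAfee's code; it assumes a .reg-style export of the Run keys, the text of `netstat -an`, and a name-to-size listing of %Sysdir%, and all sample inputs in it are constructed.

```python
"""Triage check for the W32/Bagle.t@MM host indicators listed above."""
import re

# Indicators taken from the Symptoms section.
DROPPED_FILES = {"directs.exe": 25600, "directs.exeopen": 25849}
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\windirects"
BACKDOOR_PORT = 2556


def check_registry(reg_export: str) -> list[str]:
    """Find the windirects marker key and any directs.exe Run values."""
    findings, section = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                      # [key path] header
            if section == MARKER_KEY:
                findings.append(f"marker key {section}")
        elif section in RUN_KEYS and line.lower().startswith('"directs.exe"'):
            findings.append(f"{section} -> {line}")   # startup hook
    return findings


def check_netstat(netstat_output: str) -> bool:
    """True if a TCP socket is LISTENING on the worm's backdoor port."""
    pat = re.compile(rf"^\s*TCP\s+\S+:{BACKDOOR_PORT}\s+\S+\s+LISTENING\b", re.I)
    return any(pat.match(line) for line in netstat_output.splitlines())


def check_sysdir(listing: dict[str, int]) -> list[str]:
    """Flag dropped files by name; a size mismatch is noted, not ignored."""
    found = []
    for name, size in listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is not None:
            note = "" if size == expected else f" (size {size}, expected {expected})"
            found.append(name + note)
    return found


# Constructed sample artifacts (not from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\windirects]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"directs.exe"="C:\\WINNT\\SYSTEM32\\directs.exe"
"""
SAMPLE_NETSTAT = "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING\n  TCP    0.0.0.0:2556   0.0.0.0:0    LISTENING\n"
SAMPLE_SYSDIR = {"kernel32.dll": 926720, "directs.exe": 25600, "directs.exeopen": 25849}


def triage(reg=SAMPLE_REG, netstat=SAMPLE_NETSTAT, sysdir=SAMPLE_SYSDIR) -> dict:
    """Run all three checks and return the findings per artifact type."""
    return {"registry": check_registry(reg), "backdoor_port": check_netstat(netstat),
            "dropped_files": check_sysdir(sysdir)}
```

A hit on any one of the three checks should be confirmed with the recommended engine and DAT combination rather than treated as a clean result on its own.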
Method of Infection
Please see the description of W32/Bagle.q@MM for further details.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Detection for the email message containing the exploit is included (for gateway products and the email scan plugins in point products) as W32/Bagle.eml!mso3-032.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.