W32/Bagle.v@MM

Type
Virus
SubType
E-mail worm
Discovery Date
03/29/2004
Length
8,208 Bytes
Minimum DAT
4344 (03/26/2004)
Updated DAT
4344 (03/26/2004)
Minimum Engine
5.1.00
Description Added
03/29/2004
Description Modified
03/29/2004 9:45 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This threat is proactively detected as W32/Bagle.u@MM when scanning compressed files (the default option) with program heuristics enabled, using the 4.2.40 scan engine (or higher) and the 4344 DAT files (or higher).

This is a new variant of W32/Bagle@MM. It is packed with FSG.

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

Mail Propagation

This variant mass-mails itself to recipients extracted from the victim machine. Addresses are harvested from files with the following extensions:

  • .wab
  • .txt
  • .msg
  • .htm
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp

The mails are formatted as follows:

From: (spoofed - using one of the harvested email addresses)
Subject: (blank)
Body: (blank)
Attachment: game.exe

The worm does not mail itself to addresses containing the following:

  • @avp.
  • @microsoft

Remote Access Component

The worm also opens a listening port on the victim machine: TCP port 4751.

The worm sends a notification via HTTP to a remote script (the notification contains the port number and an ID number). Users should block outgoing HTTP traffic to the following domain:

Symptoms

  • Existence of the filenames and Registry keys detailed below.
  • TCP port 4751 open
  • outgoing HTTP traffic to the following domain:
  • Attempts to run DREDR.EXE (if present on victim machine) when the worm executes (unless executing as SYSINFO.EXE).

Method of Infection

The worm installs itself into %SysDir% as SYSINFO.EXE, for example:

  • C:\WINNT\SYSTEM32\SYSINFO.EXE

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run
    "sysinfo.exe" = %SysDir%\sysinfo.exe

(where %SysDir% is the Windows system directory, e.g. C:\WINNT\SYSTEM32)

The following Registry key is created:

  • HKEY_CURRENT_USER\Software\Windows2005

Two values, "fr1n" and "gsed", are stored within this key.

The worm checks the system date when it is executed; if the date is the 1st January 2005 or later, it terminates.
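The following host-triage script is an added example, not McAfee's tooling or anything from the original description. It checks a Windows host for the indicators listed under Symptoms and Method of Infection above: the dropped SYSINFO.EXE, the Run value, the HKCU\Software\Windows2005 marker key with its "fr1n" and "gsed" values, and a listener on TCP port 4751. It assumes an elevated PowerShell session and uses netstat rather than Get-NetTCPConnection so that it also works on older Windows versions.

```powershell
# Added triage script (not McAfee's): checks this host for the W32/Bagle.v@MM
# indicators described on this page. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Dropped file: %SysDir%\SYSINFO.EXE
$sysDir  = [Environment]::GetFolderPath('System')
$dropped = Join-Path $sysDir 'SYSINFO.EXE'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Startup hook: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "sysinfo.exe"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'sysinfo.exe' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value 'sysinfo.exe' = $($runVal.'sysinfo.exe')"
}

# 3. Marker key HKCU\Software\Windows2005 holding the "fr1n" and "gsed" values
$markerKey = 'HKCU:\Software\Windows2005'
if (Test-Path -LiteralPath $markerKey) {
    $props   = Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue
    $present = @('fr1n', 'gsed') | Where-Object { $props.PSObject.Properties.Name -contains $_ }
    $findings += "Key present: $markerKey (values found: $($present -join ', '))"
}

# 4. Backdoor listener on TCP 4751; netstat -ano prints the owning PID in the last column
$listener = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:4751\s+\S+\s+LISTENING\s+(\d+)'
if ($listener) {
    $procId = $listener.Matches[0].Groups[1].Value
    $findings += "TCP 4751 LISTENING (owning PID $procId)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Bagle.v@MM indicators found on this host.'
} else {
    Write-Output 'Possible W32/Bagle.v@MM infection; indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

A non-zero exit code lets the script be used as a check from a management tool; a hit on the Run value or the marker key should be followed by a full scan with the engine and DAT versions given above.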

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Bagle.gen.b@MM