McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

-- Update June 7, 2004 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.

-- Update May 10, 2004 --
Due to a increase in prevalence, the risk assessment of this threat has been raised to Medium.

This variant is a very minor change from W32/Bagle.aa@MM .  It is packed using UPX.  The ZIP files and the scripts within the messages created by this virus are picked up with 4354 and higher DATs as W32/Bagle.gen!pwdzip  and W32/Bagle.aa@MM  respectively.

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• attachment can be a password-protected zip file, with the password included in the message body.
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

When executed it will display a false message as follows:

Mail Propagation

The details are as follows:

From : (address is spoofed)

Subject:

• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• New changes
• Hidden message
• Fax Message Received
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document

Body Text:

• Uses various constructed strings

Attachment: May be one of the follwing:

• Information
• Details
• text_document
• Readme
• Document
• Info
• the_message
• Details
• MoreInfo
• Message
• You_will_answer_to_me
• Half_Live
• Counter_strike
• Loves_money
• the_message
• Alive_condom
• Joke
• Toy
• Nervous_illnesses
• Manufacture
• You_are_dismissed
• Your_complaint
• Your_money
• Smoke
• I_search_for_you

using one the following extensions:

• Script dropper - using one of the following file extensions:
  • HTA
  • VBS
• Executable, using one of the following file extensions:
  • exe
  • scr
  • com
  • cpl
• Executable dropper, CPL file with .CPL file extension.

The executable uses the following icon:

The CPL file uses the following icon:

The virus copies itself into the Windows System directory as drvddll.exe. For example:

• C:\WINNT\SYSTEM32\drvddll.exe

It also creates other files in this directory to perform its functions:

• drvddll.exeopen (Copy of the worm)
• drvddll.exeopenopen  (Copy of the worm)

A file with the name of CPLSTUB.EXE is dropped into the %Windir% folder.  This is another copy of the worm.

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "drvddll.exe" = C:\WINNT\SYSTEM32\drvddll.exe

This worm attempts to terminate the process of security programs with the the following filenames:

• AGENTSVR.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• AVCONSOL.EXE
• AVGSERV9.EXE
• AVLTMAIN.EXE
• AVPUPD.EXE
• AVSYNMGR.EXE
• AVWUPD32.EXE
• AVXQUAR.EXE
• AVprotect9x.exe
• BD_PROFESSIONAL.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BLACKD.EXE
• BLACKICE.EXE
• BOOTWARN.EXE
• BORG2.EXE
• BS120.EXE
• CDP.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET.EXE
• CFINET32.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CPD.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DPF.EXE
• DPFSETUP.EXE
• DRWATSON.EXE
• DRWEBUPW.EXE
• ENT.EXE
• ESCANH95.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• EXANTIVIRUS-CNET.EXE
• FAST.EXE
• FIREWALL.EXE
• FLOWPROTECTOR.EXE
• FP-WIN_TRIAL.EXE
• FRW.EXE
• FSAV.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HTLOG.EXE
• HWPE.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFW2000.EXE
• IPARMOR.EXE
• IRIS.EXE
• JAMMER.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KILLPROCESSSETUP161.EXE
• LDPRO.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LSETUP.EXE
• LUALL.EXE
• LUCOMSERVER.EXE
• LUINIT.EXE
• MCAGENT.EXE
• MCUPDATE.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGUI.EXE
• MINILOG.EXE
• MOOLIVE.EXE
• MRFLUX.EXE
• MSCONFIG.EXE
• MSINFO32.EXE
• MSSMMC32.EXE
• MU0311AD.EXE
• NAV80TRY.EXE
• NAVAPW32.EXE
• NAVDX.EXE
• NAVSTUB.EXE
• NAVW32.EXE
• NC2000.EXE
• NCINST4.EXE
• NDD32.EXE
• NEOMONITOR.EXE
• NETARMOR.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NETSTAT.EXE
• NISSERV.EXE
• NISUM.EXE
• NMAIN.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NUPGRADE.EXE
• NVARCH16.EXE
• NWINST4.EXE
• NWTOOL16.EXE
• OSTRONET.EXE
• OUTPOST.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PAVPROXY.EXE
• PCC2002S902.EXE
• PCC2K_76_1436.EXE
• PCCIOMON.EXE
• PCDSETUP.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PF2.EXE
• PFWADMIN.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PROCEXPLORERV1.0.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• PURGE.EXE
• PVIEW95.EXE
• QCONSOLE.EXE
• QSERVER.EXE
• RAV8WIN32ENG.EXE
• REGEDIT.EXE
• REGEDT32.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• SAFEWEB.EXE
• SBSERV.EXE
• SD.EXE
• SETUPVAMEEVAL.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SMC.EXE
• SOFI.EXE
• SPF.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• ST2.EXE
• SUPFTRL.EXE
• SUPPORTER5.EXE
• SYMPROXYSVC.EXE
• SYSEDIT.EXE
• TASKMON.EXE
• TAUMON.EXE
• TAUSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS-3.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• UNDOBOOT.EXE
• UPDATE.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VFSETUP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCENU6.02D30.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• W32DSM89.EXE
• W9X.EXE
• WATCHDOG.EXE
• WEBSCANX.EXE
• WGFE95.EXE
• WHOSWATCHINGME.EXE
• WINRECON.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WYVERNWORKSFIREWALL.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• ZAUINST.EXE
• ZONALM2601.EXE
• ZONEALARM.EXE

The worm opens port 2535 (TCP) on the victim machine.

Symptoms

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

Remote Access Component

The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

Removal

All Users :
Use the specified DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger   has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
   drvddll.exe
   drvddll.exeopen     
   drvddll.exeopenopen
   
3. Edit the registry
   • Delete the "drvddll.exe" value from
     • HKEY_CURRENT_USER\Software\Microsoft\
       Windows\CurrentVersion\Run
4. Reboot the system into Default Mode

McAfee Threatscan
ThreatScan signatures that can detect the W32/Bagle.ab@MM virus are available from:

      -Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-04-28
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

• Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
  -or-
• Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

• Run the "ThreatScan Template Report"
• Look for module number #4071

ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

• Select TCP Port scan
• Enter port: 2535

McAfee Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2535.

McAfee System Compliance Profiler
Create a rule that matches a file

• Choose SYSTEM_DIR from the drop-down
• Type in DRVDDLL.EXE for the file name
• Choose "File does not exist" in the next drop-down

Sniffer Customers
Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

• W32_Bagle.ab@MM - Sniffer Filters.zip

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

-- Update June 7, 2004 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.

-- Update May 10, 2004 --
Due to a increase in prevalence, the risk assessment of this threat has been raised to Medium.

This variant is a very minor change from W32/Bagle.aa@MM .  It is packed using UPX.  The ZIP files and the scripts within the messages created by this virus are picked up with 4354 and higher DATs as W32/Bagle.gen!pwdzip  and W32/Bagle.aa@MM  respectively.

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• attachment can be a password-protected zip file, with the password included in the message body.
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

When executed it will display a false message as follows:

Mail Propagation

The details are as follows:

From : (address is spoofed)

Subject:

• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• New changes
• Hidden message
• Fax Message Received
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document

Body Text:

• Uses various constructed strings

Attachment: May be one of the follwing:

• Information
• Details
• text_document
• Readme
• Document
• Info
• the_message
• Details
• MoreInfo
• Message
• You_will_answer_to_me
• Half_Live
• Counter_strike
• Loves_money
• the_message
• Alive_condom
• Joke
• Toy
• Nervous_illnesses
• Manufacture
• You_are_dismissed
• Your_complaint
• Your_money
• Smoke
• I_search_for_you

using one the following extensions:

• Script dropper - using one of the following file extensions:
  • HTA
  • VBS
• Executable, using one of the following file extensions:
  • exe
  • scr
  • com
  • cpl
• Executable dropper, CPL file with .CPL file extension.

The executable uses the following icon:

The CPL file uses the following icon:

The virus copies itself into the Windows System directory as drvddll.exe. For example:

• C:\WINNT\SYSTEM32\drvddll.exe

It also creates other files in this directory to perform its functions:

• drvddll.exeopen (Copy of the worm)
• drvddll.exeopenopen  (Copy of the worm)

A file with the name of CPLSTUB.EXE is dropped into the %Windir% folder.  This is another copy of the worm.

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "drvddll.exe" = C:\WINNT\SYSTEM32\drvddll.exe

This worm attempts to terminate the process of security programs with the the following filenames:

• AGENTSVR.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• AVCONSOL.EXE
• AVGSERV9.EXE
• AVLTMAIN.EXE
• AVPUPD.EXE
• AVSYNMGR.EXE
• AVWUPD32.EXE
• AVXQUAR.EXE
• AVprotect9x.exe
• BD_PROFESSIONAL.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BLACKD.EXE
• BLACKICE.EXE
• BOOTWARN.EXE
• BORG2.EXE
• BS120.EXE
• CDP.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET.EXE
• CFINET32.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CPD.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DPF.EXE
• DPFSETUP.EXE
• DRWATSON.EXE
• DRWEBUPW.EXE
• ENT.EXE
• ESCANH95.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• EXANTIVIRUS-CNET.EXE
• FAST.EXE
• FIREWALL.EXE
• FLOWPROTECTOR.EXE
• FP-WIN_TRIAL.EXE
• FRW.EXE
• FSAV.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HTLOG.EXE
• HWPE.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFW2000.EXE
• IPARMOR.EXE
• IRIS.EXE
• JAMMER.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KILLPROCESSSETUP161.EXE
• LDPRO.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LSETUP.EXE
• LUALL.EXE
• LUCOMSERVER.EXE
• LUINIT.EXE
• MCAGENT.EXE
• MCUPDATE.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGUI.EXE
• MINILOG.EXE
• MOOLIVE.EXE
• MRFLUX.EXE
• MSCONFIG.EXE
• MSINFO32.EXE
• MSSMMC32.EXE
• MU0311AD.EXE
• NAV80TRY.EXE
• NAVAPW32.EXE
• NAVDX.EXE
• NAVSTUB.EXE
• NAVW32.EXE
• NC2000.EXE
• NCINST4.EXE
• NDD32.EXE
• NEOMONITOR.EXE
• NETARMOR.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NETSTAT.EXE
• NISSERV.EXE
• NISUM.EXE
• NMAIN.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NUPGRADE.EXE
• NVARCH16.EXE
• NWINST4.EXE
• NWTOOL16.EXE
• OSTRONET.EXE
• OUTPOST.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PAVPROXY.EXE
• PCC2002S902.EXE
• PCC2K_76_1436.EXE
• PCCIOMON.EXE
• PCDSETUP.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PF2.EXE
• PFWADMIN.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PROCEXPLORERV1.0.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• PURGE.EXE
• PVIEW95.EXE
• QCONSOLE.EXE
• QSERVER.EXE
• RAV8WIN32ENG.EXE
• REGEDIT.EXE
• REGEDT32.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• SAFEWEB.EXE
• SBSERV.EXE
• SD.EXE
• SETUPVAMEEVAL.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SMC.EXE
• SOFI.EXE
• SPF.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• ST2.EXE
• SUPFTRL.EXE
• SUPPORTER5.EXE
• SYMPROXYSVC.EXE
• SYSEDIT.EXE
• TASKMON.EXE
• TAUMON.EXE
• TAUSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS-3.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• UNDOBOOT.EXE
• UPDATE.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VFSETUP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCENU6.02D30.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• W32DSM89.EXE
• W9X.EXE
• WATCHDOG.EXE
• WEBSCANX.EXE
• WGFE95.EXE
• WHOSWATCHINGME.EXE
• WINRECON.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WYVERNWORKSFIREWALL.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• ZAUINST.EXE
• ZONALM2601.EXE
• ZONEALARM.EXE

The worm opens port 2535 (TCP) on the victim machine.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

Remote Access Component

The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

Removal -

Removal -

All Users :
Use the specified DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger   has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
   drvddll.exe
   drvddll.exeopen     
   drvddll.exeopenopen
   
3. Edit the registry
   • Delete the "drvddll.exe" value from
     • HKEY_CURRENT_USER\Software\Microsoft\
       Windows\CurrentVersion\Run
4. Reboot the system into Default Mode

McAfee Threatscan
ThreatScan signatures that can detect the W32/Bagle.ab@MM virus are available from:

      -Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-04-28
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

• Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
  -or-
• Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

• Run the "ThreatScan Template Report"
• Look for module number #4071

ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

• Select TCP Port scan
• Enter port: 2535

McAfee Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2535.

McAfee System Compliance Profiler
Create a rule that matches a file

• Choose SYSTEM_DIR from the drop-down
• Type in DRVDDLL.EXE for the file name
• Choose "File does not exist" in the next drop-down

Sniffer Customers
Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

• W32_Bagle.ab@MM - Sniffer Filters.zip

Variants

Variants -

N/A