McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Beagle.Y@mm (Symantec)

• W32/Bagle.AD.worm (Panda)

• WORM_BAGLE.AD (Trend)

Characteristics

-- Update July 5th, 2004 --

The risk assessment of this threat has been upgraded to Medium due to it's prevalence. 

-- Update July 5th, 2004 --

The risk assessment of this threat has been upgraded to Low-Profiled due to media attention at:

http://news.zdnet.co.uk/internet/security/0,39020375,39159596,00.htm

--

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image).
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
• uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.
• the sample is packed with UPX runtime compressor.

Note: The worm carries its source code (assembler) in its body, encrypted. When mass-mailing itself, the worm may also include a copy of the source code (within a ZIP archive, SOURCES.ZIP). It is not unlikely therefore that we will see further trivial variants based on this source. Though various differences may be expected, the following parameters are most likely (easy) to be modified:

• port number used by backdoor
• backdoor password
• date of 'expiry'

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• Update
• Fax Message
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document,0

Body Text:

• Various message bodies are used, in some cases containing the password for an encrypted attachment (either in plaintext, or within an image).

Attachment:

• Information
• Details
• text_document
• Updates
• Readme
• Document
• Info
• Details
• MoreInfo
• Message

using one the following extensions:

• Script dropper - using one of the following file extensions:
• HTA
• VBS
• Executable, using one of the following file extensions:
• exe
• scr
• com
• cpl
• Executable dropper, CPL file with .CPL file extension.

If the attachment is a ZIP file, the archive may be encrpyted (password protected). The password is contained in the message body (plaintext or image).

Installation

The virus copies itself into the Windows System directory as LOADER_NAME.EXE. For example:

• C:\WINNT\SYSTEM32\loader_name.exe

It also creates copies of itself (with differing appended garbage) in this directory to perform its functions:

• loader_name.exeopen
• loader_name.exeopenopen

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run
  "reg_key " = "C:\WINNT\System32\loader_name.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• [SkyNet.cz]SystemsMutex
• AdmSkynetJklS003
• ____--->>>>U<<<<--____
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the processes of various security programs (and other worms).

The worm opens port 1234 (TCP) on the victim machine.

Symptoms

Method of Infection

  Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

• @hotmail
• @msn
• @microsoft
• rating@
• f-secur
• news
• update
• anyone@
• bugs@
• contract@
• feste
• gold-certs@
• help@
• info@
• nobody@
• noone@
• kasp
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• sopho
• @foo
• @iana
• free-av
• @messagelab
• winzip
• google
• winrar
• samples
• abuse
• panda
• cafee
• spam
• pgp
• @avp.
• noreply
• local
• root@
• postmaster

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

• Microsoft Office 2003 Crack, Working!.exe
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
• Microsoft Office XP working Crack, Keygen.exe
• Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• KAV 5.0
• Kaspersky Antivirus 5.0
• Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe,0

Remote Access Component

The virus listens on TCP port 1234 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites.

After 25th January, 2005 , this component of the worm is also deactivated.

Removal

All Users :
Use current engine and DAT files for detection and removal. Alternatively, the following extra.dat packages are available. (working with EXTRA.DAT files ).

EXTRA.DAT
SUPER EXTRA.DAT

This EXTRA.DAT package contains the following new detections:

• W32/Bagle.ad@MM
• W32/Bagle.ae@MM
• W32/Bagle.ad!src (archive containing assembler source)

The following detections have been enhanced:

• W32/Bagle.gen!pwdzip (for password-protected archive containing the worm)
• W32/Bagle.gen!vbs (script dropper)

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat.

McAfee System Compliance Profiler
Please see SCP_Bagle_ad.txt for rule text to be copied into McAfee System Compliance Profiler.

McAfee Desktop Firewall
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port 1234.

McAfee Threatscan
ThreatScan signatures that can detect the W32/Bagle.ad virus are available from:

• Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
• Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-07-05

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

• Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
  -or-
• Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

• Run the "ThreatScan Template Report"
• Look for module number #4077

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Beagle.Y@mm (Symantec)

• W32/Bagle.AD.worm (Panda)

• WORM_BAGLE.AD (Trend)

Characteristics

Characteristics -

-- Update July 5th, 2004 --

The risk assessment of this threat has been upgraded to Medium due to it's prevalence. 

-- Update July 5th, 2004 --

The risk assessment of this threat has been upgraded to Low-Profiled due to media attention at:

http://news.zdnet.co.uk/internet/security/0,39020375,39159596,00.htm

--

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• attachment can be a password-protected zip file, with the password included in the message body (as plaintext or within an image).
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
• uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines.
• the sample is packed with UPX runtime compressor.

Note: The worm carries its source code (assembler) in its body, encrypted. When mass-mailing itself, the worm may also include a copy of the source code (within a ZIP archive, SOURCES.ZIP). It is not unlikely therefore that we will see further trivial variants based on this source. Though various differences may be expected, the following parameters are most likely (easy) to be modified:

• port number used by backdoor
• backdoor password
• date of 'expiry'

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• Update
• Fax Message
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document,0

Body Text:

• Various message bodies are used, in some cases containing the password for an encrypted attachment (either in plaintext, or within an image).

Attachment:

• Information
• Details
• text_document
• Updates
• Readme
• Document
• Info
• Details
• MoreInfo
• Message

using one the following extensions:

• Script dropper - using one of the following file extensions:
• HTA
• VBS
• Executable, using one of the following file extensions:
• exe
• scr
• com
• cpl
• Executable dropper, CPL file with .CPL file extension.

If the attachment is a ZIP file, the archive may be encrpyted (password protected). The password is contained in the message body (plaintext or image).

Installation

The virus copies itself into the Windows System directory as LOADER_NAME.EXE. For example:

• C:\WINNT\SYSTEM32\loader_name.exe

It also creates copies of itself (with differing appended garbage) in this directory to perform its functions:

• loader_name.exeopen
• loader_name.exeopenopen

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run
  "reg_key " = "C:\WINNT\System32\loader_name.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• [SkyNet.cz]SystemsMutex
• AdmSkynetJklS003
• ____--->>>>U<<<<--____
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the processes of various security programs (and other worms).

The worm opens port 1234 (TCP) on the victim machine.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

  Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

• @hotmail
• @msn
• @microsoft
• rating@
• f-secur
• news
• update
• anyone@
• bugs@
• contract@
• feste
• gold-certs@
• help@
• info@
• nobody@
• noone@
• kasp
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• sopho
• @foo
• @iana
• free-av
• @messagelab
• winzip
• google
• winrar
• samples
• abuse
• panda
• cafee
• spam
• pgp
• @avp.
• noreply
• local
• root@
• postmaster

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

• Microsoft Office 2003 Crack, Working!.exe
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
• Microsoft Office XP working Crack, Keygen.exe
• Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• KAV 5.0
• Kaspersky Antivirus 5.0
• Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe,0

Remote Access Component

The virus listens on TCP port 1234 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites.

After 25th January, 2005 , this component of the worm is also deactivated.

Removal -

Removal -

All Users :
Use current engine and DAT files for detection and removal. Alternatively, the following extra.dat packages are available. (working with EXTRA.DAT files ).

EXTRA.DAT
SUPER EXTRA.DAT

This EXTRA.DAT package contains the following new detections:

• W32/Bagle.ad@MM
• W32/Bagle.ae@MM
• W32/Bagle.ad!src (archive containing assembler source)

The following detections have been enhanced:

• W32/Bagle.gen!pwdzip (for password-protected archive containing the worm)
• W32/Bagle.gen!vbs (script dropper)

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat.

McAfee System Compliance Profiler
Please see SCP_Bagle_ad.txt for rule text to be copied into McAfee System Compliance Profiler.

McAfee Desktop Firewall
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port 1234.

McAfee Threatscan
ThreatScan signatures that can detect the W32/Bagle.ad virus are available from:

• Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
• Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-07-05

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

• Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
  -or-
• Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

• Run the "ThreatScan Template Report"
• Look for module number #4077

Variants

Variants -

N/A