McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Bagle.af (AVP)

• W32.Beagle.AB@mm (NAV)

• W32/Bagle-AF (Sophos)

• W32/Bagle.AF.worm (Panda)

• Win32.Bagle.AB (CA)

• WORM_BAGLE.AF (Trend)

Characteristics

--Update 22nd July, 2004 --
The risk assessment was lowered to Medium due to a decrease in prevalence.

--

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• attachment can be a password-protected zip file, with the password included in the message body.
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
• uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
• terminates processes of security programs and other worms
• deletes registry entries of security programs and other worms

Mail Propagation

From : (address is spoofed)  
Attachment names are chosen from the following list:

The worm will use a different set of lists to choose subject and body text from, depending on whether the attachment is sent as a password-protected ZIP file. 

The details for non-ZIP files (.EXE, .SCR,.COM,.ZIP, .CPL) are as follows:

Subject :

• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• Update
• Fax Message
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document  

Body Text:

• Read the attach.
• Your file is attached.
• More info is in attach
• See attach.
• Please, have a look at the attached file.
• Your document is attached.
• Please, read the document.
• Attach tells everything.
• Attached file tells everything.
• Check attached file for details.
• Check attached file.
• Pay attention at the attach.
• See the attached file for details.
• Message is in attach
• Here is the file.

Details for password-protected ZIP files are as follows:

Subject :

• Password:
• Pass -
• Password -

Body Text:

• For security reasons attached file is password protected. The password is <EMBEDDED image="" />
• For security purposes the attached file is password protected. Password -- <EMBEDDED image="" />
• Note: Use password <EMBEDDED image="" />to open archive.
  Attached file is protected with the password for security reasons. Password is <EMBEDDED image="" />
• In order to read the attach you have to use the following password: <EMBEDDED image="" />
• Archive password: <EMBEDDED image="" />
• Password - <EMBEDDED image="" />
• Password:

Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:

• .ini
• .cfg
• .txt
• .vxd
• .def
• .dll

These files contain only random garbage-characters.<EMBEDDED image="" />

Installation

The virus copies itself into the Windows System directory as sysxp.exe. For example:

• C:\WINNT\SYSTEM32\sysxp.exe

It also creates other files in this directory to perform its functions:

• sysxp.exeopen
• sysxp.exeopenopen

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

• ZonesCounterMutex
• ZonesCacheCounterMutex
• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• [SkyNet.cz]SystemsMutex
• AdmSkynetJklS003
• ____--->>>>U<<<<--____
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
• RasPbFile

The worm opens port 1080  (TCP) on the victim machine and random UDP ports.

Symptoms

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The worm will avoid sending itself to email addresses which contains the following strings:

• @hotmail
• @msn
• @microsoft
• rating@
• f-secur
• news
• update
• anyone@
• bugs@
• contract@
• feste
• gold-certs@
• help@
• info@
• nobody@
• noone@
• kasp
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• sopho
• @foo
• @iana
• free-av
• @messagelab
• winzip
• google
• winrar
• samples
• abuse
• panda
• cafee
• spam
• pgp
• @avp.
• noreply
• local
• root@
• postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

• Microsoft Office 2003 Crack, Working!.exe
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
• Microsoft Office XP working Crack, Keygen.exe
• Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• KAV 5.0
• Kaspersky Antivirus 5.0
• Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe

Process Killing

The worm kills processes matching the following list of file names, belonging to other worms and products which could be used to identify or interfere with its actions:

• OUTPOST.EXE
• NMAIN.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NVARCH16.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KILLPROCESSSETUP161.EXE
• LDPRO.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LSETUP.EXE
• AVprotect9x.exe
• CMON016.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• ICSSUPPNT.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DPF.EXE
• DPFSETUP.EXE
• DRWATSON.EXE
• ENT.EXE
• ESCANH95.EXE
• AVXQUAR.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• AVPUPD.EXE
• EXANTIVIRUS-CNET.EXE
• FAST.EXE
• FIREWALL.EXE
• FLOWPROTECTOR.EXE
• FP-WIN_TRIAL.EXE
• FRW.EXE
• FSAV.EXE
• AUTODOWN.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HTLOG.EXE
• HWPE.EXE
• IAMSERV.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFW2000.EXE
• IPARMOR.EXE
• IRIS.EXE
• JAMMER.EXE
• ATUPDATER.EXE
• AUPDATE.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• BORG2.EXE
• BS120.EXE
• CDP.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• AUTOUPDATE.EXE
• NAVAPW32.EXE
• NAVDX.EXE
• NAVSTUB.EXE
• NAVW32.EXE
• NC2000.EXE
• NCINST4.EXE
• AUTOTRACE.EXE
• NDD32.EXE
• NEOMONITOR.EXE
• NETARMOR.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NETSTAT.EXE
• NISSERV.EXE
• NISUM.EXE
• CFIAUDIT.EXE
• LUCOMSERVER.EXE
• AGENTSVR.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATWATCH.EXE
• AVCONSOL.EXE
• AVGSERV9.EXE
• AVSYNMGR.EXE
• BD_PROFESSIONAL.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BLACKD.EXE
• BLACKICE.EXE
• BOOTWARN.EXE
• NWINST4.EXE
• NWTOOL16.EXE
• OSTRONET.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PAVPROXY.EXE
• DRWEBUPW.EXE
• PCC2002S902.EXE
• PCC2K_76_1436.EXE
• PCCIOMON.EXE
• PCDSETUP.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PF2.EXE
• AVLTMAIN.EXE
• PFWADMIN.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PROCEXPLORERV1.0.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• WGFE95.EXE
• WHOSWATCHINGME.EXE
• AVWUPD32.EXE
• NUPGRADE.EXE
• WINRECON.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WYVERNWORKSFIREWALL.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• CFINET32.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CPD.EXE
• PURGE.EXE
• PVIEW95.EXE
• QCONSOLE.EXE
• QSERVER.EXE
• RAV8WIN32ENG.EXE
• REGEDT32.EXE
• REGEDIT.EXE
• UPDATE.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• SAFEWEB.EXE
• SBSERV.EXE
• SD.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SETUPVAMEEVAL.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SMC.EXE
• SOFI.EXE
• SPF.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• ST2.EXE
• SUPFTRL.EXE
• LUALL.EXE
• SUPPORTER5.EXE
• SYMPROXYSVC.EXE
• SYSEDIT.EXE
• TASKMON.EXE
• TAUMON.EXE
• TAUSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TDS-3.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• UNDOBOOT.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VFSETUP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCENU6.02D30.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• W32DSM89.EXE
• W9X.EXE
• WATCHDOG.EXE
• WEBSCANX.EXE
• CFINET.EXE
• ICSUPP95.EXE
• MCUPDATE.EXE
• LUINIT.EXE
• MCAGENT.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGUI.EXE
• MINILOG.EXE
• MOOLIVE.EXE
• MRFLUX.EXE
• MSCONFIG.EXE
• MSINFO32.EXE
• MSSMMC32.EXE
• MU0311AD.EXE
• NAV80TRY.EXE
• ZAUINST.EXE
• ZONALM2601.EXE
• ZONEALARM.EXE

Registry entry removal

The following list of registry entries for security products and worms is deleted:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "My AV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "My AV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Zone Labs Client Ex"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Zone Labs Client Ex"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "9XHtProtect"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "9XHtProtect"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Antivirus"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Antivirus"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Special Firewall Service"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Special Firewall Service"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "service"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "service"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Tiny AV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Tiny AV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQNet"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQNet"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "HtProtect"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "HtProtect"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "NetDy"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "NetDy"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Jammer2nd"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Jammer2nd"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "FirewallSvr"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "FirewallSvr"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "MsInfo"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "MsInfo"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "SysMonXP"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "SysMonXP"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "EasyAV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "EasyAV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "PandaAVEngine"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "PandaAVEngine"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Norton Antivirus AV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Norton Antivirus AV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "KasperskyAVEng"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "KasperskyAVEng"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "SkynetsRevenge"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "SkynetsRevenge"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQ Net"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQ Net"

Remote Access Component

The virus listens on TCP port 1080 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites.

Removal

All Users :
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat.

McAfee System Compliance Profiler:
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in SYSXP.EXE for the file name
- Choose "File does not exist" in the next drop-down

McAfee Desktop Firewall:
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP ports 1080

McAfee Threatscan:
ThreatScan signatures that can detect the W32/Bagle.af virus are available from:

      -     Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -     Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-07-16

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

      -     Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
 -or-
      -     Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

      -     Run the "ThreatScan Template Report"
      -     Look for module number #4078

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Bagle.af (AVP)

• W32.Beagle.AB@mm (NAV)

• W32/Bagle-AF (Sophos)

• W32/Bagle.AF.worm (Panda)

• Win32.Bagle.AB (CA)

• WORM_BAGLE.AF (Trend)

Characteristics

Characteristics -

--Update 22nd July, 2004 --
The risk assessment was lowered to Medium due to a decrease in prevalence.

--

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• attachment can be a password-protected zip file, with the password included in the message body.
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
• uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
• terminates processes of security programs and other worms
• deletes registry entries of security programs and other worms

Mail Propagation

From : (address is spoofed)  
Attachment names are chosen from the following list:

The worm will use a different set of lists to choose subject and body text from, depending on whether the attachment is sent as a password-protected ZIP file. 

The details for non-ZIP files (.EXE, .SCR,.COM,.ZIP, .CPL) are as follows:

Subject :

• Re: Msg reply
• Re: Hello
• Re: Yahoo!
• Re: Thank you!
• Re: Thanks :)
• RE: Text message
• Re: Document
• Incoming message
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Notification
• Changes..
• Update
• Fax Message
• Protected message
• RE: Protected message
• Forum notify
• Site changes
• Re: Hi
• Encrypted document  

Body Text:

• Read the attach.
• Your file is attached.
• More info is in attach
• See attach.
• Please, have a look at the attached file.
• Your document is attached.
• Please, read the document.
• Attach tells everything.
• Attached file tells everything.
• Check attached file for details.
• Check attached file.
• Pay attention at the attach.
• See the attached file for details.
• Message is in attach
• Here is the file.

Details for password-protected ZIP files are as follows:

Subject :

• Password:
• Pass -
• Password -

Body Text:

• For security reasons attached file is password protected. The password is <EMBEDDED image="" />
• For security purposes the attached file is password protected. Password -- <EMBEDDED image="" />
• Note: Use password <EMBEDDED image="" />to open archive.
  Attached file is protected with the password for security reasons. Password is <EMBEDDED image="" />
• In order to read the attach you have to use the following password: <EMBEDDED image="" />
• Archive password: <EMBEDDED image="" />
• Password - <EMBEDDED image="" />
• Password:

Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:

• .ini
• .cfg
• .txt
• .vxd
• .def
• .dll

These files contain only random garbage-characters.<EMBEDDED image="" />

Installation

The virus copies itself into the Windows System directory as sysxp.exe. For example:

• C:\WINNT\SYSTEM32\sysxp.exe

It also creates other files in this directory to perform its functions:

• sysxp.exeopen
• sysxp.exeopenopen

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

• ZonesCounterMutex
• ZonesCacheCounterMutex
• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• [SkyNet.cz]SystemsMutex
• AdmSkynetJklS003
• ____--->>>>U<<<<--____
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
• RasPbFile

The worm opens port 1080  (TCP) on the victim machine and random UDP ports.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The worm will avoid sending itself to email addresses which contains the following strings:

• @hotmail
• @msn
• @microsoft
• rating@
• f-secur
• news
• update
• anyone@
• bugs@
• contract@
• feste
• gold-certs@
• help@
• info@
• nobody@
• noone@
• kasp
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• sopho
• @foo
• @iana
• free-av
• @messagelab
• winzip
• google
• winrar
• samples
• abuse
• panda
• cafee
• spam
• pgp
• @avp.
• noreply
• local
• root@
• postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

• Microsoft Office 2003 Crack, Working!.exe
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
• Microsoft Office XP working Crack, Keygen.exe
• Porno, sex, oral, anal cool, awesome!!.exe
• Porno Screensaver.scr
• Serials.txt.exe
• KAV 5.0
• Kaspersky Antivirus 5.0
• Porno pics arhive, xxx.exe
• Windows Sourcecode update.doc.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe

Process Killing

The worm kills processes matching the following list of file names, belonging to other worms and products which could be used to identify or interfere with its actions:

• OUTPOST.EXE
• NMAIN.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NVARCH16.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KILLPROCESSSETUP161.EXE
• LDPRO.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LSETUP.EXE
• AVprotect9x.exe
• CMON016.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• ICSSUPPNT.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DPF.EXE
• DPFSETUP.EXE
• DRWATSON.EXE
• ENT.EXE
• ESCANH95.EXE
• AVXQUAR.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• AVPUPD.EXE
• EXANTIVIRUS-CNET.EXE
• FAST.EXE
• FIREWALL.EXE
• FLOWPROTECTOR.EXE
• FP-WIN_TRIAL.EXE
• FRW.EXE
• FSAV.EXE
• AUTODOWN.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HTLOG.EXE
• HWPE.EXE
• IAMSERV.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFW2000.EXE
• IPARMOR.EXE
• IRIS.EXE
• JAMMER.EXE
• ATUPDATER.EXE
• AUPDATE.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• BORG2.EXE
• BS120.EXE
• CDP.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• AUTOUPDATE.EXE
• NAVAPW32.EXE
• NAVDX.EXE
• NAVSTUB.EXE
• NAVW32.EXE
• NC2000.EXE
• NCINST4.EXE
• AUTOTRACE.EXE
• NDD32.EXE
• NEOMONITOR.EXE
• NETARMOR.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NETSTAT.EXE
• NISSERV.EXE
• NISUM.EXE
• CFIAUDIT.EXE
• LUCOMSERVER.EXE
• AGENTSVR.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATWATCH.EXE
• AVCONSOL.EXE
• AVGSERV9.EXE
• AVSYNMGR.EXE
• BD_PROFESSIONAL.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BLACKD.EXE
• BLACKICE.EXE
• BOOTWARN.EXE
• NWINST4.EXE
• NWTOOL16.EXE
• OSTRONET.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PAVPROXY.EXE
• DRWEBUPW.EXE
• PCC2002S902.EXE
• PCC2K_76_1436.EXE
• PCCIOMON.EXE
• PCDSETUP.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PF2.EXE
• AVLTMAIN.EXE
• PFWADMIN.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PROCEXPLORERV1.0.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• WGFE95.EXE
• WHOSWATCHINGME.EXE
• AVWUPD32.EXE
• NUPGRADE.EXE
• WINRECON.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WYVERNWORKSFIREWALL.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• CFINET32.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CPD.EXE
• PURGE.EXE
• PVIEW95.EXE
• QCONSOLE.EXE
• QSERVER.EXE
• RAV8WIN32ENG.EXE
• REGEDT32.EXE
• REGEDIT.EXE
• UPDATE.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• SAFEWEB.EXE
• SBSERV.EXE
• SD.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SETUPVAMEEVAL.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SMC.EXE
• SOFI.EXE
• SPF.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• ST2.EXE
• SUPFTRL.EXE
• LUALL.EXE
• SUPPORTER5.EXE
• SYMPROXYSVC.EXE
• SYSEDIT.EXE
• TASKMON.EXE
• TAUMON.EXE
• TAUSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TDS-3.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• UNDOBOOT.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VFSETUP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCENU6.02D30.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• W32DSM89.EXE
• W9X.EXE
• WATCHDOG.EXE
• WEBSCANX.EXE
• CFINET.EXE
• ICSUPP95.EXE
• MCUPDATE.EXE
• LUINIT.EXE
• MCAGENT.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGUI.EXE
• MINILOG.EXE
• MOOLIVE.EXE
• MRFLUX.EXE
• MSCONFIG.EXE
• MSINFO32.EXE
• MSSMMC32.EXE
• MU0311AD.EXE
• NAV80TRY.EXE
• ZAUINST.EXE
• ZONALM2601.EXE
• ZONEALARM.EXE

Registry entry removal

The following list of registry entries for security products and worms is deleted:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "My AV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "My AV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Zone Labs Client Ex"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Zone Labs Client Ex"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "9XHtProtect"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "9XHtProtect"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Antivirus"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Antivirus"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Special Firewall Service"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Special Firewall Service"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "service"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "service"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Tiny AV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Tiny AV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQNet"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQNet"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "HtProtect"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "HtProtect"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "NetDy"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "NetDy"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Jammer2nd"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Jammer2nd"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "FirewallSvr"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "FirewallSvr"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "MsInfo"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "MsInfo"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "SysMonXP"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "SysMonXP"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "EasyAV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "EasyAV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "PandaAVEngine"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "PandaAVEngine"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "Norton Antivirus AV"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "Norton Antivirus AV"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "KasperskyAVEng"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "KasperskyAVEng"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "SkynetsRevenge"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "SkynetsRevenge"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQ Net"
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "ICQ Net"

Remote Access Component

The virus listens on TCP port 1080 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites.

Removal -

Removal -

All Users :
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to include detection and removal of this threat.

McAfee System Compliance Profiler:
Create a rule that matches a file
- Choose SYSTEM_DIR from the drop-down
- Type in SYSXP.EXE for the file name
- Choose "File does not exist" in the next drop-down

McAfee Desktop Firewall:
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP ports 1080

McAfee Threatscan:
ThreatScan signatures that can detect the W32/Bagle.af virus are available from:

      -     Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
      -     Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-07-16

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

      -     Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
 -or-
      -     Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:

      -     Run the "ThreatScan Template Report"
      -     Look for module number #4078

Variants

Variants -

N/A