W32/Bagle.ag@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 07/17/2004
Length: varies
Minimum DAT: 4378 (07/19/2004)
Updated DAT: 4900 (11/20/2006)
Minimum Engine: 5.1.00
Description Added: 07/17/2004
Description Modified: 08/16/2004 12:50 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update August 16th, 2004 --
The risk assessment of this threat has been lowered to Low-Profiled due to decreased prevalence.
--

-- Update July 19, 2004 --
W32/Bagle.ag@MM was updated to Medium due to prevalence.
--

If you think that you may be infected with this threat and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products can detect and remove the virus with the latest update (see the removal instructions below for more information).

Note:
Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip file, with the password included in the message body.
  • contains a remote access component (a notification is sent to the author)
  • copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
  • shuts down security programs

Mail Propagation

The details are as follows:

From: (address is spoofed)
Subject: (one of the following)

  • Password: %s
  • Pass - %s
  • Key - %s
  • Re:
  • foto3
  • fotogalary
  • fotoinfo
  • Lovely animals
  • Animals
  • Predators
  • The snake
  • Screen

Body Text:

  • (blank)

Attachment: (one of the following names, with extension .EXE, .SCR, .COM, .ZIP or .CPL)

  • foto3
  • foto2
  • foto1
  • Secret
  • Doll
  • Garry
  • Cat
  • Dog
  • Fish

Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:

  • .ini
  • .cfg
  • .txt
  • .vxd
  • .def
  • .dll

These files contain only random garbage characters.
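The message traits above (lure subjects, the "Password: %s" style subject and body, lure attachment names, and a password-protected ZIP carrying an executable plus a random filler file) are what a mail gateway can match on. The following is an added example, not McAfee's code: it parses one raw message, checks it against the indicators listed in this description, and inspects a ZIP attachment's directory without extracting it. The sample message, the filler name kq83h.ini, the verdict thresholds and the password-in-body pattern are assumptions of this example.

```python
"""Mail-side triage for messages with the W32/Bagle.ag@MM traits above.

Added example, not McAfee's code.  Indicator strings come from the
description; thresholds, the regexes and the sample message are assumed.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure strings taken from the description above.
SUBJECTS = {"re:", "foto3", "fotogalary", "fotoinfo", "lovely animals",
            "animals", "predators", "the snake", "screen"}
# "Password: %s" / "Pass - %s" / "Key - %s": a fixed prefix, then the ZIP password.
SUBJECT_TEMPLATE = re.compile(r"^(password:|pass -|key -)\s*\S+$", re.IGNORECASE)
ATTACH_STEMS = {"foto3", "foto2", "foto1", "secret", "doll", "garry", "cat", "dog", "fish"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".zip", ".cpl"}
FILLER_EXTS = {".ini", ".cfg", ".txt", ".vxd", ".def", ".dll"}
# Assumed pattern for "the password is in the message body".
PASSWORD_IN_BODY = re.compile(r"\b(password|pass|key)\b\s*[:-]\s*\S+", re.IGNORECASE)


def _stem_ext(name: str):
    name = name.lower()
    dot = name.rfind(".")
    return (name, "") if dot < 0 else (name[:dot], name[dot:])


def zip_indicators(data: bytes) -> list:
    """Inspect a ZIP attachment's directory without extracting anything."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip:unreadable"]
    for info in zf.infolist():
        stem, ext = _stem_ext(info.filename)
        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            hits.append(f"zip:encrypted:{info.filename}")
        if stem in ATTACH_STEMS and ext in ATTACH_EXTS and ext != ".zip":
            hits.append(f"zip:lure-member:{info.filename}")
        if ext in FILLER_EXTS:
            hits.append(f"zip:filler-member:{info.filename}")
    return hits


def classify(raw: bytes) -> dict:
    """Return the matched indicators and a gateway verdict for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    subject = str(msg["subject"] or "").strip()
    if subject.lower() in SUBJECTS or SUBJECT_TEMPLATE.match(subject):
        hits.append(f"subject:{subject}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    password_in_body = PASSWORD_IN_BODY.search(text) is not None
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        stem, ext = _stem_ext(fname)
        if stem in ATTACH_STEMS and ext in ATTACH_EXTS:
            hits.append(f"attachment:{fname}")
        if ext == ".zip":
            zhits = zip_indicators(part.get_payload(decode=True) or b"")
            hits.extend(zhits)
            if zhits and password_in_body:
                hits.append("zip:password-in-body")
    # A lure attachment name or a lure/encrypted ZIP member is the strong
    # signal; a matching subject alone ("Re:") is far too common to block on.
    if any(h.startswith(("attachment:", "zip:lure", "zip:encrypted")) for h in hits):
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


def build_sample() -> bytes:
    """Constructed lure message.  The ZIP holds padding bytes, not a worm, and
    is unencrypted because the standard library cannot write encrypted ZIPs,
    so the encrypted-member indicator does not fire on this sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto3.exe", b"\x00" * 64)
        zf.writestr("kq83h.ini", b"xk2!9a")
    msg = EmailMessage()
    msg["From"] = "harvested.user@example.net"  # spoofed, as the worm does
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Password: 53411"
    msg.set_content("Password: 53411")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="foto3.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample()))
```

The ZIP is judged from its central directory only (member names and the encryption flag), so the gateway never has to know the password or run the content; a message whose body supplies a password for an encrypted archive containing an executable is quarantined on those structural facts alone.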

The virus copies itself into the Windows System directory as sys_xp.exe. For example:

  • C:\WINNT\SYSTEM32\sys_xp.exe

It also creates other files in this directory to perform its functions:

  • sys_xp.exeopen
  • sys_xp.exeopenopen

The following Registry key is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key " = "C:\WINNT\SYSTEM32\sys_xp.exe"

A mutex is created to ensure only one instance of the worm is running at a time. The worm creates one of the following mutex names, which belong to variants of W32/Netsky, in an attempt to stop those Netsky variants from running on the infected machine:

  • {z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • 'D'r'o'p'p'e'd'S'k'y'N'e't'
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • ____--->>>>U<<<<--____
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the processes of security programs with the following filenames:

  • AGENTSVR.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVGSERV9.EXE
  • AVLTMAIN.EXE
  • AVprotect9x.exe
  • AVPUPD.EXE
  • AVSYNMGR.EXE
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • BD_PROFESSIONAL.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BS120.EXE
  • CDP.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CPD.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DRWATSON.EXE
  • DRWEBUPW.EXE
  • ENT.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • EXANTIVIRUS-CNET.EXE
  • FAST.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • FP-WIN_TRIAL.EXE
  • FRW.EXE
  • FSAV.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HTLOG.EXE
  • HWPE.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFW2000.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • JAMMER.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KILLPROCESSSETUP161.EXE
  • LDPRO.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • MCAGENT.EXE
  • MCUPDATE.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MOOLIVE.EXE
  • MRFLUX.EXE
  • MSCONFIG.EXE
  • MSINFO32.EXE
  • MSSMMC32.EXE
  • MU0311AD.EXE
  • NAV80TRY.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NETARMOR.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NSCHED32.EXE
  • NTVDM.EXE
  • NUPGRADE.EXE
  • NVARCH16.EXE
  • NWINST4.EXE
  • NWTOOL16.EXE
  • OSTRONET.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PAVPROXY.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PDSETUP.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PROCEXPLORERV1.0.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAV8WIN32ENG.EXE
  • REGEDIT.EXE
  • REGEDT32.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • SAFEWEB.EXE
  • SBSERV.EXE
  • SD.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SMC.EXE
  • SOFI.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • ST2.EXE
  • SUPFTRL.EXE
  • SUPPORTER5.EXE
  • SYMPROXYSVC.EXE
  • SYSEDIT.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TAUSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TDS-3.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • UNDOBOOT.EXE
  • UPDATE.EXE
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VFSETUP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCENU6.02D30.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WINRECON.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WSBGATE.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE

The worm opens port 1080 (TCP) on the victim machine.
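The host artifacts described above (the sys_xp.exe files in the System directory, the HKCU Run value, the Netsky mutex names and a listener on TCP 1080) can be checked with a short script. The following is an added example and not McAfee's tooling: evaluate() scores a snapshot of those four facts, and collect_snapshot() gathers them on a live Windows host. The snapshot layout, the severity weighting, and the loopback connect used to probe port 1080 are assumptions of this example; the mutex check is left to an external handle walker.

```python
"""Host-side check for the W32/Bagle.ag@MM indicators described above:
the dropped sys_xp.exe files, the HKCU Run value, the Netsky mutex names
and a listener on TCP 1080.

Added example, not McAfee's tooling.  evaluate() scores a plain snapshot
dict so it can run offline, and collect_snapshot() fills that dict on a
live Windows host using winreg, os.listdir and a loopback connect.
"""
import os
import socket
import sys

DROPPED_FILES = {"sys_xp.exe", "sys_xp.exeopen", "sys_xp.exeopenopen"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
NETSKY_MUTEXES = {
    "{z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
BACKDOOR_PORT = 1080


def evaluate(snapshot: dict) -> dict:
    """snapshot keys (assumed layout): system_dir_files (names in the System
    directory), run_values (Run value name -> command), mutexes (names),
    listening_ports (ints)."""
    hits = []
    present = {name.lower() for name in snapshot.get("system_dir_files", ())}
    for name in sorted(DROPPED_FILES & present):
        hits.append(f"file:{name}")
    for name, command in snapshot.get("run_values", {}).items():
        if "sys_xp.exe" in command.lower():
            hits.append(f"run:{name.strip()}={command}")
    for name in sorted(NETSKY_MUTEXES & set(snapshot.get("mutexes", ()))):
        hits.append(f"mutex:{name}")
    if BACKDOOR_PORT in snapshot.get("listening_ports", ()):
        hits.append(f"port:{BACKDOOR_PORT}/tcp")
    # Only the dropped file or the Run value is conclusive: TCP 1080 is also
    # a normal SOCKS port, and the mutex names belong to Netsky variants, so
    # one of them on its own may just as well mean a Netsky infection.
    conclusive = any(h.startswith(("file:", "run:")) for h in hits)
    return {"infected": conclusive, "indicators": hits}


def collect_snapshot() -> dict:
    """Live collection, Windows only.  Mutex names need a handle walker
    (not attempted here), so that key is returned empty."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only runs on Windows")
    import winreg
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    files = {f for f in os.listdir(system_dir) if f.lower().startswith("sys_xp.exe")}
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            run_values[name] = str(value)
            index += 1
    ports = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(0.5)
        if sock.connect_ex(("127.0.0.1", BACKDOOR_PORT)) == 0:
            ports.add(BACKDOOR_PORT)
    return {"system_dir_files": files, "run_values": run_values,
            "mutexes": set(), "listening_ports": ports}


if __name__ == "__main__":
    print(evaluate(collect_snapshot()))
```

Keeping the scoring separate from collection lets the same evaluate() run against a forensic image or a fleet inventory export, and keeps the weighting explicit: the port and mutex indicators raise the score but do not by themselves declare an infection.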

Symptoms

  • Port 1080 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .wab
    • .txt
    • .msg
    • .htm
    • .shtm
    • .stm
    • .xml
    • .dbx
    • .mbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .wsh
    • .adb
    • .tbb
    • .sht
    • .xls
    • .oft
    • .uin
    • .cgi
    • .mht
    • .dhtm
    • .jsp

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • @avp.
    • @foo
    • @iana
    • @messagelab
    • @microsoft
    • abuse
    • admin
    • anyone@
    • bsd
    • bugs@
    • cafee
    • certific
    • contract@
    • feste
    • free-av
    • f-secur
    • gold-certs@
    • google
    • help@
    • icrosoft
    • info@
    • kasp
    • linux
    • listserv
    • local
    • news
    • nobody@
    • noone@
    • noreply
    • ntivi
    • panda
    • pgp
    • postmaster@
    • rating@
    • root@
    • samples
    • sopho
    • spam
    • support
    • unix
    • update
    • winrar
    • winzip

    Peer To Peer Propagation

    Files are created in folders that contain the phrase shar:

    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe

    Remote Access Component

    The virus listens on TCP port 1080 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by requesting a PHP script (o.php) from each of the following sites. At the time of this writing the script does not exist on any of these sites.

    • http://abtacha.wirebrain.de/o.php
    • http://begros.de/o.php
    • http://deepiceman.de/o.php
    • http://dfk-crew.clanintern.de/o.php
    • http://die-cliquee.de/o.php
    • http://edwinf.surfplanet.de/o.php
    • http://knecht.cs.uni-magdeburg.de/o.php
    • http://login.rz.fh-augsburg.de/o.php
    • http://niematec.de/o.php
    • http://obechmann.de/o.php
    • http://pe-data.de/o.php
    • http://people-ftp.freenet.de/o.php
    • http://ronnyackermann.de/o.php
    • http://sgi1.rz.rwth-aachen.de/o.php
    • http://symbit.de/o.php
    • http://tripod.de/o.php
    • http://web154.essen082.server4free.de/o.php
    • http://web216.berlin240.server4free.de/o.php
    • http://www.aachen.de/o.php
    • http://www.abacho.de/o.php
    • http://www.anwaltverein.de//o.php
    • http://www.aquarius.geomar.de/o.php
    • http://www.astronomie.de/o.php
    • http://www.atlantis-show.de/o.php
    • http://www.atlas-hannover.de/o.php
    • http://www.awi-bremerhaven.de/o.php
    • http://www.baden-wuerttemberg.de/o.php
    • http://www.bayerninfo.de/o.php
    • http://www.beck.de/o.php
    • http://www.berlinonline.de/o.php
    • http://www.bessy.de/o.php
    • http://www.bitburger.de/o.php
    • http://www.blk-bonn.de//o.php
    • http://www.bmgs.bund.de/o.php
    • http://www.brigitte.de/o.php
    • http://www.bundesliga.de/o.php
    • http://www.calistyler.de/o.php
    • http://www.citypopulation.de/o.php
    • http://www.dar-fantasy.de/o.php
    • http://www.dasding.de/o.php
    • http://www.degruyter.de/o.php
    • http://www.destatis.de/o.php
    • http://www.dortmund.de/o.php
    • http://www.duden.de/o.php
    • http://www.dwelle.de/o.php
    • http://www.empire-show.de/o.php
    • http://www.eumetsat.de/o.php
    • http://www.europarl.de/o.php
    • http://www.expo2000.de/o.php
    • http://www.fernuni-hagen.de/o.php
    • http://www.finanznachrichten.de/o.php
    • http://www.firstgate.de/o.php
    • http://www.frankfurt-airport.de/o.php
    • http://www.frankfurter-buchmesse.de/o.php
    • http://www.freiburg.de/o.php
    • http://www.gantke-net.de/o.php
    • http://www.gelbeseiten.de/o.php
    • http://www.gtz.de/o.php
    • http://www.gutenberg2000.de/o.php
    • http://www.hannobunz.de/o.php
    • http://www.heidelberg.de/o.php
    • http://www.helmholtz.de/o.php
    • http://www.hosteurope.de/o.php
    • http://www.h-p-i.de/o.php
    • http://www.immobilienscout24.de/o.php
    • http://www.jugendherberge.de/o.php
    • http://www.kabel1.de/o.php
    • http://www.kalenderblatt.de/o.php
    • http://www.karlsruhe.de/o.php
    • http://www.king-alp.de/o.php
    • http://www.klug-suchen.de/o.php
    • http://www.kompetenznetze.de/o.php
    • http://www.kompetenzz.de/o.php
    • http://www.krebsinformation.de/o.php
    • http://www.lords-of-havoc.de/o.php
    • http://www.lufthansa.de/o.php
    • http://www.lupo18t.de/o.php
    • http://www.mathguide.de/o.php
    • http://www.math-net.de/o.php
    • http://www.mdirk.de/o.php
    • http://www.medicine-worldwide.de/o.php
    • http://www.meinestadt.de/o.php
    • http://www.messe-duesseldorf.de/o.php
    • http://www.messe-muenchen.de/o.php
    • http://www.mohr.de/o.php
    • http://www.monster.de/o.php
    • http://www.munich-airport.de/o.php
    • http://www.mupad.de/o.php
    • http://www.murczak.de/o.php
    • http://www.niedersachsen.de/o.php
    • http://www.nuernbergmesse.de/o.php
    • http://www.onlinereviewguide.com/o.php
    • http://www.pcwelt.de/o.php
    • http://www.photokina.de/o.php
    • http://www.rapz-records.de/o.php
    • http://www.regtp.de/o.php
    • http://www.renewables2004.de/o.php
    • http://www.ruhr-uni-bochum.de/o.php
    • http://www.saarbruecken.de/o.php
    • http://www.saarland.de/o.php
    • http://www.schaubuehne.de/o.php
    • http://www.schulen-ans-netz.de/o.php
    • http://www.slowfood.de/o.php
    • http://www.staedtetag.de/o.php
    • http://www.stellenmarkt.de/o.php
    • http://www.stepstone.de/o.php
    • http://www.stifterverband.de/o.php
    • http://www.stricker-doerpen.de/o.php
    • http://www.studentenwerke.de/o.php
    • http://www.stufenlos-regelbar.de/o.php
    • http://www.stuttgart.de/o.php
    • http://www.stuttgarter-zeitung.de/o.php
    • http://www.superstar-nord.de/o.php
    • http://www.sysserver1.de/o.php
    • http://www.szakos.de/o.php
    • http://www.testdaf.de/o.php
    • http://www.tu-darmstadt.de/o.php
    • http://www.tu-dresden.de/o.php
    • http://www.tu-muenchen.de/o.php
    • http://www.umweltbundesamt.de/o.php
    • http://www.uni-bremen.de/o.php
    • http://www.unibw-muenchen.de/o.php
    • http://www.uni-duesseldorf.de/o.php
    • http://www.uni-duisburg-essen.de/o.php
    • http://www.uni-frankfurt.de/o.php
    • http://www.uni-jena.de/o.php
    • http://www.uni-mannheim.de/o.php
    • http://www.uni-marburg.de/o.php
    • http://www.uni-osnabrueck.de/o.php
    • http://www.uni-tuebingen.de/o.php
    • http://www.urlaubstage.de/o.php
    • http://www.vwschubert.de/o.php
    • http://www.webhits.de/o.php
    • http://www.wiley-vch.de/o.php
    • http://www.wissenschaft-online.de/o.php
    • http://zeus05.de/o.php
    • http://zille.cs.uni-magdeburg.de/o.php
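Because the notification is an ordinary HTTP request for /o.php on a fixed list of hosts, an outbound proxy log is a good place to spot infected clients on a network. The following is an added example, not McAfee's or Network General's filter: it sweeps access-log lines for requests to that path on the watched hosts and groups them by internal client. The Squid-style log layout, the log lines themselves (with TEST-NET addresses) and the use of only a subset of the hosts listed above are assumptions of this example.

```python
"""Proxy-log sweep for the W32/Bagle.ag@MM notification beacon.

Added example, not McAfee's or Network General's filter.  Beacon hosts
are a subset of the sites listed in the description; the log layout and
the sample lines are constructed (Squid-style access.log, TEST-NET IPs).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the notification hosts from the description; extend from the list.
BEACON_HOSTS = {"www.tu-dresden.de", "www.uni-bremen.de", "people-ftp.freenet.de",
                "www.pcwelt.de", "begros.de"}
BEACON_PATH = "/o.php"

# Squid native format: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample.  The 404s are expected: the description notes that
# o.php does not exist on the contacted sites, so a beaconing host keeps
# asking for a page that is never there.
SAMPLE_LOG = """\
1090267200.123    45 10.0.5.17 TCP_MISS/404 412 GET http://www.tu-dresden.de/o.php - DIRECT/192.0.2.10 text/html
1090267201.004    12 10.0.5.17 TCP_MISS/404 412 GET http://www.uni-bremen.de/o.php - DIRECT/192.0.2.11 text/html
1090267203.222   230 10.0.5.42 TCP_HIT/200 8123 GET http://www.pcwelt.de/index.html - NONE/- text/html
1090267210.777    31 10.0.5.17 TCP_MISS/404 412 GET http://people-ftp.freenet.de/o.php - DIRECT/192.0.2.12 text/html
1090267215.001    40 10.0.5.90 TCP_MISS/200 1200 GET http://www.example.com/o.php - DIRECT/192.0.2.13 text/html
"""


def parse_line(line: str):
    """Return the fields this check needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    return {"ts": float(m["ts"]), "client": m["client"],
            "host": (u.hostname or "").lower(), "path": u.path}


def find_beacons(log_text: str, min_hosts: int = 1) -> dict:
    """Map each client to the sorted beacon hosts it requested /o.php from.

    A single hit is already specific (no legitimate reason to fetch that
    path from these sites), but min_hosts lets an analyst require repeated
    attempts before raising an alert."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == BEACON_PATH and rec["host"] in BEACON_HOSTS:
            seen[rec["client"]].add(rec["host"])
    return {client: sorted(hosts) for client, hosts in seen.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for client, hosts in find_beacons(SAMPLE_LOG).items():
        print(f"{client} beaconed to {len(hosts)} host(s): {', '.join(hosts)}")
```

Matching on host and path rather than on the full URL keeps the rule robust to the double-slash variants in the list (for example //o.php), and a client that appears here should also be checked for the host artifacts described earlier on the page.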

    Removal

    All Users:
    Use the current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Stinger
    Stinger has been updated to include detection and removal of this threat. Download Stinger.

    McAfee System Compliance Profiler
    Create a rule that matches a file:
     - Choose SYSTEM_DIR from the drop-down
     - Type in SYS_XP.EXE for the file name
     - Choose "File does not exist" in the next drop-down

    McAfee Desktop Firewall
    To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 1080.

    McAfee ThreatScan
    ThreatScan signatures that can detect the W32/Bagle.ag virus are available from:

     - Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
     - Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

    ThreatScan Signature version: 2004-07-19

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
     - Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
     -or-
     - Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:

     - Run the "ThreatScan Template Report"
     - Look for module number #4079

    Network General Sniffer
    A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1

    Variants

      N/A

    Overview

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

    • http://www.tu-dresden.de/o.php
    • http://www.tu-muenchen.de/o.php
    • http://www.umweltbundesamt.de/o.php
    • http://www.uni-bremen.de/o.php
    • http://www.unibw-muenchen.de/o.php
    • http://www.uni-duesseldorf.de/o.php
    • http://www.uni-duisburg-essen.de/o.php
    • http://www.uni-frankfurt.de/o.php
    • http://www.uni-jena.de/o.php
    • http://www.uni-mannheim.de/o.php
    • http://www.uni-marburg.de/o.php
    • http://www.uni-osnabrueck.de/o.php
    • http://www.uni-tuebingen.de/o.php
    • http://www.urlaubstage.de/o.php
    • http://www.vwschubert.de/o.php
    • http://www.webhits.de/o.php
    • http://www.wiley-vch.de/o.php
    • http://www.wissenschaft-online.de/o.php
    • http://zeus05.de/o.php
    • http://zille.cs.uni-magdeburg.de/o.php

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Stinger
    Stinger has been updated to include detection and removal of this threat. Download Stinger.

    McAfee System Compliance Profiler
    Create a rule that matches a file
     - Choose SYSTEM_DIR from the drop-down
     - Type in SYS_XP.EXE for the file name
     - Choose "File does not exist" in the next drop-down

    McAfee Desktop Firewall
    To prevent possible remote access, McAfee Desktop Firewall users can block incoming TCP port 1080.
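    A host-side triage check that combines the two indicators above (the dropped SYS_XP.EXE in SYSTEM_DIR and a listener on TCP 1080) into one function. This is an added example, not McAfee's code; it assumes a current Windows PowerShell with the NetTCPIP module (Get-NetTCPConnection) rather than the Windows ME/XP hosts the page targets, and an elevated prompt so listener owners resolve.

```powershell
# Added triage check (not McAfee's code). Reports the two indicators this page
# names: SYS_XP.EXE in the system directory and a process listening on TCP 1080.
# Assumes Windows PowerShell 5.1+ with the NetTCPIP module, run elevated.
function Test-BagleAgIndicators {
    [CmdletBinding()]
    param(
        # SYSTEM_DIR, as chosen in the Compliance Profiler rule above
        [string]$SystemDir = [Environment]::GetFolderPath('System'),
        # Port named in the Desktop Firewall guidance
        [int]$Port = 1080
    )

    $dropped     = Join-Path $SystemDir 'SYS_XP.EXE'
    $filePresent = Test-Path -LiteralPath $dropped -PathType Leaf

    # Record whatever owns the listener; the worm's own would normally be
    # SYS_XP.EXE, but an unrelated proxy on 1080 is also worth a look.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port `
                      -ErrorAction SilentlyContinue)
    $owners = foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        $path = if ($proc) { $proc.Path } else { $null }
        [PSCustomObject]@{ Pid = $conn.OwningProcess; Name = $name; Path = $path }
    }

    [PSCustomObject]@{
        DroppedFile   = $dropped
        FilePresent   = $filePresent
        PortListening = ($listeners.Count -gt 0)
        Listeners     = $owners
        # Either indicator alone justifies a full scan with current DATs
        Suspicious    = ($filePresent -or $listeners.Count -gt 0)
    }
}

# Usage: Test-BagleAgIndicators | Format-List
```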

    McAfee Threatscan
    ThreatScan signatures that can detect the W32/Bagle.ag virus are available from:

     - Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
     - Threatscan 2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

    ThreatScan Signature version: 2004-07-19

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
     - Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
     -or-
     - Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:

     - Run the "ThreatScan Template Report"
     - Look for module number #4079

    Network General Sniffer
    A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1

    Variants

      N/A