McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This variant is a repacked version of W32/Bagle.bk@MM variant.

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

• Delivery service mail
• Delivery by mail
• Registration is accepted
• Is delivered mail
• You are made active

Body Text:

• Thanks for use of our software.
• Before use read the help

Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)

• wsd01
• viupd02
• siupd02
• guupd02
• zupd02
• upd02
• Jol03

The virus copies itself into the Windows System directory as sysformat.exe. For example:

• C:\WINNT\SYSTEM32\sysformat.exe

It also creates other files in this directory to perform its functions:

• C:\WINNT\SYSTEM32\sysformat.exeopen
• C:\WINNT\SYSTEM32\sysformat.exeopenopen

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe

Additionally, the following Registry keys are added:

• HKEY_CURRENT_USER\Software\Microsoft\Params "riga"

It deletes these values

• "My AV"
• "ICQ Net"

from the following Registry keys, if they are present:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run

A mutex is created to ensure only one instance of the worm is running at a time.  One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the process of security programs with the the following filenames:

• mcagent.exe
• mcvsshld.exe
• mcshield.exe
• mcvsescn.exe
• mcvsrte.exe
• DefWatch.exe
• Rtvscan.exe
• ccEvtMgr.exe
• NISUM.exe
• ccPxySvc.exe
• navapsvc.exe
• NPROTECT.exe
• nopdb.exe
• ccApp.exe
• Avsynmgr.exe
• VsStat.exe
• Vshwin32.exe
• alogserv.exe
• RuLaunch.exe
• Avconsol.exe
• PavFires.exe
• FIREWALL.exe
• ATUPDATER.exe
• LUALL.exe
• DRWEBUPW.exe
• AUTODOWN.exe
• NUPGRADE.exe
• OUTPOST.exe
• ICSSUPPNT.exe
• ICSUPP95.exe
• ESCANH95.exe
• AVXQUAR.exe
• ESCANHNT.exe
• ATUPDATER.exe
• AUPDATE.exe
• AUTOTRACE.exe
• AUTOUPDATE.exe
• AVXQUAR.exe
• AVWUPD32.exe
• AVPUPD.exe
• CFIAUDIT.exe
• UPDATE.exe
• NUPGRADE.exe
• MCUPDATE.exe
• pavsrv50.exe
• AVENGINE.exe
• APVXDWIN.exe
• pavProxy.exe
• navapw32.exe
• navapsvc.exe
• ccProxy.exe
• navapsvc.exe
• NPROTECT.exe
• SAVScan.exe
• SNDSrvc.exe
• symlcsvc.exe
• LUCOMS~1.exe
• blackd.exe
• bawindo.exe
• FrameworkService.exe
• VsTskMgr.exe
• SHSTAT.exe
• UpdaterUI.exe

The worm opens random ports starting with 2339 (TCP) on the victim machine.

Symptoms

Method of Infection

  Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

• @microsoft
• rating@
• f-secur
• news
• update
• anyone@
• bugs@
• contract@
• feste
• gold-certs@
• help@
• info@
• nobody@
• noone@
• kasp
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• sopho
• @foo
• @iana
• free-av
• @messagelab
• winzip
• google
• winrar
• samples
• abuse
• panda
• cafee
• spam
• pgp
• @avp.
• noreply
• local
• root@
• postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

• 1.exe
• 2.exe
• 3.exe
• 4.exe
• 5.scr
• 6.exe
• 7.exe
• 8.exe
• 9.exe
• 10.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe

Remote Access Component

The virus listens on random TCP ports, for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a JPG file (error.jpg) on the remote sites.

• http://www.pyrlandia-boogie.pl
• http://www.kps4parents.com
• http://www.pipni.cz
• http://www.selu.edu
• http://www.travelchronic.de
• http://www.fleigutaetscher.ch
• http://www.irakli.org
• http://www.oboe-online.com
• http://www.pe-sh.com
• http://www.idb-group.net
• http://www.ceskyhosting.cz
• http://www.hartacorporation.com
• http://www.glass.la
• http://www.24-7-transportation.com
• http://www.fepese.ufsc.br
• http://www.ellarouge.com.au
• http://www.bbsh.org
• http://www.boneheadmusic.com
• http://www.sljinc.com
• http://www.tivogoddess.com
• http://www.fcpages.com
• http://www.szantomierz.art.pl
• http://www.elenalazar.com
• http://www.generationnow.net
• http://www.flashcorp.com
• http://www.kencorbett.com
• http://www.FritoPie.NET
• http://www.leonhendrix.com
• http://www.transportation.gov.bh
• http://www.jhaforpresident.7p.com
• http://www.DarrkSydebaby.com
• http://www.cntv.info
• http://www.sugardas.lt
• http://www.adhdtests.com
• http://www.argontech.net
• http://www.customloyal.com
• http://www.ohiolimo.com
• http://www.topko.sk
• http://www.ssmifc.ca
• http://www.reliance-yachts.com
• http://www.worest.com.ar
• http://www.kps4parents.com
• http://www.coolfreepages.com
• http://www.scanex-medical.fi
• http://www.jimvann.com
• http://www.orari.net
• http://www.himpsi.org
• http://www.mtfdesign.com
• http://www.jldr.ca
• http://www.relocationflorida.com
• http://www.rentalstation.com
• http://www.approved1stmortgage.com
• http://www.velezcourtesymanagement.com
• http://www.sunassetholdings.com
• http://www.compsolutionstore.com
• http://www.uhcc.com
• http://www.justrepublicans.com
• http://www.pfadfinder-leobersdorf.com
• http://www.featech.com
• http://www.vinirforge.com
• http://www.magicbottle.com.tw
• http://www.giantrevenue.com
• http://www.couponcapital.net
• http://www.crystalrose.ca
• http://www.bottombouncer.com
• http://www.anthonyflanagan.com
• http://www.bradster.com
• http://www.traverse.com
• http://www.ims-i.com
• http://www.realgps.com
• http://www.aviation-center.de
• http://www.gci-bln.de
• http://www.pankration.com
• http://www.jansenboiler.com
• http://www.corpsite.com
• http://www.everett.wednet.edu
• http://www.onepositiveplace.org
• http://www.raecoinc.com
• http://www.wwwebad.com
• http://www.corpsite.com
• http://www.wwwebmaster.com
• http://www.wwwebad.com
• http://www.dragcar.com
• http://www.wwwebad.com
• http://www.oohlala-kirkland.com
• http://www.calderwoodinn.com
• http://www.buddyboymusic.com
• http://www.smacgreetings.com
• http://www.tkd2xcell.com
• http://www.curtmarsh.com
• http://www.dontbeaweekendparent.com
• http://www.soloconsulting.com
• http://www.lasermach.com
• http://www.alupass.lu
• http://www.sigi.lu
• http://www.redlightpictures.com
• http://www.irinaswelt.de
• http://www.bueroservice-it.de
• http://www.kranenberg.de
• http://www.the-fabulous-lions.de
• http://www.mongolische-renner.de
• http://www.capri-frames.de
• http://www.aimcenter.net
• http://www.boneheadmusic.com
• http://www.fludir.is
• http://www.sljinc.com
• http://www.tivogoddess.com
• http://www.fcpages.com
• http://www.andara.com
• http://www.freeservers.com
• http://www.programmierung2000.de
• http://www.asianfestival.nl
• http://www.aviation-center.de
• http://www.gci-bln.de
• http://www.mass-i.kiev.ua
• http://www.jasnet.pl
• http://www.atlantisteste.hpg.com.br
• http://www.fludir.is
• http://www.rieraquadros.com.br
• http://www.metal.pl
• http://www.handsforhealth.com
• http://www.angelartsanctuary.com
• http://www.firstnightoceancounty.org
• http://www.chinasenfa.com
• http://www.ulpiano.org
• http://www.gamp.pl
• http://www.vikingpc.pl
• http://www.woundedshepherds.com
• http://www.cpc.adv.br
• http://www.velocityprint.com
• http://www.esperanzaparalafamilia.com
• http://www.celula.com.mx
• http://www.mexis.com
• http://www.wecompete.com
• http://www.vbw.info
• http://www.gfn.org
• http://www.aegee.org
• http://www.deadrobot.com
• http://www.cscliberec.cz
• http://www.ecofotos.com.br
• http://www.amanit.ru
• http://www.bga-gsm.ru
• http://www.innnewport.com
• http://www.knicks.nl
• http://www.srg-neuburg.de
• http://www.mepmh.de
• http://www.mepbisu.de
• http://www.kradtraining.de
• http://www.polizeimotorrad.de
• http://www.sea.bz.it
• http://www.uslungiarue.it
• http://www.gcnet.ru
• http://www.aimcenter.net
• http://www.vandermost.de
• http://www.szantomierz.art.pl
• http://www.immonaut.sk
• http://www.eurostavba.sk
• http://www.spadochron.pl

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This variant is a repacked version of W32/Bagle.bk@MM variant.

This is a mass-mailing worm with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• harvests email addresses from the victim machine
• the From: address of messages is spoofed
• contains a remote access component (notification is sent to hacker)
• copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

• Delivery service mail
• Delivery by mail
• Registration is accepted
• Is delivered mail
• You are made active

Body Text:

• Thanks for use of our software.
• Before use read the help

Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)

• wsd01
• viupd02
• siupd02
• guupd02
• zupd02
• upd02
• Jol03

The virus copies itself into the Windows System directory as sysformat.exe. For example:

• C:\WINNT\SYSTEM32\sysformat.exe

It also creates other files in this directory to perform its functions:

• C:\WINNT\SYSTEM32\sysformat.exeopen
• C:\WINNT\SYSTEM32\sysformat.exeopenopen

The following Registry key is added to hook system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe

Additionally, the following Registry keys are added:

• HKEY_CURRENT_USER\Software\Microsoft\Params "riga"

It deletes these values

• "My AV"
• "ICQ Net"

from the following Registry keys, if they are present:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run

A mutex is created to ensure only one instance of the worm is running at a time.  One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

This worm attempts to terminate the process of security programs with the the following filenames:

• mcagent.exe
• mcvsshld.exe
• mcshield.exe
• mcvsescn.exe
• mcvsrte.exe
• DefWatch.exe
• Rtvscan.exe
• ccEvtMgr.exe
• NISUM.exe
• ccPxySvc.exe
• navapsvc.exe
• NPROTECT.exe
• nopdb.exe
• ccApp.exe
• Avsynmgr.exe
• VsStat.exe
• Vshwin32.exe
• alogserv.exe
• RuLaunch.exe
• Avconsol.exe
• PavFires.exe
• FIREWALL.exe
• ATUPDATER.exe
• LUALL.exe
• DRWEBUPW.exe
• AUTODOWN.exe
• NUPGRADE.exe
• OUTPOST.exe
• ICSSUPPNT.exe
• ICSUPP95.exe
• ESCANH95.exe
• AVXQUAR.exe
• ESCANHNT.exe
• ATUPDATER.exe
• AUPDATE.exe
• AUTOTRACE.exe
• AUTOUPDATE.exe
• AVXQUAR.exe
• AVWUPD32.exe
• AVPUPD.exe
• CFIAUDIT.exe
• UPDATE.exe
• NUPGRADE.exe
• MCUPDATE.exe
• pavsrv50.exe
• AVENGINE.exe
• APVXDWIN.exe
• pavProxy.exe
• navapw32.exe
• navapsvc.exe
• ccProxy.exe
• navapsvc.exe
• NPROTECT.exe
• SAVScan.exe
• SNDSrvc.exe
• symlcsvc.exe
• LUCOMS~1.exe
• blackd.exe
• bawindo.exe
• FrameworkService.exe
• VsTskMgr.exe
• SHSTAT.exe
• UpdaterUI.exe

The worm opens random ports starting with 2339 (TCP) on the victim machine.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

  Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

• .wab
• .txt
• .msg
• .htm
• .shtm
• .stm
• .xml
• .dbx
• .mbx
• .mdx
• .eml
• .nch
• .mmf
• .ods
• .cfg
• .asp
• .php
• .pl
• .wsh
• .adb
• .tbb
• .sht
• .xls
• .oft
• .uin
• .cgi
• .mht
• .dhtm
• .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

• @microsoft
• rating@
• f-secur
• news
• update
• anyone@
• bugs@
• contract@
• feste
• gold-certs@
• help@
• info@
• nobody@
• noone@
• kasp
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• sopho
• @foo
• @iana
• free-av
• @messagelab
• winzip
• google
• winrar
• samples
• abuse
• panda
• cafee
• spam
• pgp
• @avp.
• noreply
• local
• root@
• postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

• 1.exe
• 2.exe
• 3.exe
• 4.exe
• 5.scr
• 6.exe
• 7.exe
• 8.exe
• 9.exe
• 10.exe
• Ahead Nero 7.exe
• Windown Longhorn Beta Leak.exe
• Opera 8 New!.exe
• XXX hardcore images.exe
• WinAmp 6 New!.exe
• WinAmp 5 Pro Keygen Crack Update.exe
• Adobe Photoshop 9 full.exe
• Matrix 3 Revolution English Subtitles.exe
• ACDSee 9.exe

Remote Access Component

The virus listens on random TCP ports, for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a JPG file (error.jpg) on the remote sites.

• http://www.pyrlandia-boogie.pl
• http://www.kps4parents.com
• http://www.pipni.cz
• http://www.selu.edu
• http://www.travelchronic.de
• http://www.fleigutaetscher.ch
• http://www.irakli.org
• http://www.oboe-online.com
• http://www.pe-sh.com
• http://www.idb-group.net
• http://www.ceskyhosting.cz
• http://www.hartacorporation.com
• http://www.glass.la
• http://www.24-7-transportation.com
• http://www.fepese.ufsc.br
• http://www.ellarouge.com.au
• http://www.bbsh.org
• http://www.boneheadmusic.com
• http://www.sljinc.com
• http://www.tivogoddess.com
• http://www.fcpages.com
• http://www.szantomierz.art.pl
• http://www.elenalazar.com
• http://www.generationnow.net
• http://www.flashcorp.com
• http://www.kencorbett.com
• http://www.FritoPie.NET
• http://www.leonhendrix.com
• http://www.transportation.gov.bh
• http://www.jhaforpresident.7p.com
• http://www.DarrkSydebaby.com
• http://www.cntv.info
• http://www.sugardas.lt
• http://www.adhdtests.com
• http://www.argontech.net
• http://www.customloyal.com
• http://www.ohiolimo.com
• http://www.topko.sk
• http://www.ssmifc.ca
• http://www.reliance-yachts.com
• http://www.worest.com.ar
• http://www.kps4parents.com
• http://www.coolfreepages.com
• http://www.scanex-medical.fi
• http://www.jimvann.com
• http://www.orari.net
• http://www.himpsi.org
• http://www.mtfdesign.com
• http://www.jldr.ca
• http://www.relocationflorida.com
• http://www.rentalstation.com
• http://www.approved1stmortgage.com
• http://www.velezcourtesymanagement.com
• http://www.sunassetholdings.com
• http://www.compsolutionstore.com
• http://www.uhcc.com
• http://www.justrepublicans.com
• http://www.pfadfinder-leobersdorf.com
• http://www.featech.com
• http://www.vinirforge.com
• http://www.magicbottle.com.tw
• http://www.giantrevenue.com
• http://www.couponcapital.net
• http://www.crystalrose.ca
• http://www.bottombouncer.com
• http://www.anthonyflanagan.com
• http://www.bradster.com
• http://www.traverse.com
• http://www.ims-i.com
• http://www.realgps.com
• http://www.aviation-center.de
• http://www.gci-bln.de
• http://www.pankration.com
• http://www.jansenboiler.com
• http://www.corpsite.com
• http://www.everett.wednet.edu
• http://www.onepositiveplace.org
• http://www.raecoinc.com
• http://www.wwwebad.com
• http://www.corpsite.com
• http://www.wwwebmaster.com
• http://www.wwwebad.com
• http://www.dragcar.com
• http://www.wwwebad.com
• http://www.oohlala-kirkland.com
• http://www.calderwoodinn.com
• http://www.buddyboymusic.com
• http://www.smacgreetings.com
• http://www.tkd2xcell.com
• http://www.curtmarsh.com
• http://www.dontbeaweekendparent.com
• http://www.soloconsulting.com
• http://www.lasermach.com
• http://www.alupass.lu
• http://www.sigi.lu
• http://www.redlightpictures.com
• http://www.irinaswelt.de
• http://www.bueroservice-it.de
• http://www.kranenberg.de
• http://www.the-fabulous-lions.de
• http://www.mongolische-renner.de
• http://www.capri-frames.de
• http://www.aimcenter.net
• http://www.boneheadmusic.com
• http://www.fludir.is
• http://www.sljinc.com
• http://www.tivogoddess.com
• http://www.fcpages.com
• http://www.andara.com
• http://www.freeservers.com
• http://www.programmierung2000.de
• http://www.asianfestival.nl
• http://www.aviation-center.de
• http://www.gci-bln.de
• http://www.mass-i.kiev.ua
• http://www.jasnet.pl
• http://www.atlantisteste.hpg.com.br
• http://www.fludir.is
• http://www.rieraquadros.com.br
• http://www.metal.pl
• http://www.handsforhealth.com
• http://www.angelartsanctuary.com
• http://www.firstnightoceancounty.org
• http://www.chinasenfa.com
• http://www.ulpiano.org
• http://www.gamp.pl
• http://www.vikingpc.pl
• http://www.woundedshepherds.com
• http://www.cpc.adv.br
• http://www.velocityprint.com
• http://www.esperanzaparalafamilia.com
• http://www.celula.com.mx
• http://www.mexis.com
• http://www.wecompete.com
• http://www.vbw.info
• http://www.gfn.org
• http://www.aegee.org
• http://www.deadrobot.com
• http://www.cscliberec.cz
• http://www.ecofotos.com.br
• http://www.amanit.ru
• http://www.bga-gsm.ru
• http://www.innnewport.com
• http://www.knicks.nl
• http://www.srg-neuburg.de
• http://www.mepmh.de
• http://www.mepbisu.de
• http://www.kradtraining.de
• http://www.polizeimotorrad.de
• http://www.sea.bz.it
• http://www.uslungiarue.it
• http://www.gcnet.ru
• http://www.aimcenter.net
• http://www.vandermost.de
• http://www.szantomierz.art.pl
• http://www.immonaut.sk
• http://www.eurostavba.sk
• http://www.spadochron.pl

Removal -

Removal -

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A