Content

W32/Bagle.fb@MM

Type
Virus
SubType
E-mail worm
Discovery Date
06/20/2006
Length
Varies
Minimum DAT
4789 (06/20/2006)
Updated DAT
5301 (05/22/2008)
Minimum Engine
5.1.00
Description Added
06/20/2006
Description Modified
06/21/2006 9:16 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

- Update 6/20/2006 -
This Bagle variant has been discovered in packed and never-packed forms today. The never-packed version is proactively detected as W32/Bagle.dldr

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment is a password-protected zip file, with the password included in the message body.
  • disables security applications
  • drops a rootkit

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject :

  • Ales
  • Alice
  • Alyce
  • Alyce
  • Andrew
  • Androw
  • Androwe
  • Ann
  • Anna
  • Anna
  • Anne
  • Annes
  • Anthonie
  • Anthonie
  • Anthony
  • Anthonye
  • Avice
  • Avis
  • Bennet
  • Bennett
  • Christean
  • Christian
  • Constance
  • Cybil
  • Daniel
  • Danyell
  • Dorithie
  • Dorothee
  • Dorothy
  • Edmond
  • Edmonde
  • Edmund
  • Edward
  • Edwarde
  • Elizabeth
  • Elizabethe
  • Ellen
  • Ellyn
  • Emanual
  • Emanuell
  • Ester
  • Frances
  • Francis
  • Fraunces
  • Gabriell
  • Geoffraie
  • George
  • Grace
  • Harry
  • Harrye
  • Henrie
  • Henry
  • Henrye
  • Hughe
  • Humphrey
  • Humphrie
  • I love you
  • Isabel
  • Isabell
  • James
  • Jane
  • Jeames
  • Jeffrey
  • Jeffrye
  • Joane
  • Johen
  • John
  • Josias
  • Judeth
  • Judith
  • Judithe
  • Katherine
  • Katheryne
  • Leonard
  • Leonarde
  • Margaret
  • Margarett
  • Margerie
  • Margerye
  • Margret
  • Margrett
  • Marie
  • Martha
  • Mary
  • Marye
  • Michael
  • Mychaell
  • Nathaniel
  • Nathaniell
  • Nathanyell
  • Nicholas
  • Nicholaus
  • Nycholas
  • Peter
  • Ralph
  • Rebecka
  • Richard
  • Richarde
  • Robert
  • Robert
  • Roberte
  • Roger
  • Rose
  • Rycharde
  • Samuell
  • Sara
  • Sidney
  • Sindony
  • Stephen
  • Susan
  • Susanna
  • Suzanna
  • Sybyll
  • Syndony
  • Thomas
  • To the beloved
  • Valentyne
  • William
  • Winifred
  • Wynefrede
  • Wynefreed
  • Wynnefreede

Body Text:

  • The password is
  • Password --
  • Use password
  • Password is
  • Zip password:
  • archive password:
  • Password -
  • Password:

These are all followed by the image from the included GIF file.

It may also include one of the following two additional phrases, before the password:

  • To the beloved
  • I love you

Attachment: (will contain a randomly named EXE and GIF file)

  • Ales.zip
  • Alice.zip
  • Alyce.zip
  • Andrew.zip
  • Androw.zip
  • Androwe.zip
  • Ann.zip
  • Anna.zip
  • Anne.zip
  • Annes.zip
  • Anthonie.zip
  • Anthony.zip
  • Anthonye.zip
  • Avice.zip
  • Avis.zip
  • Avis.zip
  • Bennet.zip
  • Bennett.zip
  • Christean.zip
  • Christian.zip
  • Constance.zip
  • Cybil.zip
  • Daniel.zip
  • Danyell.zip
  • Dorithie.zip
  • Dorothee.zip
  • Dorothy.zip
  • Edmond.zip
  • Edmonde.zip
  • Edmund.zip
  • Edward.zip
  • Edwarde.zip
  • Elizabeth.zip
  • Elizabethe.zip
  • Ellen.zip
  • Ellyn.zip
  • Emanual.zip
  • Emanuel.zip
  • Emanuell.zip
  • Ester.zip
  • Frances.zip
  • Francis.zip
  • Fraunces.zip
  • Gabriell.zip
  • Geoffraie.zip
  • George.zip
  • Grace.zip
  • Harry.zip
  • Harrye.zip
  • Henrie.zip
  • Henry.zip
  • Henrye.zip
  • Hughe.zip
  • Humphrey.zip
  • Humphrie.zip
  • Isabel.zip
  • Isabell.zip
  • James.zip
  • Jane.zip
  • Jeames.zip
  • Jeffrey.zip
  • Jeffrye.zip
  • Joane.zip
  • Johen.zip
  • John.zip
  • Josias.zip
  • Judeth.zip
  • Judith.zip
  • Judithe.zip
  • Katherine.zip
  • Katheryne.zip
  • Leonard.zip
  • Leonarde.zip
  • Margaret.zip
  • Margarett.zip
  • Margerie.zip
  • Margerye.zip
  • Margret.zip
  • Margrett.zip
  • Marie.zip
  • Martha.zip
  • Mary.zip
  • Marye.zip
  • Michael.zip
  • Mychaell.zip
  • Nathaniel.zip
  • Nathaniell.zip
  • Nathanyell.zip
  • Nicholas.zip
  • Nicholaus.zip
  • Nycholas.zip
  • Peter.zip
  • Ralph.zip
  • Rebecka.zip
  • Richard.zip
  • Richarde.zip
  • Robert.zip
  • Roberte.zip
  • Roger.zip
  • Rose.zip
  • Rycharde.zip
  • Samuell.zip
  • Sara.zip
  • Sidney.zip
  • Sindony.zip
  • Stephen.zip
  • Susan.zip
  • Susanna.zip
  • Suzanna.zip
  • Sybell.zip
  • Sybyll.zip
  • Syndony.zip
  • Thomas.zip
  • Valentyne.zip
  • William.zip
  • Winifred.zip
  • Wynefrede.zip
  • Wynefreed.zip
  • Wynnefreede.zip

The virus copies itself as HIDN.EXE to the following directory:

  • C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

It also creates a rootkit to hide directories (and all files within them) which contain the word shared:

  • C:\Documents and Settings\%User%\Application Data\hidn\m_hook.sys ( 15360 bytes )

It also creates a copy of its ZIP file locally, and a fake error message:

  • C:\temp.zip
  • C:\error.gif

The error message appears as follows

A registry key is created to run itself again upon system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
    \Run "drv_st_key" = C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

Additionally, the following Registry keys are added:

  • HKEY_CURRENT_USER\Software\firstruxzx\firstrun="1"

It deletes the following registry entry, to disable Safe Boot:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot

This worm attempts to terminate services of security programs with the the following filenames:

  • wuauserv
  • Aavmker4
  • ABVPN2K
  • ADBLOCK.DLL
  • ADFirewall
  • AFWMCL
  • Ahnlab task Scheduler
  • alerter
  • AlertManger
  • AntiVir Service
  • AntiyFirewall
  • ARP.DLL
  • aswMon2
  • aswRdr
  • aswTdi
  • aswUpdSv
  • Ati HotKey Poller
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • AVEService
  • AVExch32Service
  • AvFlt
  • Avg7Alrt
  • Avg7Core
  • Avg7RsW
  • Avg7RsXP
  • Avg7UpdSvc
  • AvgCore
  • AvgFsh
  • AVGFwSrv
  • AvgFwSvr
  • AvgServ
  • AvgTdi
  • AVIRAMailService
  • AVIRAService
  • avpcc
  • AVUPDService
  • AVWUpSrv
  • AvxIni
  • awhost32
  • backweb client - 4476822
  • BackWeb Client - 7681197
  • backweb client-4476822
  • Bdfndisf
  • bdftdif
  • bdss
  • BlackICE
  • BsFileSpy
  • BsFirewall
  • BsMailProxy
  • CAISafe
  • ccEvtMgr
  • ccPwdSvc
  • ccSetMgr
  • ccSetMgr.exe
  • CONTENT.DLL
  • DefWatch
  • DNSCACHE.DLL
  • drwebnet
  • dvpapi
  • dvpinit
  • ewido security suite control
  • ewido security suite driver
  • ewido security suite guard
  • F-Prot Antivirus Update Monitor
  • F-Secure Gatekeeper Handler Starter
  • firewall
  • fsbwsys
  • FSDFWD
  • FSFW
  • FSMA
  • FTPFILT.DLL
  • FwcAgent
  • fwdrv
  • Guard NT
  • HSnSFW
  • HSnSPro
  • HTMLFILT.DLL
  • HTTPFILT.DLL
  • IMAPFILT.DLL
  • InoRPC
  • InoRT
  • InoTask
  • Ip6Fw
  • Ip6FwHlp
  • KAVMonitorService
  • KAVSvc
  • KLBLMain
  • KPfwSvc
  • KWatch3
  • KWatchSvc
  • MAILFILT.DLL
  • McAfee Firewall
  • McAfeeFramework
  • McShield
  • McTaskManager
  • mcupdmgr.exe
  • MCVSRte
  • Microsoft NetWork FireWall Services
  • MonSvcNT
  • MpfService
  • navapsvc
  • Ndisuio
  • NDIS_RD
  • Network Associates Log Service
  • nipsvc
  • NISSERV
  • NISUM
  • NNTPFILT.DLL
  • NOD32ControlCenter
  • NOD32krn
  • NOD32Service
  • Norman NJeeves
  • Norman Type-R
  • Norman ZANDA
  • Norton AntiVirus Server
  • NPDriver
  • NPFMntor
  • NProtectService
  • NSCTOP
  • nvcoas
  • NVCScheduler
  • nwclntc
  • nwclntd
  • nwclnte
  • nwclntf
  • nwclntg
  • nwclnth
  • NWService
  • OfcPfwSvc
  • Outbreak Manager
  • Outpost Firewall
  • OutpostFirewall
  • PASSRV
  • PAVAGENTE
  • PavAtScheduler
  • PAVDRV
  • PAVFIRES
  • PAVFNSVR
  • Pavkre
  • PavProc
  • PavProt
  • PavPrSrv
  • PavReport
  • PAVSRV
  • PCCPFW
  • PCC_PFW
  • PersFW
  • Personal Firewall
  • POP3FILT.DLL
  • PREVSRV
  • PROTECT.DLL
  • PSIMSVC
  • qhwscsvc
  • wscsvc
  • Quick Heal Online Protection
  • ravmon8
  • RfwService
  • SAVFMSE
  • SAVScan
  • SBService
  • schscnt
  • SECRET.DLL
  • SharedAccess
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpiderNT
  • SweepNet
  • SWEEPSRV.SYS
  • Symantec AntiVirus Client
  • Symantec Core LC
  • The_Hacker_Antivirus
  • Tmntsrv
  • TmPfw
  • tmproxy
  • tmtdi
  • tm_cfw
  • T_H_S_M
  • V3MonNT
  • V3MonSvc
  • Vba32ECM
  • Vba32ifs
  • Vba32Ldr
  • Vba32PP3
  • VBCompManService
  • VexiraAntivirus
  • VFILT
  • VisNetic AntiVirus Plug-in
  • vrfwsvc
  • vsmon
  • VSSERV
  • WinAntivirus
  • WinRoute
  • wuauserv
  • xcomm

The worm uses the following list to stop running processes:

  • a2guard.exe
  • aavshield.exe
  • AckWin32.exe
  • ADVCHK.EXE
  • AhnSD.exe
  • airdefense.exe
  • ALERTSVC.EXE
  • ALMon.exe
  • ALOGSERV.EXE
  • ALsvc.exe
  • amon.exe
  • Anti-Trojan.exe
  • AntiVirScheduler
  • AntiVirService
  • ANTS.EXE
  • APVXDWIN.EXE
  • Armor2net.exe
  • ashAvast.exe
  • ashDisp.exe
  • ashEnhcd.exe
  • ashMaiSv.exe
  • ashPopWz.exe
  • ashServ.exe
  • ashSimpl.exe
  • ashSkPck.exe
  • ashWebSv.exe
  • aswUpdSv.exe
  • ATCON.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • avciman.exe
  • Avconsol.exe
  • AVENGINE.EXE
  • avgamsvr.exe
  • avgcc.exe
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • avgemc.exe
  • avgfwsrv.exe
  • AVGNT.EXE
  • avgntdd
  • avgntmgr
  • AVGSERV.EXE
  • AVGUARD.EXE
  • avgupsvc.exe
  • avinitnt.exe
  • AvkServ.exe
  • AVKService.exe
  • AVKWCtl.exe
  • AVP.EXE
  • AVP32.EXE
  • avpcc.exe
  • avpm.exe
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • avsynmgr.exe
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • BackWeb-4476822.exe
  • bdmcon.exe
  • bdnews.exe
  • bdoesrv.exe
  • bdss.exe
  • bdsubmit.exe
  • bdswitch.exe
  • blackd.exe
  • blackice.exe
  • cafix.exe
  • ccApp.exe
  • ccEvtMgr.exe
  • ccProxy.exe
  • ccSetMgr.exe
  • CFIAUDIT.EXE
  • ClamTray.exe
  • ClamWin.exe
  • Claw95.exe
  • Claw95cf.exe
  • cleaner.exe
  • cleaner3.exe
  • CliSvc.exe
  • CMGrdian.exe
  • cpd.exe
  • DefWatch.exe
  • DOORS.EXE
  • DrVirus.exe
  • drwadins.exe
  • drweb32w.exe
  • drwebscd.exe
  • DRWEBUPW.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ewidoctrl.exe
  • EzAntivirusRegistrationCheck.exe
  • F-AGNT95.EXE
  • F-PROT95.EXE
  • F-Sched.exe
  • F-StopW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FireSvc.exe
  • FireTray.exe
  • FIREWALL.EXE
  • fpavupdm.exe
  • freshclam.exe
  • FRW.EXE
  • fsav32.exe
  • fsavgui.exe
  • fsbwsys.exe
  • fsdfwd.exe
  • FSGK32.EXE
  • fsgk32st.exe
  • fsguiexe.exe
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • fspex.exe
  • fssm32.exe
  • gcasDtServ.exe
  • gcasServ.exe
  • GIANTAntiSpywareMain.exe
  • GIANTAntiSpywareUpdater.exe
  • GUARD.EXE
  • GUARDGUI.EXE
  • GuardNT.exe
  • HRegMon.exe
  • Hrres.exe
  • HSockPE.exe
  • HUpdate.EXE
  • iamapp.exe
  • iamserv.exe
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • INETUPD.EXE
  • InocIT.exe
  • InoRpc.exe
  • InoRT.exe
  • InoTask.exe
  • InoUpTNG.exe
  • IOMON98.EXE
  • isafe.exe
  • ISATRAY.EXE
  • ISRV95.EXE
  • ISSVC.exe
  • JEDI.EXE
  • KAV.exe
  • kavmm.exe
  • KAVPF.exe
  • KavPFW.exe
  • KAVStart.exe
  • KAVSvc.exe
  • KAVSvcUI.EXE
  • KMailMon.EXE
  • KPfwSvc.EXE
  • KWatch.EXE
  • livesrv.exe
  • LOCKDOWN2000.EXE
  • LogWatNT.exe
  • lpfw.exe
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • Luupdate.exe
  • MCAGENT.EXE
  • mcmnhdlr.exe
  • mcregwiz.exe
  • Mcshield.exe
  • MCUPDATE.EXE
  • mcvsshld.exe
  • MINILOG.EXE
  • MONITOR.EXE
  • MonSysNT.exe
  • MOOLIVE.EXE
  • MpEng.exe
  • mpssvc.exe
  • MSMPSVC.exe
  • myAgtSvc.exe
  • myagttry.exe
  • navapsvc.exe
  • NAVAPW32.EXE
  • NavLu32.exe
  • NAVW32.EXE
  • NDD32.EXE
  • NeoWatchLog.exe
  • NeoWatchTray.exe
  • NISSERV
  • NISUM.EXE
  • NMAIN.EXE
  • nod32.exe
  • nod32krn.exe
  • nod32kui.exe
  • NORMIST.EXE
  • notstart.exe
  • npavtray.exe
  • NPFMNTOR.EXE
  • npfmsg.exe
  • NPROTECT.EXE
  • NSCHED32.EXE
  • NSMdtr.exe
  • NssServ.exe
  • NssTray.exe
  • ntrtscan.exe
  • NTXconfig.exe
  • NUPGRADE.EXE
  • NVC95.EXE
  • Nvcod.exe
  • Nvcte.exe
  • Nvcut.exe
  • NWService.exe
  • OfcPfwSvc.exe
  • OUTPOST.EXE
  • PAV.EXE
  • PavFires.exe
  • PavFnSvr.exe
  • Pavkre.exe
  • PavProt.exe
  • pavProxy.exe
  • pavprsrv.exe
  • pavsrv51.exe
  • PAVSS.EXE
  • pccguide.exe
  • PCCIOMON.EXE
  • pccntmon.exe
  • PCCPFW.exe
  • PcCtlCom.exe
  • PCTAV.exe
  • PERSFW.EXE
  • pertsk.exe
  • PERVAC.EXE
  • PNMSRV.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • prevsrv.exe
  • PsImSvc.exe
  • QHM32.EXE
  • QHONLINE.EXE
  • QHONSVC.EXE
  • QHPF.EXE
  • qhwscsvc.exe
  • RavMon.exe
  • RavTimer.exe
  • Realmon.exe
  • REALMON95.EXE
  • Rescue.exe
  • rfwmain.exe
  • Rtvscan.exe
  • RTVSCN95.EXE
  • RuLaunch.exe
  • SAVAdminService.exe
  • SAVMain.exe
  • savprogress.exe
  • SAVScan.exe
  • SCAN32.EXE
  • ScanningProcess.exe
  • sched.exe
  • sdhelp.exe
  • SERVIC~1.EXE
  • SHSTAT.EXE
  • SiteCli.exe
  • smc.exe
  • SNDSrvc.exe
  • SPBBCSvc.exe
  • SPHINX.EXE
  • spiderml.exe
  • spidernt.exe
  • Spiderui.exe
  • SpybotSD.exe
  • SPYXX.EXE
  • SS3EDIT.EXE
  • stopsignav.exe
  • swAgent.exe
  • swdoctor.exe
  • SWNETSUP.EXE
  • symlcsvc.exe
  • SymProxySvc.exe
  • SymSPort.exe
  • SymWSC.exe
  • SYNMGR.EXE
  • TAUMON.EXE
  • TBMon.exe
  • TC.EXE
  • tca.exe
  • TCM.EXE
  • TDS-3.EXE
  • TeaTimer.exe
  • TFAK.EXE
  • THAV.EXE
  • THSM.EXE
  • Tmas.exe
  • tmlisten.exe
  • Tmntsrv.exe
  • TmPfw.exe
  • tmproxy.exe
  • TNBUtil.exe
  • TRJSCAN.EXE
  • Up2Date.exe
  • UPDATE.EXE
  • UpdaterUI.exe
  • upgrepl.exe
  • Vba32ECM.exe
  • Vba32ifs.exe
  • vba32ldr.exe
  • Vba32PP3.exe
  • VBSNTW.exe
  • vchk.exe
  • vcrmon.exe
  • VetTray.exe
  • VirusKeeper.exe
  • VPTRAY.EXE
  • vrfwsvc.exe
  • VRMONNT.EXE
  • vrmonsvc.exe
  • vrrw32.exe
  • VSECOMR.EXE
  • Vshwin32.exe
  • vsmon.exe
  • vsserv.exe
  • VsStat.exe
  • WATCHDOG.EXE
  • WebProxy.exe
  • Webscanx.exe
  • WEBTRAP.EXE
  • WGFE95.EXE
  • Winaw32.exe
  • winroute.exe
  • winss.exe
  • winssnotify.exe
  • WRADMIN.EXE
  • WRCTRL.EXE
  • xcommsvr.exe
  • zatutor.exe
  • ZAUINST.EXE
  • zlclient.exe
  • zonealarm.exe
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE

It also prevents the following list of files from running:

  • filtnt.sys
  • guardnt.sys
  • zonealarm.exe
  • zlclient.exe
  • zatutor.exe
  • VsStat.exe
  • Vshwin32.exe
  • Vba32PP3.exe
  • vba32ldr.exe
  • Vba32ifs.exe
  • Vba32ECM.exe
  • upgrepl.exe
  • Up2Date.exe
  • tmproxy.exe
  • TmPfw.exe
  • Tmntsrv.exe
  • symlcsvc.exe
  • spiderml.exe
  • SPBBCSvc.exe
  • SNDSrvc.exe
  • RuLaunch.exe
  • regedt32.exe
  • regedit.exe
  • Realmon.exe
  • QHPF.EXE
  • PcCtlCom.exe
  • pccguide.exe
  • outpost.exe
  • Nvcut.exe
  • Nvcte.exe
  • Nvcod.exe
  • npfmsg.exe
  • NPFMNTOR.EXE
  • nod32kui.exe
  • nod32.exe
  • NAVAPSVC.EXE
  • Mcshield.exe
  • Luupdate.exe
  • LUALL.EXE
  • KAVPF.exe
  • kavmm.exe
  • KAV.exe
  • isafe.exe
  • InoUpTNG.exe
  • InocIT.exe
  • INETUPD.EXE
  • GuardNT.exe
  • GUARDGUI.EXE
  • freshclam.exe
  • drwebupw.exe
  • drwebscd.exe
  • drweb32w.exe
  • drwadins.exe
  • CMGrdian.exe
  • ClamWin.exe
  • ClamTray.exe
  • CCSETMGR.EXE
  • CCEVTMGR.EXE
  • ccApp.exe
  • cafix.exe
  • bdswitch.exe
  • bdsubmit.exe
  • bdnews.exe
  • bdmcon.exe
  • AVWUPD32.EXE
  • Avsynmgr.exe
  • AVSCHED32.EXE
  • AVGNT.EXE
  • avgemc.exe
  • avgcc.exe
  • Avconsol.exe
  • AUPDATE.EXE
  • ashWebSv.exe
  • ashSkPck.exe
  • ashSimpl.exe
  • ashPopWz.exe
  • ashEnhcd.exe
  • ashDisp.exe
  • ashAvast.exe
  • kavsvc.exe
  • bdmcon.exe
  • vsserv.exe
  • bdnews.exe
  • livesrv.exe
  • mcupdate.exe
  • frameworkservice.exe
  • upgrader.exe
  • apvxdwin.exe
  • LuComServer_2_5.EXE
  • lucomserver_2_6.exe
  • drwebupw.exe
  • nod32krn.exe

Symptoms

  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

    • Method of Infection

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .wab
    • .txt
    • .msg
    • .htm
    • .shtm
    • .stm
    • .xml
    • .dbx
    • .mbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .wsh
    • .adb
    • .tbb
    • .sht
    • .xls
    • .oft
    • .uin
    • .cgi
    • .mht
    • .dhtm
    • .jsp

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • rating@
    • f-secur
    • news
    • update
    • anyone@
    • bugs@
    • contract@
    • feste
    • gold-certs@
    • help@
    • info@
    • nobody@
    • noone@
    • kasp
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • sopho
    • @foo
    • @iana
    • free-av
    • @messagelab
    • winzip
    • google
    • winrar
    • samples
    • abuse
    • panda
    • cafee
    • spam
    • pgp
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@

    Email Adress Harvesting Component

    Email addresses harvested from infected machines are uploaded to a page at the following sites.

    • http://www.titanmotors.com/images/1/
    • http://veranmaisala.com/1/
    • http://wklight.nazwa.pl/1/
    • http://yongsan24.co.kr/1/
    • http://accesible.cl/1/
    • http://hotelesalba.com/1/
    • http://amdlady.com/1/
    • http://inca.dnetsolution.net/1/
    • http://www.auraura.com/1/
    • http://avataresgratis.com/1/
    • http://beyoglu.com.tr/1/
    • http://brandshock.com/1/
    • http://www.buydigital.co.kr/1/
    • http://camaramafra.sc.gov.br/1/
    • http://camposequipamentos.com.br/1/
    • http://cbradio.sos.pl/1/
    • http://c-d-c.com.au/1/
    • http://www.klanpl.com/1/
    • http://coparefrescos.stantonstreetgroup.com/1/
    • http://creainspire.com/1/
    • http://desenjoi.com.br/1/
    • http://www.inprofile.gr/1/
    • http://www.diem.cl/1/
    • http://www.discotecapuzzle.com/1/

    It also tries to download a file from the following list of sites:

    • http://ujscie.one.pl/
    • http://1point2.iae.nl/
    • http://appaloosa.no/
    • http://apromed.com/
    • http://arborfolia.com/
    • http://pawlacz.com/
    • http://areal-realt.ru/
    • http://bitel.ru/
    • http://yetii.no-ip.com/
    • http://art4u1.superhost.pl/
    • http://www.artbed.pl/
    • http://art-bizar.foxnet.pl/
    • http://www.jonogueira.com/
    • http://asdesign.cz/
    • http://ftp-dom.earthlink.net/
    • http://www.aureaorodeley.com/
    • http://www.autoekb.ru/
    • http://www.autovorota.ru/
    • http://avenue.ee/
    • http://www.avinpharma.ru/
    • http://ouarzazateservices.com/
    • http://stats-adf.altadis.com/
    • http://bartex-cit.com.pl/
    • http://bazarbekr.sk/
    • http://gnu.univ.gda.pl/
    • http://bid-usa.com/
    • http://biliskov.com/
    • http://biomedpel.cz/
    • http://blackbull.cz/
    • http://bohuminsko.cz/
    • http://bonsai-world.com.au/
    • http://bpsbillboards.com/
    • http://cadinformatics.com/
    • http://canecaecia.com/
    • http://www.castnetnultimedia.com/
    • http://compucel.com/
    • http://continentalcarbonindia.com/
    • http://ceramax.co.kr/
    • http://prime.gushi.org/
    • http://www.chapisteriadaniel.com/
    • http://charlesspaans.com/
    • http://chatsk.wz.cz/
    • http://www.chittychat.com/
    • http://checkalertusa.com/
    • http://cibernegocios.com.ar/
    • http://5050clothing.com/
    • http://cof666.shockonline.net/
    • http://comaxtechnologies.net/
    • http://concellodesandias.com/
    • http://www.cort.ru/
    • http://donchef.com/
    • http://www.crfj.com/
    • http://kremz.ru/
    • http://dev.jintek.com/
    • http://foxvcoin.com/
    • http://uwua132.org/
    • http://v-v-kopretiny.ic.cz/
    • http://erich-kaestner-schule-donaueschingen.de/
    • http://vanvakfi.com/
    • http://axelero.hu/
    • http://kisalfold.com/
    • http://vega-sps.com/
    • http://vidus.ru/
    • http://viralstrategies.com/
    • http://svatba.viskot.cz/
    • http://Vivamodelhobby.com/
    • http://vkinfotech.com/
    • http://vytukas.com/
    • http://waisenhaus-kenya.ch/
    • http://watsrisuphan.org/
    • http://www.ag.ohio-state.edu/
    • http://wbecanada.com/
    • http://calamarco.com/
    • http://vproinc.com/
    • http://grupdogus.de/
    • http://knickimbit.de/
    • http://dogoodesign.ch/
    • http://systemforex.de/
    • http://zebrachina.net/
    • http://www.walsch.de/
    • http://hotchillishop.de/
    • http://innovation.ojom.net/
    • http://massgroup.de/
    • http://web-comp.hu/
    • http://webfull.com/
    • http://welvo.com/
    • http://www.ag.ohio-state.edu/
    • http://poliklinika-vajnorska.sk/
    • http://wvpilots.org/
    • http://www.kersten.de/
    • http://www.kljbwadersloh.de/
    • http://www.voov.de/
    • http://www.wchat.cz/
    • http://www.wg-aufbau-bautzen.de/
    • http://www.wzhuate.com/
    • http://zsnabreznaknm.sk/
    • http://xotravel.ru/
    • http://ilikesimple.com/
    • http://yeniguntugla.com/

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    -- Update June 21, 2006 --
    The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195282,00.html

    This is a mass-mailing virus that spreads in a password protected zip file.  Along with the ZIP file, an image containing the password for the ZIP is also attached to infectious messages.  Users must take that password and use it to open the ZIP file and then manually execute the .EXE file within.  That EXE file is proactively detected as New Malware.b with released DAT files.  The same virus variant exists in packed form.  That package is proactively detected as W32/Bagle.dldr with released DAT files.

    Aliases

    • Email-Worm.Win32.Bagle.fy (Kaspersky)
    • W32.Beagle.FF@mm (Symantec)
    • W32/Bagle-KL (Sophos)
    • WORM_BAGLE.FN (Trend)

    Characteristics

    Characteristics -

    - Update 6/20/2006 -
    This Bagle variant has been discovered in packed and never-packed forms today. The never-packed version is proactively detected as W32/Bagle.dldr

    This is a mass-mailing worm with the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • attachment is a password-protected zip file, with the password included in the message body.
    • disables security applications
    • drops a rootkit

    Mail Propagation

    The details are as follows:

    From : (address is spoofed)
    Subject :

    • Ales
    • Alice
    • Alyce
    • Alyce
    • Andrew
    • Androw
    • Androwe
    • Ann
    • Anna
    • Anna
    • Anne
    • Annes
    • Anthonie
    • Anthonie
    • Anthony
    • Anthonye
    • Avice
    • Avis
    • Bennet
    • Bennett
    • Christean
    • Christian
    • Constance
    • Cybil
    • Daniel
    • Danyell
    • Dorithie
    • Dorothee
    • Dorothy
    • Edmond
    • Edmonde
    • Edmund
    • Edward
    • Edwarde
    • Elizabeth
    • Elizabethe
    • Ellen
    • Ellyn
    • Emanual
    • Emanuell
    • Ester
    • Frances
    • Francis
    • Fraunces
    • Gabriell
    • Geoffraie
    • George
    • Grace
    • Harry
    • Harrye
    • Henrie
    • Henry
    • Henrye
    • Hughe
    • Humphrey
    • Humphrie
    • I love you
    • Isabel
    • Isabell
    • James
    • Jane
    • Jeames
    • Jeffrey
    • Jeffrye
    • Joane
    • Johen
    • John
    • Josias
    • Judeth
    • Judith
    • Judithe
    • Katherine
    • Katheryne
    • Leonard
    • Leonarde
    • Margaret
    • Margarett
    • Margerie
    • Margerye
    • Margret
    • Margrett
    • Marie
    • Martha
    • Mary
    • Marye
    • Michael
    • Mychaell
    • Nathaniel
    • Nathaniell
    • Nathanyell
    • Nicholas
    • Nicholaus
    • Nycholas
    • Peter
    • Ralph
    • Rebecka
    • Richard
    • Richarde
    • Robert
    • Robert
    • Roberte
    • Roger
    • Rose
    • Rycharde
    • Samuell
    • Sara
    • Sidney
    • Sindony
    • Stephen
    • Susan
    • Susanna
    • Suzanna
    • Sybyll
    • Syndony
    • Thomas
    • To the beloved
    • Valentyne
    • William
    • Winifred
    • Wynefrede
    • Wynefreed
    • Wynnefreede

    Body Text:

    • The password is
    • Password --
    • Use password
    • Password is
    • Zip password:
    • archive password:
    • Password -
    • Password:

    These are all followed by the image from the included GIF file.

    It may also include one of the following two additional phrases, before the password:

    • To the beloved
    • I love you

    Attachment: (will contain a randomly named EXE and GIF file)

    • Ales.zip
    • Alice.zip
    • Alyce.zip
    • Andrew.zip
    • Androw.zip
    • Androwe.zip
    • Ann.zip
    • Anna.zip
    • Anne.zip
    • Annes.zip
    • Anthonie.zip
    • Anthony.zip
    • Anthonye.zip
    • Avice.zip
    • Avis.zip
    • Avis.zip
    • Bennet.zip
    • Bennett.zip
    • Christean.zip
    • Christian.zip
    • Constance.zip
    • Cybil.zip
    • Daniel.zip
    • Danyell.zip
    • Dorithie.zip
    • Dorothee.zip
    • Dorothy.zip
    • Edmond.zip
    • Edmonde.zip
    • Edmund.zip
    • Edward.zip
    • Edwarde.zip
    • Elizabeth.zip
    • Elizabethe.zip
    • Ellen.zip
    • Ellyn.zip
    • Emanual.zip
    • Emanuel.zip
    • Emanuell.zip
    • Ester.zip
    • Frances.zip
    • Francis.zip
    • Fraunces.zip
    • Gabriell.zip
    • Geoffraie.zip
    • George.zip
    • Grace.zip
    • Harry.zip
    • Harrye.zip
    • Henrie.zip
    • Henry.zip
    • Henrye.zip
    • Hughe.zip
    • Humphrey.zip
    • Humphrie.zip
    • Isabel.zip
    • Isabell.zip
    • James.zip
    • Jane.zip
    • Jeames.zip
    • Jeffrey.zip
    • Jeffrye.zip
    • Joane.zip
    • Johen.zip
    • John.zip
    • Josias.zip
    • Judeth.zip
    • Judith.zip
    • Judithe.zip
    • Katherine.zip
    • Katheryne.zip
    • Leonard.zip
    • Leonarde.zip
    • Margaret.zip
    • Margarett.zip
    • Margerie.zip
    • Margerye.zip
    • Margret.zip
    • Margrett.zip
    • Marie.zip
    • Martha.zip
    • Mary.zip
    • Marye.zip
    • Michael.zip
    • Mychaell.zip
    • Nathaniel.zip
    • Nathaniell.zip
    • Nathanyell.zip
    • Nicholas.zip
    • Nicholaus.zip
    • Nycholas.zip
    • Peter.zip
    • Ralph.zip
    • Rebecka.zip
    • Richard.zip
    • Richarde.zip
    • Robert.zip
    • Roberte.zip
    • Roger.zip
    • Rose.zip
    • Rycharde.zip
    • Samuell.zip
    • Sara.zip
    • Sidney.zip
    • Sindony.zip
    • Stephen.zip
    • Susan.zip
    • Susanna.zip
    • Suzanna.zip
    • Sybell.zip
    • Sybyll.zip
    • Syndony.zip
    • Thomas.zip
    • Valentyne.zip
    • William.zip
    • Winifred.zip
    • Wynefrede.zip
    • Wynefreed.zip
    • Wynnefreede.zip

    The virus copies itself as HIDN.EXE to the following directory:

    • C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

    It also creates a rootkit to hide directories (and all files within them) which contain the word shared:

    • C:\Documents and Settings\%User%\Application Data\hidn\m_hook.sys ( 15360 bytes )

    It also creates a copy of its ZIP file locally, and a fake error message:

    • C:\temp.zip
    • C:\error.gif

    The error message appears as follows

    A registry key is created to run itself again upon system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \Run "drv_st_key" = C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

    Additionally, the following Registry keys are added:

    • HKEY_CURRENT_USER\Software\firstruxzx\firstrun="1"

    It deletes the following registry entry, to disable Safe Boot:

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot

    This worm attempts to terminate services of security programs with the the following filenames:

    • wuauserv
    • Aavmker4
    • ABVPN2K
    • ADBLOCK.DLL
    • ADFirewall
    • AFWMCL
    • Ahnlab task Scheduler
    • alerter
    • AlertManger
    • AntiVir Service
    • AntiyFirewall
    • ARP.DLL
    • aswMon2
    • aswRdr
    • aswTdi
    • aswUpdSv
    • Ati HotKey Poller
    • avast! Antivirus
    • avast! Mail Scanner
    • avast! Web Scanner
    • AVEService
    • AVExch32Service
    • AvFlt
    • Avg7Alrt
    • Avg7Core
    • Avg7RsW
    • Avg7RsXP
    • Avg7UpdSvc
    • AvgCore
    • AvgFsh
    • AVGFwSrv
    • AvgFwSvr
    • AvgServ
    • AvgTdi
    • AVIRAMailService
    • AVIRAService
    • avpcc
    • AVUPDService
    • AVWUpSrv
    • AvxIni
    • awhost32
    • backweb client - 4476822
    • BackWeb Client - 7681197
    • backweb client-4476822
    • Bdfndisf
    • bdftdif
    • bdss
    • BlackICE
    • BsFileSpy
    • BsFirewall
    • BsMailProxy
    • CAISafe
    • ccEvtMgr
    • ccPwdSvc
    • ccSetMgr
    • ccSetMgr.exe
    • CONTENT.DLL
    • DefWatch
    • DNSCACHE.DLL
    • drwebnet
    • dvpapi
    • dvpinit
    • ewido security suite control
    • ewido security suite driver
    • ewido security suite guard
    • F-Prot Antivirus Update Monitor
    • F-Secure Gatekeeper Handler Starter
    • firewall
    • fsbwsys
    • FSDFWD
    • FSFW
    • FSMA
    • FTPFILT.DLL
    • FwcAgent
    • fwdrv
    • Guard NT
    • HSnSFW
    • HSnSPro
    • HTMLFILT.DLL
    • HTTPFILT.DLL
    • IMAPFILT.DLL
    • InoRPC
    • InoRT
    • InoTask
    • Ip6Fw
    • Ip6FwHlp
    • KAVMonitorService
    • KAVSvc
    • KLBLMain
    • KPfwSvc
    • KWatch3
    • KWatchSvc
    • MAILFILT.DLL
    • McAfee Firewall
    • McAfeeFramework
    • McShield
    • McTaskManager
    • mcupdmgr.exe
    • MCVSRte
    • Microsoft NetWork FireWall Services
    • MonSvcNT
    • MpfService
    • navapsvc
    • Ndisuio
    • NDIS_RD
    • Network Associates Log Service
    • nipsvc
    • NISSERV
    • NISUM
    • NNTPFILT.DLL
    • NOD32ControlCenter
    • NOD32krn
    • NOD32Service
    • Norman NJeeves
    • Norman Type-R
    • Norman ZANDA
    • Norton AntiVirus Server
    • NPDriver
    • NPFMntor
    • NProtectService
    • NSCTOP
    • nvcoas
    • NVCScheduler
    • nwclntc
    • nwclntd
    • nwclnte
    • nwclntf
    • nwclntg
    • nwclnth
    • NWService
    • OfcPfwSvc
    • Outbreak Manager
    • Outpost Firewall
    • OutpostFirewall
    • PASSRV
    • PAVAGENTE
    • PavAtScheduler
    • PAVDRV
    • PAVFIRES
    • PAVFNSVR
    • Pavkre
    • PavProc
    • PavProt
    • PavPrSrv
    • PavReport
    • PAVSRV
    • PCCPFW
    • PCC_PFW
    • PersFW
    • Personal Firewall
    • POP3FILT.DLL
    • PREVSRV
    • PROTECT.DLL
    • PSIMSVC
    • qhwscsvc
    • wscsvc
    • Quick Heal Online Protection
    • ravmon8
    • RfwService
    • SAVFMSE
    • SAVScan
    • SBService
    • schscnt
    • SECRET.DLL
    • SharedAccess
    • SmcService
    • SNDSrvc
    • SPBBCSvc
    • SpiderNT
    • SweepNet
    • SWEEPSRV.SYS
    • Symantec AntiVirus Client
    • Symantec Core LC
    • The_Hacker_Antivirus
    • Tmntsrv
    • TmPfw
    • tmproxy
    • tmtdi
    • tm_cfw
    • T_H_S_M
    • V3MonNT
    • V3MonSvc
    • Vba32ECM
    • Vba32ifs
    • Vba32Ldr
    • Vba32PP3
    • VBCompManService
    • VexiraAntivirus
    • VFILT
    • VisNetic AntiVirus Plug-in
    • vrfwsvc
    • vsmon
    • VSSERV
    • WinAntivirus
    • WinRoute
    • wuauserv
    • xcomm

    The worm uses the following list to stop running processes:

    • a2guard.exe
    • aavshield.exe
    • AckWin32.exe
    • ADVCHK.EXE
    • AhnSD.exe
    • airdefense.exe
    • ALERTSVC.EXE
    • ALMon.exe
    • ALOGSERV.EXE
    • ALsvc.exe
    • amon.exe
    • Anti-Trojan.exe
    • AntiVirScheduler
    • AntiVirService
    • ANTS.EXE
    • APVXDWIN.EXE
    • Armor2net.exe
    • ashAvast.exe
    • ashDisp.exe
    • ashEnhcd.exe
    • ashMaiSv.exe
    • ashPopWz.exe
    • ashServ.exe
    • ashSimpl.exe
    • ashSkPck.exe
    • ashWebSv.exe
    • aswUpdSv.exe
    • ATCON.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • avciman.exe
    • Avconsol.exe
    • AVENGINE.EXE
    • avgamsvr.exe
    • avgcc.exe
    • AVGCC32.EXE
    • AVGCTRL.EXE
    • avgemc.exe
    • avgfwsrv.exe
    • AVGNT.EXE
    • avgntdd
    • avgntmgr
    • AVGSERV.EXE
    • AVGUARD.EXE
    • avgupsvc.exe
    • avinitnt.exe
    • AvkServ.exe
    • AVKService.exe
    • AVKWCtl.exe
    • AVP.EXE
    • AVP32.EXE
    • avpcc.exe
    • avpm.exe
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • avsynmgr.exe
    • AVWUPD32.EXE
    • AVWUPSRV.EXE
    • AVXMONITOR9X.EXE
    • AVXMONITORNT.EXE
    • AVXQUAR.EXE
    • BackWeb-4476822.exe
    • bdmcon.exe
    • bdnews.exe
    • bdoesrv.exe
    • bdss.exe
    • bdsubmit.exe
    • bdswitch.exe
    • blackd.exe
    • blackice.exe
    • cafix.exe
    • ccApp.exe
    • ccEvtMgr.exe
    • ccProxy.exe
    • ccSetMgr.exe
    • CFIAUDIT.EXE
    • ClamTray.exe
    • ClamWin.exe
    • Claw95.exe
    • Claw95cf.exe
    • cleaner.exe
    • cleaner3.exe
    • CliSvc.exe
    • CMGrdian.exe
    • cpd.exe
    • DefWatch.exe
    • DOORS.EXE
    • DrVirus.exe
    • drwadins.exe
    • drweb32w.exe
    • drwebscd.exe
    • DRWEBUPW.EXE
    • ESCANH95.EXE
    • ESCANHNT.EXE
    • ewidoctrl.exe
    • EzAntivirusRegistrationCheck.exe
    • F-AGNT95.EXE
    • F-PROT95.EXE
    • F-Sched.exe
    • F-StopW.EXE
    • FAMEH32.EXE
    • FAST.EXE
    • FCH32.EXE
    • FireSvc.exe
    • FireTray.exe
    • FIREWALL.EXE
    • fpavupdm.exe
    • freshclam.exe
    • FRW.EXE
    • fsav32.exe
    • fsavgui.exe
    • fsbwsys.exe
    • fsdfwd.exe
    • FSGK32.EXE
    • fsgk32st.exe
    • fsguiexe.exe
    • FSM32.EXE
    • FSMA32.EXE
    • FSMB32.EXE
    • fspex.exe
    • fssm32.exe
    • gcasDtServ.exe
    • gcasServ.exe
    • GIANTAntiSpywareMain.exe
    • GIANTAntiSpywareUpdater.exe
    • GUARD.EXE
    • GUARDGUI.EXE
    • GuardNT.exe
    • HRegMon.exe
    • Hrres.exe
    • HSockPE.exe
    • HUpdate.EXE
    • iamapp.exe
    • iamserv.exe
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFACE.EXE
    • INETUPD.EXE
    • InocIT.exe
    • InoRpc.exe
    • InoRT.exe
    • InoTask.exe
    • InoUpTNG.exe
    • IOMON98.EXE
    • isafe.exe
    • ISATRAY.EXE
    • ISRV95.EXE
    • ISSVC.exe
    • JEDI.EXE
    • KAV.exe
    • kavmm.exe
    • KAVPF.exe
    • KavPFW.exe
    • KAVStart.exe
    • KAVSvc.exe
    • KAVSvcUI.EXE
    • KMailMon.EXE
    • KPfwSvc.EXE
    • KWatch.EXE
    • livesrv.exe
    • LOCKDOWN2000.EXE
    • LogWatNT.exe
    • lpfw.exe
    • LUALL.EXE
    • LUCOMSERVER.EXE
    • Luupdate.exe
    • MCAGENT.EXE
    • mcmnhdlr.exe
    • mcregwiz.exe
    • Mcshield.exe
    • MCUPDATE.EXE
    • mcvsshld.exe
    • MINILOG.EXE
    • MONITOR.EXE
    • MonSysNT.exe
    • MOOLIVE.EXE
    • MpEng.exe
    • mpssvc.exe
    • MSMPSVC.exe
    • myAgtSvc.exe
    • myagttry.exe
    • navapsvc.exe
    • NAVAPW32.EXE
    • NavLu32.exe
    • NAVW32.EXE
    • NDD32.EXE
    • NeoWatchLog.exe
    • NeoWatchTray.exe
    • NISSERV
    • NISUM.EXE
    • NMAIN.EXE
    • nod32.exe
    • nod32krn.exe
    • nod32kui.exe
    • NORMIST.EXE
    • notstart.exe
    • npavtray.exe
    • NPFMNTOR.EXE
    • npfmsg.exe
    • NPROTECT.EXE
    • NSCHED32.EXE
    • NSMdtr.exe
    • NssServ.exe
    • NssTray.exe
    • ntrtscan.exe
    • NTXconfig.exe
    • NUPGRADE.EXE
    • NVC95.EXE
    • Nvcod.exe
    • Nvcte.exe
    • Nvcut.exe
    • NWService.exe
    • OfcPfwSvc.exe
    • OUTPOST.EXE
    • PAV.EXE
    • PavFires.exe
    • PavFnSvr.exe
    • Pavkre.exe
    • PavProt.exe
    • pavProxy.exe
    • pavprsrv.exe
    • pavsrv51.exe
    • PAVSS.EXE
    • pccguide.exe
    • PCCIOMON.EXE
    • pccntmon.exe
    • PCCPFW.exe
    • PcCtlCom.exe
    • PCTAV.exe
    • PERSFW.EXE
    • pertsk.exe
    • PERVAC.EXE
    • PNMSRV.EXE
    • POP3TRAP.EXE
    • POPROXY.EXE
    • prevsrv.exe
    • PsImSvc.exe
    • QHM32.EXE
    • QHONLINE.EXE
    • QHONSVC.EXE
    • QHPF.EXE
    • qhwscsvc.exe
    • RavMon.exe
    • RavTimer.exe
    • Realmon.exe
    • REALMON95.EXE
    • Rescue.exe
    • rfwmain.exe
    • Rtvscan.exe
    • RTVSCN95.EXE
    • RuLaunch.exe
    • SAVAdminService.exe
    • SAVMain.exe
    • savprogress.exe
    • SAVScan.exe
    • SCAN32.EXE
    • ScanningProcess.exe
    • sched.exe
    • sdhelp.exe
    • SERVIC~1.EXE
    • SHSTAT.EXE
    • SiteCli.exe
    • smc.exe
    • SNDSrvc.exe
    • SPBBCSvc.exe
    • SPHINX.EXE
    • spiderml.exe
    • spidernt.exe
    • Spiderui.exe
    • SpybotSD.exe
    • SPYXX.EXE
    • SS3EDIT.EXE
    • stopsignav.exe
    • swAgent.exe
    • swdoctor.exe
    • SWNETSUP.EXE
    • symlcsvc.exe
    • SymProxySvc.exe
    • SymSPort.exe
    • SymWSC.exe
    • SYNMGR.EXE
    • TAUMON.EXE
    • TBMon.exe
    • TC.EXE
    • tca.exe
    • TCM.EXE
    • TDS-3.EXE
    • TeaTimer.exe
    • TFAK.EXE
    • THAV.EXE
    • THSM.EXE
    • Tmas.exe
    • tmlisten.exe
    • Tmntsrv.exe
    • TmPfw.exe
    • tmproxy.exe
    • TNBUtil.exe
    • TRJSCAN.EXE
    • Up2Date.exe
    • UPDATE.EXE
    • UpdaterUI.exe
    • upgrepl.exe
    • Vba32ECM.exe
    • Vba32ifs.exe
    • vba32ldr.exe
    • Vba32PP3.exe
    • VBSNTW.exe
    • vchk.exe
    • vcrmon.exe
    • VetTray.exe
    • VirusKeeper.exe
    • VPTRAY.EXE
    • vrfwsvc.exe
    • VRMONNT.EXE
    • vrmonsvc.exe
    • vrrw32.exe
    • VSECOMR.EXE
    • Vshwin32.exe
    • vsmon.exe
    • vsserv.exe
    • VsStat.exe
    • WATCHDOG.EXE
    • WebProxy.exe
    • Webscanx.exe
    • WEBTRAP.EXE
    • WGFE95.EXE
    • Winaw32.exe
    • winroute.exe
    • winss.exe
    • winssnotify.exe
    • WRADMIN.EXE
    • WRCTRL.EXE
    • xcommsvr.exe
    • zatutor.exe
    • ZAUINST.EXE
    • zlclient.exe
    • zonealarm.exe
    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE

    It also prevents the following list of files from running:

    • filtnt.sys
    • guardnt.sys
    • zonealarm.exe
    • zlclient.exe
    • zatutor.exe
    • VsStat.exe
    • Vshwin32.exe
    • Vba32PP3.exe
    • vba32ldr.exe
    • Vba32ifs.exe
    • Vba32ECM.exe
    • upgrepl.exe
    • Up2Date.exe
    • tmproxy.exe
    • TmPfw.exe
    • Tmntsrv.exe
    • symlcsvc.exe
    • spiderml.exe
    • SPBBCSvc.exe
    • SNDSrvc.exe
    • RuLaunch.exe
    • regedt32.exe
    • regedit.exe
    • Realmon.exe
    • QHPF.EXE
    • PcCtlCom.exe
    • pccguide.exe
    • outpost.exe
    • Nvcut.exe
    • Nvcte.exe
    • Nvcod.exe
    • npfmsg.exe
    • NPFMNTOR.EXE
    • nod32kui.exe
    • nod32.exe
    • NAVAPSVC.EXE
    • Mcshield.exe
    • Luupdate.exe
    • LUALL.EXE
    • KAVPF.exe
    • kavmm.exe
    • KAV.exe
    • isafe.exe
    • InoUpTNG.exe
    • InocIT.exe
    • INETUPD.EXE
    • GuardNT.exe
    • GUARDGUI.EXE
    • freshclam.exe
    • drwebupw.exe
    • drwebscd.exe
    • drweb32w.exe
    • drwadins.exe
    • CMGrdian.exe
    • ClamWin.exe
    • ClamTray.exe
    • CCSETMGR.EXE
    • CCEVTMGR.EXE
    • ccApp.exe
    • cafix.exe
    • bdswitch.exe
    • bdsubmit.exe
    • bdnews.exe
    • bdmcon.exe
    • AVWUPD32.EXE
    • Avsynmgr.exe
    • AVSCHED32.EXE
    • AVGNT.EXE
    • avgemc.exe
    • avgcc.exe
    • Avconsol.exe
    • AUPDATE.EXE
    • ashWebSv.exe
    • ashSkPck.exe
    • ashSimpl.exe
    • ashPopWz.exe
    • ashEnhcd.exe
    • ashDisp.exe
    • ashAvast.exe
    • kavsvc.exe
    • bdmcon.exe
    • vsserv.exe
    • bdnews.exe
    • livesrv.exe
    • mcupdate.exe
    • frameworkservice.exe
    • upgrader.exe
    • apvxdwin.exe
    • LuComServer_2_5.EXE
    • lucomserver_2_6.exe
    • drwebupw.exe
    • nod32krn.exe

    Symptoms

    Symptoms -

  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

    • Method of Infection

    Method of Infection -

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .wab
    • .txt
    • .msg
    • .htm
    • .shtm
    • .stm
    • .xml
    • .dbx
    • .mbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .wsh
    • .adb
    • .tbb
    • .sht
    • .xls
    • .oft
    • .uin
    • .cgi
    • .mht
    • .dhtm
    • .jsp

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • rating@
    • f-secur
    • news
    • update
    • anyone@
    • bugs@
    • contract@
    • feste
    • gold-certs@
    • help@
    • info@
    • nobody@
    • noone@
    • kasp
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • sopho
    • @foo
    • @iana
    • free-av
    • @messagelab
    • winzip
    • google
    • winrar
    • samples
    • abuse
    • panda
    • cafee
    • spam
    • pgp
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@

    Email Adress Harvesting Component

    Email addresses harvested from infected machines are uploaded to a page at the following sites.

    • http://www.titanmotors.com/images/1/
    • http://veranmaisala.com/1/
    • http://wklight.nazwa.pl/1/
    • http://yongsan24.co.kr/1/
    • http://accesible.cl/1/
    • http://hotelesalba.com/1/
    • http://amdlady.com/1/
    • http://inca.dnetsolution.net/1/
    • http://www.auraura.com/1/
    • http://avataresgratis.com/1/
    • http://beyoglu.com.tr/1/
    • http://brandshock.com/1/
    • http://www.buydigital.co.kr/1/
    • http://camaramafra.sc.gov.br/1/
    • http://camposequipamentos.com.br/1/
    • http://cbradio.sos.pl/1/
    • http://c-d-c.com.au/1/
    • http://www.klanpl.com/1/
    • http://coparefrescos.stantonstreetgroup.com/1/
    • http://creainspire.com/1/
    • http://desenjoi.com.br/1/
    • http://www.inprofile.gr/1/
    • http://www.diem.cl/1/
    • http://www.discotecapuzzle.com/1/

    It also tries to download a file from the following list of sites:

    • http://ujscie.one.pl/
    • http://1point2.iae.nl/
    • http://appaloosa.no/
    • http://apromed.com/
    • http://arborfolia.com/
    • http://pawlacz.com/
    • http://areal-realt.ru/
    • http://bitel.ru/
    • http://yetii.no-ip.com/
    • http://art4u1.superhost.pl/
    • http://www.artbed.pl/
    • http://art-bizar.foxnet.pl/
    • http://www.jonogueira.com/
    • http://asdesign.cz/
    • http://ftp-dom.earthlink.net/
    • http://www.aureaorodeley.com/
    • http://www.autoekb.ru/
    • http://www.autovorota.ru/
    • http://avenue.ee/
    • http://www.avinpharma.ru/
    • http://ouarzazateservices.com/
    • http://stats-adf.altadis.com/
    • http://bartex-cit.com.pl/
    • http://bazarbekr.sk/
    • http://gnu.univ.gda.pl/
    • http://bid-usa.com/
    • http://biliskov.com/
    • http://biomedpel.cz/
    • http://blackbull.cz/
    • http://bohuminsko.cz/
    • http://bonsai-world.com.au/
    • http://bpsbillboards.com/
    • http://cadinformatics.com/
    • http://canecaecia.com/
    • http://www.castnetnultimedia.com/
    • http://compucel.com/
    • http://continentalcarbonindia.com/
    • http://ceramax.co.kr/
    • http://prime.gushi.org/
    • http://www.chapisteriadaniel.com/
    • http://charlesspaans.com/
    • http://chatsk.wz.cz/
    • http://www.chittychat.com/
    • http://checkalertusa.com/
    • http://cibernegocios.com.ar/
    • http://5050clothing.com/
    • http://cof666.shockonline.net/
    • http://comaxtechnologies.net/
    • http://concellodesandias.com/
    • http://www.cort.ru/
    • http://donchef.com/
    • http://www.crfj.com/
    • http://kremz.ru/
    • http://dev.jintek.com/
    • http://foxvcoin.com/
    • http://uwua132.org/
    • http://v-v-kopretiny.ic.cz/
    • http://erich-kaestner-schule-donaueschingen.de/
    • http://vanvakfi.com/
    • http://axelero.hu/
    • http://kisalfold.com/
    • http://vega-sps.com/
    • http://vidus.ru/
    • http://viralstrategies.com/
    • http://svatba.viskot.cz/
    • http://Vivamodelhobby.com/
    • http://vkinfotech.com/
    • http://vytukas.com/
    • http://waisenhaus-kenya.ch/
    • http://watsrisuphan.org/
    • http://www.ag.ohio-state.edu/
    • http://wbecanada.com/
    • http://calamarco.com/
    • http://vproinc.com/
    • http://grupdogus.de/
    • http://knickimbit.de/
    • http://dogoodesign.ch/
    • http://systemforex.de/
    • http://zebrachina.net/
    • http://www.walsch.de/
    • http://hotchillishop.de/
    • http://innovation.ojom.net/
    • http://massgroup.de/
    • http://web-comp.hu/
    • http://webfull.com/
    • http://welvo.com/
    • http://www.ag.ohio-state.edu/
    • http://poliklinika-vajnorska.sk/
    • http://wvpilots.org/
    • http://www.kersten.de/
    • http://www.kljbwadersloh.de/
    • http://www.voov.de/
    • http://www.wchat.cz/
    • http://www.wg-aufbau-bautzen.de/
    • http://www.wzhuate.com/
    • http://zsnabreznaknm.sk/
    • http://xotravel.ru/
    • http://ilikesimple.com/
    • http://yeniguntugla.com/

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A