echo: virus_info
to: ALL
from: KURT WISMER
date: 2004-03-06 15:13:00
subject: News

[cut-n-paste from sophos.com]

W32/Bagle-Zip

Aliases
Win32/Bagle.gen.zip

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected ZIP 
files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, W32/Bagle-I, 
W32/Bagle-J and W32/Bagle-K.





W32/Cissi-B

Aliases
Worm.Win32.Pinom.c, W32/Imbiat.worm, Win32/Pinom.C, W32.Cissi.A{at}mm

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Cissi-B is a worm which attempts to spread by emailing itself via 
SMTP and by copying itself to network shares with weak passwords. The 
worm allows unauthorised remote access to the computer via IRC channels.

The worm copies itself to the Windows system folder as PENIS.EXE and 
changes the [boot] field within SYSTEM.INI (or WIN.INI under MS Win 
NT/2000/XP) to run itself on system restart. Under Windows NT-based 
systems the worm may change the following entry in the registry to run 
the worm on system restart:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

W32/Cissi-B may attempt to email itself to email addresses gleaned from 
files on the user's hard disk.

W32/Cissi-B attempts to copy itself to the Startup folder on remote 
shared computers as !IMPORTANT!.EXE or SETUP.EXE.





Troj/HacDef-100

Aliases
Backdoor.HacDef.084, Win32/HacDef.084, Backdoor.HackDefender

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/HacDef-100 is a backdoor Trojan that is targeted at NT/2000/XP 
operating systems. As well as allowing unauthorised remote access to the 
victim's computer, this Trojan is also able to hide information about 
the victim's system including files, folders, processes, services and 
registry entries.





Troj/Ranck-K

Aliases
TrojanProxy.Win32.Ranky.a, Proxy-FBSR.gen

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Ranck-K is an HTTP proxy Trojan that allows a remote intruder to 
route HTTP traffic through the computer.

Troj/Ranck-K sets the following registry entry so as to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft

Troj/Ranck-K runs continuously in the background listening on a port.





W32/Bagle-K

Aliases
I-Worm.Bagle.j, W32.Beagle.A{at}mm, WORM_BAGLE.GEN

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-K is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk. The worm searches for files 
with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, 
CFG, ASP, PHP, PL, ADB, TBB and SHT.

When run, the worm copies itself to the Windows system folder as 
winsys.exe and creates the following files in the same folder:

W32/Bagle-K adds the value ssate.exe = \winsys.exe to the 
registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

This means that W32/Bagle-K runs every time you logon to your computer.

Emails have the following characteristics:
Sender: One of -
management{at}
administration{at}
staff{at}
noreply{at}
support{at}

Subject lines:
E-mail account security warning
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.

Message text: Randomly combined by taking one string from each of the 
following paragraphs:

Dear user of 
Dear user of  e-mail server gateway,
Dear user of e-mail server ",
Hello user of  e-mail server,
Dear user of " mailing system,
Dear user, the management of  mailing system 
wants to let you know that,

and

Your e-mail account has been temporary disabled because of unauthorized 
access. Our main mailing server will be temporary unavaible for next two 
days, to continue receiving mail in these days you have to configure our 
free auto-forwarding service.

Your e-mail account will be disabled because of improper using in next 
three days, if you are still wishing to use it, please, resign your 
account information.

We warn you about some attacks on your e-mail account. Your computer may 
contain viruses, in order to keep your computer and e-mail account safe, 
please, follow the instructions.

Our antivirus software has detected a large ammount of viruses outgoing 
from your email account, you may use our free anti-virus tool to clean 
up your computer software.

Some of our clients complained about the spam (negative e-mail content) 
outgoing from your e-mail account. Probably, you have been infected by a 
proxy-relay trojan server. In order to keep your computer safe, follow 
the instructions.

and

For more information see the attached file.
Further details can be obtained from attached file.
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
Please, read the attach for further details.
Pay attention on attached file.

and

For security reasons attached file is password protected. The password 
is "".
For security purposes the attached file is password protected. Password 
is "".
Attached file is protected with the password for security reasons. 
Password is ".
In order to read the attach you have to use the following password: 
".

and

The Management,
Sincerely,
Best wishes,
Have a good day,
Cheers,
Kind regards,

and

The  team 
http://www.;

Attached file: a randomly named ZIP archive. The name is chosen from:
Attach
Information
Readme
Document
Info
TextDocument
Text
MoreInfo
Message

As an example, here is how the worm could appear if your company's 
domain name was XYZCORP.COM:

[Image: An example of the kind of email which can be sent by the Bagle-K worm]

W32/Bagle-K opens up a backdoor on port 2745 and listens for connections. 
If it receives the appropriate command it attempts to download and 
execute a file. W32/Bagle-K also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-K attempts to terminate several anti-virus and 
security-related processes:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

W32/Bagle-K searches the mapped drives for folders containing the 
string "shar" in the folder name. If such a folder is found, the worm 
copies itself to the folder using the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XX hardcore images.exe

If the date is after 25 April 2005, W32/Bagle-K terminates itself and 
deletes all the registry entries it created.

W32/Bagle-K contains the following text hidden inside its code, which is 
not displayed:

Hey, NetSky, fuck off you bitch!





W32/Agobot-DG

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-DG is a network worm which also allows unauthorised remote 
access to the computer via IRC channels.

W32/Agobot-DG copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System level privileges. For further information on these 
vulnerabilities and for details on how to protect/patch the computer 
against such attacks please see Microsoft security bulletins MS03-001 
and MS03-026. MS03-026 has been superseded by Microsoft security 
bulletin MS03-039.

W32/Agobot-DG drops a copy of itself to the Windows system folder as 
SRCHOST.EXE and creates the following registry entries to run itself on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Generic Service Process

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Generic Service Process

W32/Agobot-DG attempts to terminate various processes related to 
anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and 
ZONEALARM.EXE).

W32/Agobot-DG collects system information and registration keys of 
popular games that are installed on the computer.





W32/Bagle-J

Aliases
W32/Bagle.j{at}mm

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-J is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk. The worm searches for files 
with the extensions WAB, TXT, MSG, HTM, XML, DBX, MDX, EML, NCH, MMF, 
ODS, CFG, ASP, PHP, PL, ADB, TBB, SHT, UIN and CGI.

The worm copies itself to the Windows system folder as IRUN4.EXE and 
creates the file IRUN4.EXEOPEN (a copy of the worm in a password 
protected ZIP format) in the same folder.

W32/Bagle-J adds the value:

ssate.exe = \irun4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-J runs every time you logon to your computer.

Emails have the following characteristics:

Subject lines:

E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.

Message texts (constructed from a choice of the following):

"Dear user of ,"
"Dear user of  gateway e-mail server,"
"Dear user of e-mail server "<domain name>","
"Hello user of  e-mail server,"
"Dear user of "" mailing system,"
"Dear user, the management of  mailing system wants to let 
you know that,"

and

"Your e-mail account has been temporary disabled because of unauthorized
access."
"Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service."
"Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information."
"We warn you about some attacks on your e-mail account. Your computer 
may contain viruses, in order to keep your computer and e-mail account 
safe, please, follow the instructions."
"Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean 
up your computer software."
"Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions."

and

"For more information see the attached file."
"Further details can be obtained from attached file."
"Advanced details can be found in attached file."
"For details see the attach."
"For details see the attached file."
"For further details see the attach."
"Please, read the attach for further details."
"Pay attention on attached file."

and

"For security reasons attached file is password protected. The password 
is ""."
"For security purposes the attached file is password protected. Password 
is ""."
"Attached file protected with the password for security reasons. 
Password is ."
"In order to read the attach you have to use the following password:
."

and

"Sincerely,"
"Best wishes,"
"Have a good day,"
"Cheers,"
"Kind regards,"
"The Management,"

and

"The  team, "" target="new">http://www."

Attached file (a password protected ZIP archive):

Attach
Information
Readme
Document
TextDocument
TextFile
MoreInfo
Message
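
Detection logic for the Bagle-J/K account-warning lure quoted in this entry and in the W32/Bagle-K entry above, added here as an example (it is not Sophos code and not part of the original post): it checks a raw message's sender local part, subject and ZIP attachment name against the lists quoted in the write-ups and reads the ZIP local file header's encryption flag, the trait of the password-protected archives that the W32/Bagle-Zip entry covers. The sample mail and ZIP bytes are constructed; xyzcorp.com is the illustration domain the Bagle-K entry uses, and every other name is this example's own assumption.

```python
"""Bagle-J/K lure detector (added example; not Sophos code, not from the post).
Checks a raw message against the sender, subject and ZIP-name lists quoted
above and reads the attachment's ZIP local file header for the encryption
flag that a password-protected archive (W32/Bagle-Zip) carries.
Sample mail and ZIP bytes are constructed; xyzcorp.com is the description's
own illustration; every other name here is an assumption of this example."""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Traits quoted in the W32/Bagle-K and W32/Bagle-J descriptions above.
SENDER_LOCAL_PARTS = {"management", "administration", "staff", "noreply", "support"}
SUBJECTS = {  # lower-cased, trailing period dropped, so both variants match
    "e-mail account security warning",
    "notify about using the e-mail account",
    "warning about your e-mail account",
    "important notify about your e-mail account",
    "email account utilization warning",
    "notify about your e-mail account utilization",
    "e-mail account disabling warning",
}
ZIP_STEMS = {"attach", "information", "readme", "document", "info",
             "textdocument", "textfile", "text", "moreinfo", "message"}


def zip_is_encrypted(data):
    """True if the first local file header has general-purpose bit 0
    (traditional ZIP encryption) set, False for a clear ZIP, None if the
    bytes are not a ZIP at all. No archive library is needed: the flag
    sits at offset 6 of the 30-byte header."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x0001)


def assess(raw):
    """Score one raw RFC 822 message. 'suspicious' needs three independent
    hits so that a lone generic subject line does not fire on its own."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local in SENDER_LOCAL_PARTS:
        hits.append("sender")
    if msg.get("Subject", "").strip().lower().rstrip(".") in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if ext == "zip" and stem in ZIP_STEMS:
            hits.append("zip-name")
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                hits.append("zip-encrypted")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "password" in text and "attach" in text:
        hits.append("password-lure")
    return {"hits": hits, "suspicious": len(hits) >= 3}


def fake_encrypted_zip(name=b"Message.exe"):
    """Constructed stand-in: one local file header with the encryption bit
    set and no data, which is all the header check looks at."""
    return struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0x0001, 0, 0, 0,
                       0, 0, 0, len(name), 0) + name


def clear_zip():
    """Constructed unencrypted archive, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


def build_sample(lure=True):
    """Constructed test mail: lure=True follows the Bagle-K template with the
    XYZCORP.COM illustration, lure=False is an ordinary internal mail."""
    msg = EmailMessage()
    msg["To"] = "user@xyzcorp.com"
    if not lure:
        msg["From"] = "alice@xyzcorp.com"
        msg["Subject"] = "Re: lunch on Friday"
        msg.set_content("Noon works for me.\n")
        return msg.as_string()
    msg["From"] = "management@xyzcorp.com"
    msg["Subject"] = "E-mail account security warning"
    msg.set_content(
        "Dear user of xyzcorp.com gateway e-mail server,\n\n"
        "Your e-mail account has been temporary disabled because of "
        "unauthorized access.\n\nFor details see the attached file.\n"
        "For security reasons attached file is password protected. "
        'The password is "12345".\n\nThe Management,\nThe xyzcorp.com team\n')
    msg.add_attachment(fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="Message.zip")
    return msg.as_string()


if __name__ == "__main__":
    print(assess(build_sample()))        # five hits, suspicious
    print(assess(build_sample(False)))   # no hits
```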

W32/Bagle-J opens up a backdoor on port 2745 and listens for connections. 
If it receives the appropriate command it attempts to download and 
execute a file. W32/Bagle-J also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-J attempts to terminate several Anti-Virus and security 
related processes:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

W32/Bagle-J searches the mapped drives for folders containing the string 
"shar" in the folder name. If such a folder is found, the worm copies 
itself to the folder using the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

If the date is after 25 April 2005, W32/Bagle-J terminates itself and 
deletes all the registry entries it created when it first ran.

Hidden inside the Bagle-J worm's code is the following text, which is 
never displayed:

Hey,NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a 
war?





W32/Bagle-I

Aliases
I-Worm.Bagle.h

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Bagle-I is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk. The worm searches for files 
with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, 
CFG, ASP, PHP, PL, ADB, TBB and SHT.

When run, the worm copies itself to the Windows system folder as 
i11r54n4.exe and creates the following files in the same folder:

    * go154o.exe - the main DLL component of the worm
    * i1i5n1j4.exe - a DLL plugin used to load go154o.exe
    * i11r54n4.EXEOPEN - a copy of the worm in a password protected ZIP format

W32/Bagle-I adds the value rate.exe = \i11r54n4.exe to the 
registry key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-I runs every time you logon to your computer.

Emails have the following characteristics:
Subject lines:
Hokki =)
Weah, hello! :-)
Weeeeee! :)))
Hi! :-)
:-)
:)
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ :P

Message text: Randomly constructed from one of -
Argh, i don't like the plaintext :)
You have won!!!
The access is open !!!

and

archive password: 
password: 
password -- 
pass: 
 -- archive password
...btw,  is a password for archive
password for archive: 

The attached file is a randomly named ZIP archive with a name chosen 
from the following list:
Attach
TextDocument
Readme
Msg
MsgInfo
Document
Info
AttachedFile
AttachedDocument
TextDocument
Text
TextFile
Letter
MoreInfo
Message

W32/Bagle-I opens up a backdoor on port 2745 and listens for connections. 
If it receives the appropriate command it attempts to download and 
execute a file. W32/Bagle-I also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-I attempts to terminate several anti-virus and 
security-related processes:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

W32/Bagle-I searches mapped drives for folders containing the string 
"shar" in the folder name. If such a folder is found, the worm copies 
itself to the folder using the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

If the date is after 25 March 2005, W32/Bagle-I terminates itself and 
deletes all the registry entries it created.





W32/Netsky-D

Aliases
W32/Netsky.c{at}MM, I-Worm.NetSky.d, Win32/Netsky.D, WORM_NETSKY.D

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Netsky-D is a worm that spreads via email and by copying itself to 
the root folders of available network drives. When sending itself via 
email the worm can forge the sender's email address.

W32/Netsky-D may arrive in an email with the following characteristics:

Subject line: chosen from -

Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website

Message text: chosen from -

Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attached file: chosen from -

all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif

When first run W32/Netsky-D copies itself to the Windows folder as 
winlogon.exe and creates the following registry entry so that 
winlogon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net
= \winlogon.exe -stealth

W32/Netsky-D searches all mapped drives for files with the following 
extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, ADB, 
DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.

W32/Netsky-D attempts to delete the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

W32/Netsky-D queries a fixed list of IP addresses.

W32/Netsky-D is programmed to not forward itself via email if the 
recipient email address contains the following strings:

messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft

W32/Netsky-D attempts to delete some registry entries including ones 
related to the W32/MyDoom-A and W32/MyDoom-B worms in a similar way to 
previous variants.

When the worm is run on 2 March 2004 between 06:00 and 08:59 it may 
cause the computer to beep sporadically.





W32/Bagle-H

Aliases
W32/Bagle-H{at}mm, I-Worm.Bagle.h

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-H is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk. The worm searches for files
with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, 
CFG, ASP, PHP, PL, ADB, TBB and SHT and uses the files to extract the
recipient and the sender email addresses (therefore the sender email 
address is spoofed).

When run the worm copies itself to the Windows system folder as 
i11r54n4.exe and creates the following files in the same folder:

i1i5n1j4.exe - a DLL plugin used to load go154o.exe
go154o.exe - the main DLL component of the worm
i11r54n4.EXEOPEN - a copy of the worm in a password protected ZIP format

W32/Bagle-H adds the value:

rate.exe = \i11r54n4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-H runs every time you logon to your computer.

Emails have the following characteristics:

Subject lines:

Hokki =)
Weah, hello! :-)
Weeeeee! :)))
Hi! :-)
:-)
:)
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ :P

Message text:

Randomly constructed from one of the following sentences:

Argh, i don't like the plaintext :)
I don't bite, weah!
Looking forward for a response :P

and

archive password: 
password: 
password -- 
pass: 
 -- archive password
...btw, "" is a password for archive
password for archive: 

Attached file (extension ZIP):

Attach
TextDocument
Readme
Msg
MsgInfo
Document
Info
AttachedFile
AttachedDocument
TextDocument
Text
TextFile
Letter
MoreInfo
Message

W32/Bagle-H opens up a backdoor on port 2745 and listens for connections.
If an appropriate command is received the worm attempts to download and 
execute a file. W32/Bagle-H also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-H attempts to terminate several anti-virus and security 
related processes:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

W32/Bagle-H searches the mapped drives for the folders containing the 
string "shar" in the folder name. If such a folder is found, the worm 
copies itself to the folder using the following filenames:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

If the date is after 25 March 2005, W32/Bagle-H terminates itself and 
deletes all the registry entries it created when it first ran.





W32/Bagle-G

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-G is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk.

W32/Bagle-G also spreads via peer-to-peer shared folders.

The worm copies itself to the Windows system folder as I1RU54N.EXE and 
creates the following files in the same folder:

II5NJ4.EXE - a DLL plugin used to load GO54O.EXE
GO54O.EXE - the main DLL component of the worm
I1RU54N4.EXEOPEN - an exact copy of the worm or a copy of the worm in 
ZIP format (the ZIP may be password protected)

II5NJ4.EXE is detected by Sophos as W32/Bagle-F.

W32/Bagle-G adds the value:

rate.exe = \i1ru54n4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-G runs every time you logon to your computer.

W32/Bagle-G also creates the following registry entry:

HKCU\Software\winword\frun=1

Emails have the following characteristics:

Subject lines:

Hokki =)
Weah, hello! :-)
Weeeeee! :)))
Hi! :-)
My Name is Frenk
groom
Fotograf
Photoalbum
My photoalbum
Myphotos
My photos
My beautiful person
beautiful
Wau... beautiful (-:
Gallery photos
caroline
Katrina
kleopatra
Caitie
Mary-Anne
Lisa
Bad girl
Julie
Aline
Anna
Barbi
Katrina
Juli
Mary
Mandy
Sara
rebecca
Jammie
kate
Audra
stacy
Rena
Kelley
Tammy
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ :P

Message texts:

Argh, i don't like the plaintext :)
Fell free to chat with me I accept all ages. Don't worry I don't 
bite........
hope to hear from you soon!

If you are going to make me cry, at least be there to wipe away the tears
*Right now the worst thing for you to tell me that I can find someone 
better
thanyou, especially when you are all I want

You don't know what you've got till it's gone *You hurt me more than I
deserve, how can you be so cruel? I love you more thanyou deserve, how 
can I be such a fool?

I sit with elders of a gentle race, whose world is seldom seen.Who sit 
and talk of days for which they wait, when all will be revealed. These 
are song lyrics.

I'm a social butterfly and a natural flirt. Very hard to get my complete
attention. Very open and will answer almost anything. But please don't 
piss me off.I can be sweet and cuddly or a whatever mood I am in that 
day so everyday

Love the outdoors, literature, writing, and athletics

When The Trust is Gone So Is The Love That Fades Like the Rain Washing 
Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This
Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The
Memories Of Our Life Together

I enjoy clean conversations but am open to conversing with women and men
with little ones as well. I am very open-minded. All authorization 
requests will be denied if I don't receive messages and get to know you 
first.

I love camping, dirt track racing, going for walks, and I have 2 cats -
HotRod and Deebo (named from the movie 'Friday' and he lives up to it!).
Life is ever changing, never always easy...

i love to chat to just about anyone!!

If I'm online, it problably means I'm pretty bored....so feel free to 
message me and say hi or whatever else comes to mind at the moment.

Hey people whats goin on? If there is anything you want to know about me 
ask me... I am pretty easygoing I won't bite....not at first anywayz 
hahaa..... one thing I will say on here tho I am not into the Cyber 
thing so don't even ask.....Ciao...

Hi! My name is Shreya and I am a goof off!!! So,If you love the outdoors,
travelling, books, music, movies, laffing, teasingand/or can poke fun at
yourself... please come a hollerin'!!

I love to dance, read poetry, make people laugh, and hug as many people 
a day as i can.

Single Mom of 3,Full time college student, Graduate in December with an
Associates of Applied Science in Computer Information Systems Love the
internet.

My hobbies include crochet, sewing, painting lead figures and playing 
AD&D. Favorite activities include fishing and camping. I love cats, 
unicorns(go figure), and fantasy in general.

I like to be in a company of smart, delicate, and with a good sense of
humor people. I am Bulgarian, currently getting my Master's in 
International Business in USA. Favorite actor: Michael Dudikoff

i'm tall and skiny I'm studying in Pharm. D program in FL. i like music,
movie, dancing, sports, SCUBA diving, traveling and make a lot friends.

Nice friends, nice men, nice sex and feeling great. I don't mind the odd
bout of cybersex as I love to use my imagination when I masterbate.

Hey, guys! by the way, I have no problems with my sexual life, soit's
absolutly useless try to have icq sex or things like that. Thanks

I'm an open minded person and enjoy chatting w/ other people.I'm free 
and willing to chat about anything.So feel free to Imed me if you wanna 
chat.

I love meeting new people and making new friends. I am a Mary Kay Beauty
Consultant. I am married to a wonderful man. We have no children, exept 
for a minature schnauzer that thinks he is a child. Looking forward to 
meeting you.

I am from Taiwan but I study in Camden, New Jersey now. I like to know 
people from different places .

I'm married and I stay at home. And I don't do cyber sex so leave me the 
fuck alone

Looking forward for a response :P

Note, if the attached file is a password protected ZIP the message text 
can end with one of the following:

archive password: 
password: 
pass: 
password for archive: 

Attached file (extension EXE, SCR or ZIP):

Picture, caroline, Katrina, kleopatra, Caitie, Mary-Anne, Lisa, Bad girl,
Julie, Aline, Anna, Barbi, Katrina, Juli, Mary, Mandy, Sara, rebecca, 
Jammie, kate, Audra, stacy, Rena, Kelley, Tammy, myfotos, Gallery, It_I, 
Photoalbum, Photomontage

W32/Bagle-G copies itself to folders containing the text 'shar', for 
example C:\Program files\Common files\Microsoft shared, as the following 
filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

W32/Bagle-G opens up a backdoor on port 2745 and listens for connections. 
If it receives the appropriate command it attempts to download and 
execute a file. The worm also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-G terminates processes with the following names:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

If the date is after 25 March 2005, W32/Bagle-G terminates itself and 
deletes all the registry entries it created when it first ran.





W32/Bagle-F

Aliases
I-Worm.Bagle.f

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-F is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk.

W32/Bagle-F also spreads via peer-to-peer shared folders.

The worm copies itself to the Windows system folder as I1RU54N4.EXE and 
creates the following files in the same folder:

II5NJ4.EXE - a DLL plugin used to load GO54O.EXE
GO54O.EXE - the main DLL component of the worm
I1RU54N4.EXEOPEN - an exact copy of the worm or a copy of the worm in 
ZIP format (the ZIP may be password protected)

W32/Bagle-F adds the value:

rate.exe = \i1ru54n4.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-F runs every time you logon to your computer.

W32/Bagle-F also creates the following registry entry:

HKCU\Software\winword\frun=1

Emails have the following characteristics:

Subject lines:

Hokki =)
Weah, hello! :-)
Weeeeee! :)))
Hi! :-)
My Name is Frenk
groom
Fotograf
Photoalbum
My photoalbum
Myphotos
My photos
My beautiful person
beautiful
Wau... beautiful (-:
Gallery photos
caroline
Katrina
kleopatra
Caitie
Mary-Anne
Lisa
Bad girl
Julie
Aline
Anna
Barbi
Katrina
Juli
Mary
Mandy
Sara
rebecca
Jammie
kate
Audra
stacy
Rena
Kelley
Tammy
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it's me ^_^ :P

Message texts:

Argh, i don't like the plaintext :)
Fell free to chat with me I accept all ages. Don't worry I don't 
bite........
hope to hear from you soon!

If you are going to make me cry, at least be there to wipe away the tears
*Right now the worst thing for you to tell me that I can find someone 
better thanyou, especially when you are all I want

You don't know what you've got till it's gone *You hurt me more than I
deserve, how can you be so cruel? I love you more thanyou deserve, how 
can I be such a fool?

I sit with elders of a gentle race, whose world is seldom seen.Who sit 
and talk of days for which they wait, when all will be revealed. These 
are song lyrics.

I'm a social butterfly and a natural flirt. Very hard to get my complete
attention. Very open and will answer almost anything. But please don't 
piss me off.I can be sweet and cuddly or a whatever mood I am in that 
day so everyday

Love the outdoors, literature, writing, and athletics

When The Trust is Gone So Is The Love That Fades Like the Rain Washing 
Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This
Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The
Memories Of Our Life Together

I enjoy clean conversations but am open to conversing with women and men
with little ones as well. I am very open-minded. All authorization 
requests will be denied if I don't receive messages and get to know you 
first.

I love camping, dirt track racing, going for walks, and I have 2 cats -
HotRod and Deebo (named from the movie 'Friday' and he lives up to it!).
Life is ever changing, never always easy...

i love to chat to just about anyone!!

If I'm online, it problably means I'm pretty bored....so feel free to 
message me and say hi or whatever else comes to mind at the moment.

Hey people whats goin on? If there is anything you want to know about me 
ask me... I am pretty easygoing I won't bite....not at first anywayz 
hahaa..... one thing I will say on here tho I am not into the Cyber 
thing so don't even ask.....Ciao...

Hi! My name is Shreya and I am a goof off!!! So,If you love the outdoors,
travelling, books, music, movies, laffing, teasingand/or can poke fun at
yourself... please come a hollerin'!!

I love to dance, read poetry, make people laugh, and hug as many people 
a day as i can.

Single Mom of 3,Full time college student, Graduate in December with an
Associates of Applied Science in Computer Information Systems Love the
internet.

My hobbies include crochet, sewing, painting lead figures and playing 
AD&D. Favorite activities include fishing and camping. I love cats, 
unicorns(go figure), and fantasy in general.

I like to be in a company of smart, delicate, and with a good sense of
humor people. I am Bulgarian, currently getting my Master's in 
International Business in USA. Favorite actor: Michael Dudikoff

i'm tall and skiny I'm studying in Pharm. D program in FL. i like music,
movie, dancing, sports, SCUBA diving, traveling and make a lot friends.

Nice friends, nice men, nice sex and feeling great. I don't mind the odd
bout of cybersex as I love to use my imagination when I masterbate.

Hey, guys! by the way, I have no problems with my sexual life, soit's
absolutly useless try to have icq sex or things like that. Thanks

I'm an open minded person and enjoy chatting w/ other people.I'm free 
and willing to chat about anything.So feel free to Imed me if you wanna 
chat.

I love meeting new people and making new friends. I am a Mary Kay Beauty
Consultant. I am married to a wonderful man. We have no children, exept 
for a minature schnauzer that thinks he is a child. Looking forward to 
meeting you.

I am from Taiwan but I study in Camden, New Jersey now. I like to know 
people from different places .

I'm married and I stay at home. And I don't do cyber sex so leave me the 
fuck alone

Looking forward for a response :P

Note: if the attached file is a password-protected ZIP, the message text 
can end with one of the following:

archive password: 
password: 
pass: 
password for archive: 

Attached file (extension EXE, SCR or ZIP):

Picture, caroline, Katrina, kleopatra, Caitie, Mary-Anne, Lisa, Bad girl,
Julie, Aline, Anna, Barbi, Katrina, Juli, Mary, Mandy, Sara, rebecca, 
Jammie, kate, Audra, stacy, Rena, Kelley, Tammy, myfotos, Gallery, It_I, 
Photoalbum, Photomontage
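The email characteristics above (a lure subject, a body that closes with one of the password markers, and an EXE/SCR attachment or a password-protected ZIP) can be checked at a mail gateway without knowing the password, because traditional ZIP encryption leaves entry names and the encryption flag bit in the clear. The following is an added example written for this page, not Sophos's detection logic. The messages are constructed, the password 47731 is made up, EXEC_EXT is limited to the .exe and .scr extensions named above, and the "encrypted" fixture only sets the ZIP encryption flag bit (the standard library cannot write encrypted archives), so the metadata check is exercised while the payload stays a harmless stand-in.

```python
"""Gateway triage for Bagle-style lure mails (added example; not Sophos's code)."""
from __future__ import annotations
import email
import email.policy
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Lure strings quoted in the description above (a subset of the subject list).
LURE_SUBJECTS = {"hi! :-)", "photoalbum", "my photos", "katrina", "hey, ya! =))"}
EXEC_EXT = (".exe", ".scr")                  # attachment extensions named above
PASSWORD_RE = re.compile(
    r"^(?:archive password|password for archive|password|pass):\s*(\S+)\s*$", re.I)


def trailing_password(body: str) -> str | None:
    """Return the password if the last non-blank body line is a 'password: xxx' marker."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    m = PASSWORD_RE.match(lines[-1]) if lines else None
    return m.group(1) if m else None


def zip_entries(data: bytes) -> list[tuple[str, bool]] | None:
    """(name, encrypted) for each entry, read from the central directory only.
    ZipCrypto leaves names in the clear, so the lure filename is visible without
    the password. None means the bytes are not a ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def classify(raw: bytes) -> dict:
    """Parse an RFC 822 message; return verdict, reasons and any recovered password."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons, block = [], False
    subject = (msg["subject"] or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    password = trailing_password(body_part.get_content() if body_part else "")
    if password:
        reasons.append("body ends with an archive password marker")
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        payload = att.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):
            reasons.append(f"executable attachment {name!r}")
            block = True
        elif name.endswith(".zip"):
            for inner, encrypted in zip_entries(payload) or []:
                if inner.lower().endswith(EXEC_EXT):
                    tag = "encrypted" if encrypted else "plain"
                    reasons.append(f"{tag} ZIP {name!r} carries executable {inner!r}")
                    block = True
    verdict = "block" if block else ("suspicious" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons, "password": password}


def _set_encryption_flag(zip_bytes: bytes) -> bytes:
    """Test fixture only: set general-purpose flag bit 0 in every local and central
    header so the archive *looks* password-protected. The data is not encrypted."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | 0x0001)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(kind: str) -> bytes:
    """Constructed mails: 'encrypted_zip' and 'plain_zip' mimic the lure,
    'benign' is an ordinary mail with a text attachment. Password 47731 is made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "katrina@example.net", "victim@example.org"
    if kind == "benign":
        msg["Subject"] = "Minutes from Tuesday"
        msg.set_content("Attached as discussed.\n")
        msg.add_attachment("agenda\n", filename="minutes.txt")
        return msg.as_bytes()
    msg["Subject"] = "Katrina"
    msg.set_content("Looking forward for a response :P\n\npassword: 47731\n")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Katrina.exe", b"MZ" + b"\x90" * 64)   # harmless stand-in body
    zdata = zbuf.getvalue()
    if kind == "encrypted_zip":
        zdata = _set_encryption_flag(zdata)
    msg.add_attachment(zdata, maintype="application", subtype="zip", filename="Katrina.zip")
    return msg.as_bytes()
```

A gateway that blocks any encrypted archive whose entry list contains an executable catches W32/Bagle-Zip without ever trying the password; pulling the password out of the body, as classify does, is only useful when you want to open the sample for analysis.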

W32/Bagle-F copies itself to folders containing the text 'shar', for 
example C:\Program files\Common files\Microsoft shared, as the following 
filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

W32/Bagle-F opens up a backdoor on port 2745 and listens for connections. 
If it receives the appropriate command it attempts to download and 
execute a file. The worm also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-F terminates processes with the following names:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

If the date is after 25 March 2005, W32/Bagle-F terminates itself and 
deletes all the registry entries it created when it first ran.





W32/Bagle-D

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-D is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk.

When run the worm opens NOTEPAD.EXE, copies itself to the Windows system
folder as README.EXE and creates the following files in the same folder:

DOC.EXE - a DLL plugin used to load ONDE.EXE
ONDE.EXE - the main DLL component of the worm
README.EXEOPEN - a copy of the worm in ZIP format

W32/Bagle-D adds the value:

gouday.exe = \readme.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-D runs every time you logon to your computer.

W32/Bagle-D also creates the following registry entries:

HKCU\Software\DateTime3\frun=1
HKCU\Software\DateTime3\port=2745
HKCU\Software\DateTime3\uid=

Emails have the following characteristics:

Subject lines:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee

There is no message text.

Attached file: a randomly named ZIP archive

W32/Bagle-D opens up a backdoor on port 2745 and listens for connections.
If it receives the appropriate command it attempts to download and 
execute a file. W32/Bagle-D also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

The worm terminates processes with the following names:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

If the date is after 14 March 2004, W32/Bagle-D terminates itself and 
deletes all the registry entries it created when it first ran.
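The indicators in the Bagle-F and Bagle-D descriptions above, a Run value whose target is a bare "\readme.exe" or "\i1ru54n4.exe" with no folder, the HKCU\Software\DateTime3 (Bagle-D) or HKCU\Software\winword (Bagle-F) marker key, and a listener on port 2745, can all be checked from artefacts exported off a suspect host. The following is an added example, not Sophos's tooling: SAMPLE_REG and SAMPLE_NETSTAT are constructed to look like `reg export` and `netstat -ano` output from a Bagle-D infected machine, the PIDs and addresses are invented, and the parsers cover only the value formats shown.

```python
"""Offline host triage for the Bagle indicators above (added example; not Sophos's)."""
from __future__ import annotations
import re

# Indicators quoted in the descriptions above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED = {"i1ru54n4.exe", "readme.exe"}                  # Bagle-F, Bagle-D main files
MARKER_KEYS = (r"HKEY_CURRENT_USER\Software\winword",      # Bagle-F: frun=1
               r"HKEY_CURRENT_USER\Software\DateTime3")    # Bagle-D: frun, port, uid
BACKDOOR_PORT = 2745
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

# Constructed artefacts from a hypothetical Bagle-D host (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"gouday.exe"="\\readme.exe"

[HKEY_CURRENT_USER\Software\DateTime3]
"frun"=dword:00000001
"port"=dword:00000ab9
"uid"=""
'''
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1684
  TCP    192.168.1.5:1071       198.51.100.7:80        ESTABLISHED     1684
'''


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the [key] / "name"=value layout written by `reg export`.
    String values are unquoted and un-escaped; dwords stay as 'dword:xxxxxxxx'."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name.strip('"')] = value
    return keys


def reg_dword(value: str) -> int | None:
    """Decode a 'dword:00000ab9' export value (0xab9 == 2745)."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else None


def listening_pids(netstat_text: str, port: int = BACKDOOR_PORT) -> list[int]:
    """PIDs that own a TCP listener on `port`, from `netstat -ano` output."""
    pids = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) == port:
            pids.append(int(m.group(2)))
    return pids


def triage(reg_text: str, netstat_text: str) -> dict:
    """Combine Run-key, marker-key and listener evidence into one report."""
    reg = parse_reg_export(reg_text)
    findings = []
    for name, target in reg.get(RUN_KEY, {}).items():
        parts = target.split("\\")[-1].split()
        base = parts[0].strip('"').lower() if parts else ""
        if base in DROPPED:
            findings.append(f"Run value {name!r} launches dropped file {base!r}")
        elif target.startswith("\\"):
            # Bagle writes "\<name>.exe": no drive or folder, resolved at logon
            findings.append(f"Run value {name!r} has unqualified target {target!r}")
    marker_port = None
    for key in MARKER_KEYS:
        if key in reg:
            findings.append(f"marker key present: {key}")
            port = reg_dword(reg[key].get("port", ""))
            if port is not None:
                marker_port = port
                findings.append(f"marker key records backdoor port {port}")
    pids = listening_pids(netstat_text, marker_port or BACKDOOR_PORT)
    if pids:
        findings.append(f"TCP {marker_port or BACKDOOR_PORT} listening, PID(s) {pids}")
    return {"suspicious": bool(findings), "findings": findings,
            "backdoor_pids": pids, "marker_port": marker_port}
```

Two caveats when reading the report. The port in DateTime3 is stored as a dword, so the parser decodes 0xab9 rather than matching the decimal string 2745; and a host examined after the kill date (14 March 2004 for Bagle-D, 25 March 2005 for Bagle-F and Bagle-G) may already have had its Run value and marker keys removed by the worm itself, so an empty triage does not prove the machine was never infected. In that case the dropped files in the Windows system folder and the mail-server logs are the evidence that remains.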

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.