NEW MASS-MAILING VIRUS BAGLE.AF, REQUIRES NEW DATS 4377

msc hotline sat
Messages: 93500
Registered: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 16 Jul 2004, 08:44

First thing this morning we were bombarded with e-mails infected with a new variant of the virus, BAGLE.AF, whose characteristics and propagation techniques make it likely to spread widely, so we are issuing this warning and providing its characteristics as described by McAfee:

Description of Bagle.AF according to McAfee:

__________________________________________



Virus Name: W32/Bagle.af@MM
Risk Assessment:
  Corporate User: Medium-On-Watch
  Home User: Medium-On-Watch

Virus Information
  Discovery Date: 07/15/2004
  Origin: Unknown
  Length: Varies
  Type: Virus
  SubType: E-mail
  Minimum DAT: 4377 (07/15/2004)
  Updated DAT: 4377 (07/15/2004)
  Minimum Engine: 4.3.20
  Description Added: 07/15/2004
  Description Modified: 07/15/2004 6:07 PM (PT)


Virus Characteristics:

The following EXTRA.DAT packages are available, prior to the full DAT release: EXTRA.DAT, SUPER EXTRA.DAT.

This is a mass-mailing worm with the following characteristics:
  contains its own SMTP engine to construct outgoing messages
  harvests email addresses from the victim machine
  the From: address of messages is spoofed
  attachment can be a password-protected zip file, with the password included in the message body
  contains a remote access component (notification is sent to hacker)
  copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
  uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
  terminates processes of security programs and other worms
  deletes registry entries of security programs and other worms

Mail Propagation

From: (address is spoofed)

Attachment names are chosen from the following list:
  Information
  Details
  text_document
  Updates
  Readme
  Document
  Info
  Details
  Message

The worm will use a different set of lists to choose subject and body text from, depending on whether the attachment is sent as a password-protected ZIP file.

The details for non-ZIP files (.EXE, .SCR, .COM, .ZIP, .CPL) are as follows:



Subject:
  Re: Msg reply
  Re: Hello
  Re: Yahoo!
  Re: Thank you!
  Re: Thanks :)
  RE: Text message
  Re: Document
  Incoming message
  Re: Incoming Message
  RE: Incoming Msg
  RE: Message Notify
  Notification
  Changes..
  Update
  Fax Message
  Protected message
  RE: Protected message
  Forum notify
  Site changes
  Re: Hi
  Encrypted document

Body Text:
  Read the attach.
  Your file is attached.
  More info is in attach
  See attach.
  Please, have a look at the attached file.
  Your document is attached.
  Please, read the document.
  Attach tells everything.
  Attached file tells everything.
  Check attached file for details.
  Check attached file.
  Pay attention at the attach.
  See the attached file for details.
  Message is in attach
  Here is the file.

Details for password-protected ZIP files are as follows:

Subject:
  Password:
  Pass -
  Password -

Body Text:
  For security reasons attached file is password protected. The password is
  For security purposes the attached file is password protected. Password --
  Note: Use password to open archive.
  Attached file is protected with the password for security reasons. Password is
  In order to read the attach you have to use the following password:
  Archive password:
  Password -
  Password:

Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:
  .ini
  .cfg
  .txt
  .vxd
  .def
  .dll

These files contain only random garbage characters.





Installation

The virus copies itself into the Windows System directory as sysxp.exe. For example:
  C:\WINNT\SYSTEM32\sysxp.exe

It also creates other files in this directory to perform its functions:
  sysxp.exeopen
  sysxp.exeopenopen

The following Registry key is added to hook system startup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
  ZonesCounterMutex
  ZonesCacheCounterMutex
  MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  'D'r'o'p'p'e'd'S'k'y'N'e't'
  _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  [SkyNet.cz]SystemsMutex
  AdmSkynetJklS003
  ____--->>>>U<<<<--____
  _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
  RasPbFile

The worm opens port 1080 (TCP) on the victim machine and random UDP ports.






Symptoms
  Port 1234 (TCP) open on the victim machine
  Outgoing messages matching the described characteristics
  Files/Registry keys as described






Method Of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
  .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg
  .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The worm will avoid sending itself to email addresses which contain the following strings:
  @hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@
  feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support
  ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab
  winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local
  root@ postmaster@

Peer To Peer Propagation

Files are created in folders that contain the phrase shar:
  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Microsoft Office XP working Crack, Keygen.exe
  Porno, sex, oral, anal cool, awesome!!.exe
  Porno Screensaver.scr
  Serials.txt.exe
  KAV 5.0
  Kaspersky Antivirus 5.0
  Porno pics arhive, xxx.exe
  Windows Sourcecode update.doc.exe
  Ahead Nero 7.exe
  Windown Longhorn Beta Leak.exe
  Opera 8 New!.exe
  XXX hardcore images.exe
  WinAmp 6 New!.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  Adobe Photoshop 9 full.exe
  Matrix 3 Revolution English Subtitles.exe
  ACDSee 9.exe

Registry entry removal

The following list of registry entries for security products and worms is deleted. Each value name is removed from both of these keys:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Value names:
  "My AV"
  "Zone Labs Client Ex"
  "9XHtProtect"
  "Antivirus"
  "Special Firewall Service"
  "service"
  "Tiny AV"
  "ICQNet"
  "HtProtect"
  "NetDy"
  "Jammer2nd"
  "FirewallSvr"
  "MsInfo"
  "SysMonXP"
  "EasyAV"
  "PandaAVEngine"
  "Norton Antivirus AV"
  "KasperskyAVEng"
  "SkynetsRevenge"
  "ICQ Net"

Remote Access Component

The virus listens on TCP port 1080 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites, calling a PHP script on the remote sites.





__________________________________________



It should be noted that it arrives by e-mail and through shared P2P resources (Kazaa, eMule, iMesh, eDonkey, etc.).



The e-mails arrive with an attached file in a variety of extensions, including password-protected ZIP, so as to slip past the corporate antivirus on mail servers, such as GroupShield or WebShield, for now (we have verified this first-hand).



The addresses it puts as the senders of the e-mails are FAKE, chosen at random from those found in the files of the infected computer, as other versions of the same virus did, and as did MyDoom, Sober and the sadly famous NetSky.



It opens a backdoor giving the hacker access to the infected machines, listening on TCP port 1080.



It deletes the startup keys of some security applications, such as the ZoneAlarm and Norton firewalls and some antivirus products such as Kaspersky, Symantec, etc., leaving the machines equipped with them unprotected. It also terminates the in-memory tasks and processes of most security software, antivirus, firewalls, etc.



It copies itself into shared P2P folders, using various names under which it copies itself into folders whose name contains the string SHAR.

In addition, it periodically connects to a list of PHP websites to report its presence on the infected computer, so that the hacker can connect to them through the backdoor installed on port 1080.



One way to tell whether you have the virus is to look for SYSXP.* files in the system directory of the suspect machines. If the virus is present, it will have created three files in that folder with different extensions, EXE, EXEOPEN and EXEOPENOPEN, the first of which is invoked by a key it creates in the system registry, launching the virus on every Windows restart.



We have now uploaded to this site the utility ELIBAGLA.EXE version 2.7, which detects and removes it and restores the registry keys modified by this virus.



---v2.7--- (16 July 2004) (for Bagle.AF)



https://foros.zonavirus.com/viewtopic.php?p=68#68



regards



ms, 16-07-2004
Last edited by msc hotline sat on 16 Jul 2004, 11:11, edited 1 time in total.
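As an added example (not code from the post, McAfee or the zonavirus tool), a mail-gateway heuristic in Python that matches a message's subject, body and attachment name against the Bagle.af lure lists quoted above, including the password-protected ZIP variant whose body text is a fixed phrase followed by the password. The quarantine threshold (a listed attachment name plus at least one text indicator) is my assumption.

```python
import os
# Lure strings copied from the McAfee write-up quoted above (lower-cased for matching).
SUBJECTS_PLAIN = {
    "re: msg reply", "re: hello", "re: yahoo!", "re: thank you!", "re: thanks :)",
    "re: text message", "re: document", "incoming message", "re: incoming message",
    "re: incoming msg", "re: message notify", "notification", "changes..", "update",
    "fax message", "protected message", "re: protected message", "forum notify",
    "site changes", "re: hi", "encrypted document"}
SUBJECTS_ZIP = {"password:", "pass -", "password -"}
BODIES_PLAIN = {
    "read the attach.", "your file is attached.", "more info is in attach", "see attach.",
    "please, have a look at the attached file.", "your document is attached.",
    "please, read the document.", "attach tells everything.", "attached file tells everything.",
    "check attached file for details.", "check attached file.", "pay attention at the attach.",
    "see the attached file for details.", "message is in attach", "here is the file."}
# For ZIP lures the random password follows one of these fixed phrases, so match by prefix.
BODY_ZIP_PREFIXES = (
    "for security reasons attached file is password protected. the password is",
    "for security purposes the attached file is password protected. password --",
    "note: use password to open archive.",
    "attached file is protected with the password for security reasons. password is",
    "in order to read the attach you have to use the following password:",
    "archive password:", "password -", "password:")
ATTACH_STEMS = {"information", "details", "text_document", "updates", "readme", "document", "info", "message"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".zip", ".cpl"}

def _norm(text):
    # Collapse whitespace and lower-case so the list lookups are exact.
    return " ".join(text.split()).lower()

def classify_message(subject, body, attachment):
    """Return the Bagle.af lure indicators a message matches (subject, body, attachment order)."""
    hits = []
    subj, text = _norm(subject), _norm(body)
    stem, ext = os.path.splitext(os.path.basename(attachment))
    if subj in SUBJECTS_PLAIN:
        hits.append("subject")
    elif subj in SUBJECTS_ZIP:
        hits.append("subject (zip lure)")
    if text in BODIES_PLAIN:
        hits.append("body text")
    elif text.startswith(BODY_ZIP_PREFIXES):
        hits.append("body (zip lure)")
    if stem.lower() in ATTACH_STEMS and ext.lower() in ATTACH_EXTS:
        hits.append("attachment name")
    return hits

def is_bagle_lure(subject, body, attachment):
    """Quarantine rule (my threshold): a listed attachment name plus at least one text indicator."""
    hits = classify_message(subject, body, attachment)
    return "attachment name" in hits and len(hits) >= 2
```

Because the lists are exact strings, a single unlisted subject such as "Update" on its own does not trigger quarantine; the attachment-name requirement keeps ordinary mail with those common subjects out of the net.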


Post by msc hotline sat » 16 Jul 2004, 10:44

Information in Spanish on this virus, according to vsantivirus:



http://www.vsantivirus.com/bagle-af.htm



regards



ms, 16-07-2004
