Description of Bagle.AF according to McAfee:
__________________________________________
Virus Name: W32/Bagle.af@MM
Risk Assessment: Corporate User: Medium-On-Watch; Home User: Medium-On-Watch
Virus Information
Discovery Date: 07/15/2004
Origin: Unknown
Length: Varies
Type: Virus
SubType: E-mail
Minimum DAT: 4377 (07/15/2004)
Updated DAT: 4377 (07/15/2004)
Minimum Engine: 4.3.20
Description Added: 07/15/2004
Description Modified: 07/15/2004 6:07 PM (PT)
Virus Characteristics:
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment can be a password-protected zip file, with the password included in the message body.
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
uses various mutex names selected from those that W32/Netsky variants have used, in order to prevent those W32/Netsky variants from running on infected machines
terminates processes of security programs and other worms
deletes registry entries of security programs and other worms
Mail Propagation
From: (address is spoofed)
Attachment names are chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
Message
The worm will use a different set of lists to choose subject and body text from, depending on whether the attachment is sent as a password-protected ZIP file.
The details for non-ZIP files (.EXE, .SCR, .COM, .ZIP, .CPL) are as follows:
Subject:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Body Text:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
Details for password-protected ZIP files are as follows:
Subject:
Password:
Pass -
Password -
Body Text:
For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password to open archive.
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password -
Password:
Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:
.ini
.cfg
.txt
.vxd
.def
.dll
These files contain only random garbage-characters.
Installation
The virus copies itself into the Windows System directory as sysxp.exe. For example:
C:\WINNT\SYSTEM32\sysxp.exe
It also creates other files in this directory to perform its functions:
sysxp.exeopen
sysxp.exeopenopen
The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
ZonesCounterMutex
ZonesCacheCounterMutex
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
RasPbFile
The worm opens port 1080 (TCP) on the victim machine and random UDP ports.
Symptoms
Port 1234 (TCP) open on the victim machine
Outgoing messages matching the described characteristics
Files/Registry keys as described
Method Of Infection
Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
The virus spoofs the sender address by using a harvested address in the From: field.
The worm will avoid sending itself to email addresses which contains the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
Peer To Peer Propagation
Files are created in folders that contain the phrase shar:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
Registry entry removal
The following list of registry entries for security products and worms is deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "My AV"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "My AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Zone Labs Client Ex"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "Zone Labs Client Ex"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "9XHtProtect"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "9XHtProtect"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Antivirus"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "Antivirus"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Special Firewall Service"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "Special Firewall Service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "service"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "service"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Tiny AV"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "Tiny AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "ICQNet"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "ICQNet"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "HtProtect"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "HtProtect"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "NetDy"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "NetDy"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Jammer2nd"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "Jammer2nd"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "FirewallSvr"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "FirewallSvr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "MsInfo"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "MsInfo"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "SysMonXP"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "SysMonXP"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "EasyAV"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "EasyAV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "PandaAVEngine"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "PandaAVEngine"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Norton Antivirus AV"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "Norton Antivirus AV"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "KasperskyAVEng"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "KasperskyAVEng"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "SkynetsRevenge"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "SkynetsRevenge"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "ICQ Net"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "ICQ Net"
Remote Access Component
The virus listens on TCP port 1080 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites.
__________________________________________
It is worth noting that it arrives by e-mail and through P2P shared resources (Kazaa, eMule, iMesh, eDonkey, etc.).
The e-mails arrive with an attached file in a variety of extensions, including password-protected ZIP, in order to slip past the corporate antivirus on mail servers, such as GroupShield or WebShield for now (we have been able to verify this the hard way).
The addresses it puts as the senders of the e-mails are FAKE, chosen at random from those found in the files on the infected computer, just as other versions of the same virus did, and just like MyDoom, Sober and the sadly famous NetSky.
It opens a backdoor giving the hacker access to the infected machines, listening on TCP port 1080.
It deletes the startup keys of some security applications, such as the ZoneAlarm and Norton firewalls, etc., and some antivirus products such as Kaspersky, Symantec, etc., so the machines running them are left unprotected. It also terminates the tasks and in-memory processes of most security software, antivirus, firewalls, etc.
It makes a copy of itself in P2P shared folders, using various different names, copying itself into folders whose name contains the string SHAR.
In addition, it periodically connects to a list of PHP websites which it informs of its presence on the infected computer, so that the hacker can connect to them through the backdoor installed on port 1080.
One way to check whether you have the virus is to look for SYSXP.* files in the system directory of the suspect machines. If the virus were present, it would have created three files in that folder with different extensions, EXE, EXEOPEN and EXEOPENOPEN, the first of which is invoked by a key it creates in the system registry, launching the virus on every Windows restart.
We have now uploaded to this website the ELIBAGLA.EXE utility, version 2.7, which detects, removes and restores the registry keys modified by this virus.
---v2.7--- (16 July 2004) (for Bagle.AF)
Regards
ms, 16-07-2004
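Added example (not McAfee's code, not the forum author's, and not part of ELIBAGLA): the post above notes that the password-protected ZIP gets past content-scanning gateways such as GroupShield or WebShield, because the scanner cannot open the archive. What a gateway can still see is the shape of the lure described in the advisory: the attachment base names and extensions, the "password is ..." sentence in the body paired with an archive whose entries carry the encryption flag, and the second garbage member (.ini, .cfg, .txt, .vxd, .def, .dll) packed next to the executable. The script below scores a message on those indicators. The subject and name lists are subsets of the ones quoted above, the regular expression for the password sentence is my own, and both sample messages are constructed here for the demo (the "encrypted" flag is set by patching the ZIP headers, since the standard library cannot write encrypted entries and the check only needs the flag).

```python
"""Mail-gateway triage for Bagle.AF-style lures (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subsets of the lists quoted in the McAfee description above.
ATTACH_STEMS = {"information", "details", "text_document", "updates",
                "readme", "document", "info", "message"}
ATTACH_EXTS = {"exe", "scr", "com", "zip", "cpl"}
EXEC_EXTS = {"exe", "scr", "com", "cpl"}
DECOY_EXTS = {"ini", "cfg", "txt", "vxd", "def", "dll"}
LURE_SUBJECTS = {"re: msg reply", "re: hello", "re: thank you!", "protected message",
                 "encrypted document", "password:", "pass -", "password -"}
# Assumed pattern for the "password is 1234" / "Password: 1234" / "Password -- 1234" sentences.
PASSWORD_RE = re.compile(r"password\s*(?:is|:|-+)\s*\S+", re.I)


def split_name(name):
    stem, _, ext = name.rpartition(".")
    return stem.lower(), ext.lower()


def zip_report(data):
    """Return (encrypted, member_exts) for a ZIP blob; (False, set()) if not a ZIP."""
    if not isinstance(data, bytes):
        return False, set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False, set()
    # Bit 0 of the general-purpose flag marks a password-protected member.
    # It sits in the plaintext headers, so no password is needed to read it.
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    return encrypted, {split_name(info.filename)[1] for info in infos}


def triage(raw):
    """Score one RFC 822 message; two or more indicators flag it as suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["subject"] or "").strip().lower() in LURE_SUBJECTS:
        reasons.append("subject from Bagle lure list")
    body = msg.get_body(preferencelist=("plain",))
    password_in_body = bool(PASSWORD_RE.search(body.get_content() if body else ""))
    for part in msg.iter_attachments():
        stem, ext = split_name(part.get_filename() or "")
        if stem in ATTACH_STEMS and ext in ATTACH_EXTS:
            reasons.append(f"attachment name matches lure list: {stem}.{ext}")
        encrypted, member_exts = zip_report(part.get_content())
        if encrypted and password_in_body:
            reasons.append("password-protected ZIP with password in body")
        if member_exts & EXEC_EXTS and member_exts & DECOY_EXTS:
            reasons.append("executable plus garbage decoy member inside ZIP")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def make_zip(members, encrypted_flag):
    """Build an in-memory ZIP (stored, uncompressed); optionally set the encryption
    flag bit in every local and central-directory header. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + offset] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def sample_lure():
    """Constructed message following the password-protected variant above."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"  # spoofed harvested address in the real thing
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Password:"
    msg.set_content("For security reasons attached file is password protected. The password is 47381")
    archive = make_zip({"Details.exe": b"MZ" + b"\x90" * 64, "qmxv.vxd": b"garbage" * 8}, True)
    msg.add_attachment(archive, maintype="application", subtype="zip", filename="Details.zip")
    return msg.as_bytes()


def sample_benign():
    """Constructed ordinary message with a plain ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: lunch"
    msg.set_content("Notes from today attached.")
    msg.add_attachment(make_zip({"notes.txt": b"agenda"}, False),
                       maintype="application", subtype="zip", filename="notes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", sample_lure()), ("benign", sample_benign())):
        print(name, triage(raw))
```

The encryption flag check is the useful part: a gateway that cannot inspect the archive can still refuse or quarantine an encrypted ZIP whose covering e-mail hands out the password, which is exactly the combination no legitimate sender produces.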
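Added example (my own code, not ELIBAGLA and not McAfee's): the post suggests looking for SYSXP.* in the system directory, and the description above also gives the Run key value, the P2P drop names and the "shar" folder rule. The script below does that triage offline, against a directory tree (a mounted image or a copied triage package) plus a .reg export of the Run keys, so it does not need to run on the live machine. The P2P name list is a subset of the one above, the .reg parser handles REG_SZ values only, and the sample tree and export are constructed in the block.

```python
"""Offline host triage for the Bagle.AF artefacts described above (added example)."""
import os
import tempfile

DROPPED = ("sysxp.exe", "sysxp.exeopen", "sysxp.exeopenopen")
RUN_KEY = r"software\microsoft\windows\currentversion\run"
# Subset of the P2P drop names quoted in the description.
P2P_LURES = {"serials.txt.exe", "opera 8 new!.exe", "acdsee 9.exe", "winamp 6 new!.exe",
             "windows sourcecode update.doc.exe", "porno screensaver.scr"}


def find_dropped(system_dir):
    """Names from DROPPED present in the system directory (case-insensitive)."""
    return sorted(n for n in os.listdir(system_dir) if n.lower() in DROPPED)


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports double every backslash inside REG_SZ data.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def run_values_launching(keys, exe="sysxp.exe"):
    """Run-key values whose command ends in the dropped executable."""
    hits = []
    for path, values in keys.items():
        if path.lower().endswith(RUN_KEY):
            hits += [(path, name, data) for name, data in values.items()
                     if data.lower().endswith(exe)]
    return hits


def find_p2p_drops(root):
    """Lure file names inside any folder whose own name contains 'shar'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" in os.path.basename(dirpath).lower():
            hits += [os.path.join(dirpath, f) for f in files if f.lower() in P2P_LURES]
    return sorted(hits)


def triage(root, system_dir, reg_text):
    """Combine the three checks into one report of basenames and Run-key hits."""
    return {
        "dropped": find_dropped(system_dir),
        "run_values": run_values_launching(parse_reg_export(reg_text)),
        "p2p_drops": [os.path.basename(p) for p in find_p2p_drops(root)],
    }


def build_sample():
    """Constructed tree and .reg text mimicking an infected WINNT host."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "WINNT", "SYSTEM32")
    share = os.path.join(root, "Program Files", "Kazaa", "My Shared Folder")
    os.makedirs(sysdir)
    os.makedirs(share)
    for name in DROPPED + ("ntoskrnl.exe",):
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(b"MZ")
    for name, content in (("Serials.txt.exe", b"MZ"), ("holiday.jpg", b"\xff\xd8")):
        with open(os.path.join(share, name), "wb") as f:
            f.write(content)
    reg = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"key"="C:\\WINNT\\SYSTEM32\\sysxp.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
'''
    return root, sysdir, reg


if __name__ == "__main__":
    root, sysdir, reg = build_sample()
    print(triage(root, sysdir, reg))
```

On a real host the same three checks map to a listing of %SystemRoot%\System32, a `reg export` of the HKCU and HKLM Run keys, and a walk of the P2P shared folders; a hit on the Run value alone is enough to treat the machine as infected, since nothing legitimate launches sysxp.exe.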