NEW BAGLE VARIANT HANDLED FROM DAT 4359. USE SDATDAILY

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)


Post by msc hotline sat » 07 May 2004, 16:10

McAfee warns us of a new BAGLE variant that is not yet handled by antivirus products. It will be handled by DATS 4359, but it can already be detected now using the CONTINUOUS DATS, which McAfee users install by running SDATDAILY:

__________________________________________

Virus Name: W32/Bagle.ab@MM
Risk Assessment: Corporate User: Low / Home User: Low

Virus Information

Discovery Date: 05/06/2004

Origin: Unknown

Length: Varies

Type: Virus

SubType: E-mail worm

Minimum DAT: 4359 (05/12/2004)

Updated DAT: 4359 (05/12/2004)

Minimum Engine: 4.2.40

Description Added: 05/06/2004

Description Modified: 05/06/2004 3:53 PM (PT)

Virus Characteristics:

This variant is a very minor change from W32/Bagle.aa@MM. It is packed using UPX. The ZIP files and the scripts within the messages created by this virus are picked up with 4354 and higher DATs as W32/Bagle.gen!pwdzip and W32/Bagle.aa@MM respectively.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages

harvests email addresses from the victim machine

the From: address of messages is spoofed

attachment can be a password-protected zip file, with the password included in the message body.

contains a remote access component (notification is sent to hacker)

copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

When executed it will display a false message (screenshot not reproduced here).

Mail Propagation

The details are as follows:

From: (address is spoofed)

Subject:

Re: Msg reply

Re: Hello

Re: Yahoo!

Re: Thank you!

Re: Thanks :)

RE: Text message

Re: Document

Incoming message

Re: Incoming Message

RE: Incoming Msg

RE: Message Notify

Notification

Changes..

New changes

Hidden message

Fax Message Received

Protected message

RE: Protected message

Forum notify

Site changes

Re: Hi

Encrypted document

Body Text:

Uses various constructed strings

Attachment: May be one of the following:

Information

Details

text_document

Readme

Document

Info

the_message

Details

MoreInfo

Message

You_will_answer_to_me

Half_Live

Counter_strike

Loves_money

the_message

Alive_condom

Joke

Toy

Nervous_illnesses

Manufacture

You_are_dismissed

Your_complaint

Your_money

Smoke

I_search_for_you

using one of the following extensions:

Script dropper - using one of the following file extensions:

HTA

VBS

Executable, using one of the following file extensions:

exe

scr

com

cpl

Executable dropper, CPL file with .CPL file extension.

The executable uses the following icon: (icon image not reproduced here)

The CPL file uses the following icon: (icon image not reproduced here)

The virus copies itself into the Windows System directory as drvddll.exe. For example:

C:\WINNT\SYSTEM32\drvddll.exe

It also creates other files in this directory to perform its functions:

drvddll.exeopen (Copy of the worm)

drvddll.exeopenopen (Copy of the worm)

A file with the name of CPLSTUB.EXE is dropped into the %Windir% folder. This is another copy of the worm.

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "drvddll.exe" = C:\WINNT\SYSTEM32\drvddll.exe

This worm attempts to terminate the processes of security programs with the following filenames:

AGENTSVR.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATWATCH.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVGSERV9.EXE

AVLTMAIN.EXE

AVPUPD.EXE

AVSYNMGR.EXE

AVWUPD32.EXE

AVXQUAR.EXE

AVprotect9x.exe

BD_PROFESSIONAL.EXE

BIDEF.EXE

BIDSERVER.EXE

BIPCP.EXE

BIPCPEVALSETUP.EXE

BISP.EXE

BLACKD.EXE

BLACKICE.EXE

BOOTWARN.EXE

BORG2.EXE

BS120.EXE

CDP.EXE

CFGWIZ.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLEAN.EXE

CLEANER.EXE

CLEANER3.EXE

CLEANPC.EXE

CMGRDIAN.EXE

CMON016.EXE

CPD.EXE

CPF9X206.EXE

CPFNT206.EXE

CV.EXE

CWNB181.EXE

CWNTDWMO.EXE

DEFWATCH.EXE

DEPUTY.EXE

DPF.EXE

DPFSETUP.EXE

DRWATSON.EXE

DRWEBUPW.EXE

ENT.EXE

ESCANH95.EXE

ESCANHNT.EXE

ESCANV95.EXE

EXANTIVIRUS-CNET.EXE

FAST.EXE

FIREWALL.EXE

FLOWPROTECTOR.EXE

FP-WIN_TRIAL.EXE

FRW.EXE

FSAV.EXE

FSAV530STBYB.EXE

FSAV530WTBYB.EXE

FSAV95.EXE

GBMENU.EXE

GBPOLL.EXE

GUARD.EXE

GUARDDOG.EXE

HACKTRACERSETUP.EXE

HTLOG.EXE

HWPE.EXE

IAMAPP.EXE

IAMSERV.EXE

ICLOAD95.EXE

ICLOADNT.EXE

ICMON.EXE

ICSSUPPNT.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IFW2000.EXE

IPARMOR.EXE

IRIS.EXE

JAMMER.EXE

KAVLITE40ENG.EXE

KAVPERS40ENG.EXE

KERIO-PF-213-EN-WIN.EXE

KERIO-WRL-421-EN-WIN.EXE

KERIO-WRP-421-EN-WIN.EXE

KILLPROCESSSETUP161.EXE

LDPRO.EXE

LOCALNET.EXE

LOCKDOWN.EXE

LOCKDOWN2000.EXE

LSETUP.EXE

LUALL.EXE

LUCOMSERVER.EXE

LUINIT.EXE

MCAGENT.EXE

MCUPDATE.EXE

MFW2EN.EXE

MFWENG3.02D30.EXE

MGUI.EXE

MINILOG.EXE

MOOLIVE.EXE

MRFLUX.EXE

MSCONFIG.EXE

MSINFO32.EXE

MSSMMC32.EXE

MU0311AD.EXE

NAV80TRY.EXE

NAVAPW32.EXE

NAVDX.EXE

NAVSTUB.EXE

NAVW32.EXE

NC2000.EXE

NCINST4.EXE

NDD32.EXE

NEOMONITOR.EXE

NETARMOR.EXE

NETINFO.EXE

NETMON.EXE

NETSCANPRO.EXE

NETSPYHUNTER-1.2.EXE

NETSTAT.EXE

NISSERV.EXE

NISUM.EXE

NMAIN.EXE

NORTON_INTERNET_SECU_3.0_407.EXE

NPF40_TW_98_NT_ME_2K.EXE

NPFMESSENGER.EXE

NPROTECT.EXE

NSCHED32.EXE

NTVDM.EXE

NUPGRADE.EXE

NVARCH16.EXE

NWINST4.EXE

NWTOOL16.EXE

OSTRONET.EXE

OUTPOST.EXE

OUTPOSTINSTALL.EXE

OUTPOSTPROINSTALL.EXE

PADMIN.EXE

PANIXK.EXE

PAVPROXY.EXE

PCC2002S902.EXE

PCC2K_76_1436.EXE

PCCIOMON.EXE

PCDSETUP.EXE

PCFWALLICON.EXE

PCIP10117_0.EXE

PDSETUP.EXE

PERISCOPE.EXE

PERSFW.EXE

PF2.EXE

PFWADMIN.EXE

PINGSCAN.EXE

PLATIN.EXE

POPROXY.EXE

POPSCAN.EXE

PORTDETECTIVE.EXE

PPINUPDT.EXE

PPTBC.EXE

PPVSTOP.EXE

PROCEXPLORERV1.0.EXE

PROPORT.EXE

PROTECTX.EXE

PSPF.EXE

PURGE.EXE

PVIEW95.EXE

QCONSOLE.EXE

QSERVER.EXE

RAV8WIN32ENG.EXE

REGEDIT.EXE

REGEDT32.EXE

RESCUE.EXE

RESCUE32.EXE

RRGUARD.EXE

RSHELL.EXE

RTVSCN95.EXE

RULAUNCH.EXE

SAFEWEB.EXE

SBSERV.EXE

SD.EXE

SETUPVAMEEVAL.EXE

SETUP_FLOWPROTECTOR_US.EXE

SFC.EXE

SGSSFW32.EXE

SH.EXE

SHELLSPYINSTALL.EXE

SHN.EXE

SMC.EXE

SOFI.EXE

SPF.EXE

SPHINX.EXE

SPYXX.EXE

SS3EDIT.EXE

ST2.EXE

SUPFTRL.EXE

SUPPORTER5.EXE

SYMPROXYSVC.EXE

SYSEDIT.EXE

TASKMON.EXE

TAUMON.EXE

TAUSCAN.EXE

TC.EXE

TCA.EXE

TCM.EXE

TDS-3.EXE

TDS2-98.EXE

TDS2-NT.EXE

TFAK5.EXE

TGBOB.EXE

TITANIN.EXE

TITANINXP.EXE

TRACERT.EXE

TRJSCAN.EXE

TRJSETUP.EXE

TROJANTRAP3.EXE

UNDOBOOT.EXE

UPDATE.EXE

VBCMSERV.EXE

VBCONS.EXE

VBUST.EXE

VBWIN9X.EXE

VBWINNTW.EXE

VCSETUP.EXE

VFSETUP.EXE

VIRUSMDPERSONALFIREWALL.EXE

VNLAN300.EXE

VNPC3000.EXE

VPC42.EXE

VPFW30S.EXE

VPTRAY.EXE

VSCENU6.02D30.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSISETUP.EXE

VSMAIN.EXE

VSMON.EXE

VSSTAT.EXE

VSWIN9XE.EXE

VSWINNTSE.EXE

VSWINPERSE.EXE

W32DSM89.EXE

W9X.EXE

WATCHDOG.EXE

WEBSCANX.EXE

WGFE95.EXE

WHOSWATCHINGME.EXE

WINRECON.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZAUINST.EXE

ZONALM2601.EXE

ZONEALARM.EXE

The worm opens port 2535 (TCP) on the victim machine.

Symptoms

Port 2535 (TCP) open on the victim machine

Outgoing messages matching the described characteristics

Files/Registry keys as described

Method Of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.wab

.txt

.msg

.htm

.shtm

.stm

.xml

.dbx

.mbx

.mdx

.eml

.nch

.mmf

.ods

.cfg

.asp

.php

.pl

.wsh

.adb

.tbb

.sht

.xls

.oft

.uin

.cgi

.mht

.dhtm

.jsp

Remote Access Component

The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script does not exist on any of these sites.

http://www.spiegel.de/5.php

http://www.leipziger-messe.de/5.php

http://www.mobile.de/5.php

http://www.neformal.de/5.php

http://www.avh.de/5.php

http://www.goethe.de/5.php

http://www.degruyter.de/5.php

http://www.heise.de/5.php

http://www.autoscout24.de/5.php

http://www.russische-botschaft.de/5.php

http://www.bmbf.de/5.php

http://www.berlinale.de/5.php

http://www.hamann-motorsport.de/5.php

http://Spaceclub.de/5.php

http://www.fracht-24.de/5.php

http://www.loveparade.de/5.php

http://www.dalnoboyshik.de/5.php

http://www.deutschland.de/5.php

http://www.ac-schnitzer.de/5.php

http://abakan.strana.de/5.php

http://www.emis.de/5.php

http://www.dwd.de/5.php

http://www.ifdesign.de/5.php

http://www.beckers-systems.de/5.php

http://www.pri-wo-hamburg.de/5.php

http://virtualzone.de/5.php

http://www.mitsumi.de/5.php

http://www.fu-berlin.de/5.php

http://www.nabu.de/5.php

http://www.tekeli.de/5.php

http://www.welt.de/5.php

http://www.gospel-nations.de/5.php

http://www.neznakomez.de/5.php

http://www.tecchannel.de/5.php

http://www.php-resource.de/5.php

http://www.windac.de/5.php

http://www.gsi.de/5.php

http://www.turism.de/5.php

http://jakimov.golos.de/5.php

http://www.www.mirko-becker.gmxhome.de/5.php

http://vg.xtonne.de/5.php

http://www.go-amman.de/5.php

http://3treepoint.com/5.php

http://www.restarted-alliance.de/5.php

http://2udar.ligakvn.de/5.php

http://www.sprach-zertifikat.de/5.php

http://www.dfg.de/5.php

http://www.kliniken.de/5.php

http://www.winfuture.de/5.php

http://www.hamburg.de/5.php

http://www.auma.de/5.php

http://www.teac.de/5.php

http://www.eumetsat.de/5.php

http://www.documenta.de/5.php

http://hardvision.ru/5.php

http://www.bruecke-osteuropa.de/5.php

http://www.mk-motorsport.de/5.php

http://www.bundesregierung.de/5.php

http://ditec.um.es/5.php

http://www.insel-ruegen-hotel.de/5.php

http://www.tib.uni-hannover.de/5.php

http://www.chugai.de/5.php

http://www.blauer-engel.de/5.php

http://www.partner-inform.de/5.php

http://250x.com/5.php

http://villakinderbunt.de/5.php

http://s318.evanzo-server.de/5.php

http://andimeisslein.de/5.php

http://tobimayer.de/5.php

http://markusgimenez.de/5.php

http://www.fiz-karlsruhe.de/5.php

http://www.gdch.de/5.php

http://www.intermatgmbh.de/5.php

http://www.hotel-pension-spree.de/5.php

http://vg.xtonne.de/5.php

http://www.low-spirit.de/5.php

http://www.red-dot.de/5.php

http://www.fernuni-hagen.de/5.php

http://www.ruletka.de/5.php

http://www.deutsch-als-fremdsprache.de/5.php

http://www.uni-oldenburg.de/5.php

http://fotos.schneider.bards.de/5.php

http://www.deutsches-museum.de/5.php

http://www.de-bug.de/5.php

http://www.uni-stuttgart.de/5.php

http://www.embl-heidelberg.de/5.php

http://www.mdz-moskau.de/5.php

http://www.mitsubishi-evs.de/5.php

http://www.siegenia-aubi.com/5.php

http://www.cicv.fr/5.php

http://www.paromi.de/5.php

http://www.jura.uni-sb.de/5.php

http://www.exactaudiocopy.de/5.php

Peer To Peer Propagation

Files are created in folders that contain the phrase shar:

Microsoft Office 2003 Crack, Working!.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Microsoft Office XP working Crack, Keygen.exe

Porno, sex, oral, anal cool, awesome!!.exe

Porno Screensaver.scr

Serials.txt.exe

KAV 5.0

Kaspersky Antivirus 5.0

Porno pics arhive, xxx.exe

Windows Sourcecode update.doc.exe

Ahead Nero 7.exe

Windown Longhorn Beta Leak.exe

Opera 8 New!.exe

XXX hardcore images.exe

WinAmp 6 New!.exe

WinAmp 5 Pro Keygen Crack Update.exe

Adobe Photoshop 9 full.exe

Matrix 3 Revolution English Subtitles.exe

ACDSee 9.exe

__________________________________________

Although it is still in the early stages of propagation, given that the BAGLE family usually reaches high levels of propagation through mass e-mail, this alert is being issued.

If the risk is raised to MEDIUM, McAfee will bring forward the release of DATS 4359, initially scheduled for next Wednesday night, as is normally the case.

regards



ms, 07-05-2004
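The advisory quoted above gives a mail gateway enough to score inbound messages on its own: the fixed subject lines, the attachment base names, the script-dropper and executable extensions, and the password-protected ZIP whose password sits in the message body. The following is an added example written for this thread, not McAfee's code nor the poster's, and uses only the Python standard library; the sample messages it builds are constructed, not real captures, and the quarantine threshold (any attachment indicator, or two indicators of any kind) is an assumption chosen to keep "Re: Hello" alone from quarantining ordinary mail.

```python
"""Mail-gateway heuristic for W32/Bagle.ab@MM-style messages (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the advisory, compared case-insensitively.
BAGLE_SUBJECTS = {
    "re: msg reply", "re: hello", "re: yahoo!", "re: thank you!", "re: thanks :)",
    "re: text message", "re: document", "incoming message", "re: incoming message",
    "re: incoming msg", "re: message notify", "notification", "changes..",
    "new changes", "hidden message", "fax message received", "protected message",
    "re: protected message", "forum notify", "site changes", "re: hi",
    "encrypted document",
}

# Attachment base names quoted in the advisory (extension stripped).
BAGLE_ATTACH_NAMES = {
    "information", "details", "text_document", "readme", "document", "info",
    "the_message", "moreinfo", "message", "you_will_answer_to_me", "half_live",
    "counter_strike", "loves_money", "alive_condom", "joke", "toy",
    "nervous_illnesses", "manufacture", "you_are_dismissed", "your_complaint",
    "your_money", "smoke", "i_search_for_you",
}

# Script-dropper (HTA, VBS) and executable (exe, scr, com, cpl) extensions.
DANGEROUS_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl"}

# The worm ships the ZIP password in the body text; look for the word there.
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def score_message(raw: bytes) -> dict:
    """Return {'verdict': 'quarantine' | 'deliver', 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in BAGLE_SUBJECTS:
        reasons.append(f"subject matches Bagle.ab list: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, dot, ext = name.rpartition(".")
        if not dot:                      # no extension at all
            base, ext = name, ""
        ext = ext.lower()
        if ext in DANGEROUS_EXTS:
            reasons.append(f"attachment has executable extension: {name}")
        if base.lower() in BAGLE_ATTACH_NAMES:
            reasons.append(f"attachment base name matches Bagle.ab list: {name}")
        if ext == "zip" and PASSWORD_HINT.search(body_text):
            reasons.append(f"zip attachment with a password mentioned in the body: {name}")

    # Assumed policy: a subject hit alone is too weak (plenty of real mail is
    # "Re: Hello"); quarantine on any attachment indicator or on two indicators.
    attachment_hit = any(r.startswith(("attachment", "zip")) for r in reasons)
    verdict = "quarantine" if attachment_hit or len(reasons) >= 2 else "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, attach_name: str, body: str) -> bytes:
    """Construct a test message (sample data, not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    for args in (("Re: Hello", "Details.zip", "The password is 12345"),
                 ("Quarterly report", "report.pdf", "See attached"),
                 ("Re: Hello", "notes.txt", "hi")):
        print(args[0], "->", score_message(build_sample(*args)))
```

The subject and name lists are copied from the advisory and are only useful against this variant; the extension and ZIP-with-password checks are what carry over to later Bagle variants, which kept the same delivery pattern.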
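The host-side and network-side indicators in the advisory (drvddll.exe and its copies in the System directory, CPLSTUB.EXE in %Windir%, the HKCU Run value, TCP port 2535 in LISTENING state, and the "/5.php" notification requests) can be checked from data an administrator already collects: directory listings, an export of the Run key, "netstat -an" output and the web proxy log. This is an added example for the thread, not McAfee's or the poster's tooling; it works on such collected data rather than touching the live system, so it runs anywhere, and every sample input below is constructed (documentation IP ranges, a Squid-style access-log layout that is an assumption about your proxy).

```python
"""Host and network indicator check for W32/Bagle.ab@MM (added example)."""
import re
from typing import Iterable
from urllib.parse import urlparse

# Files the advisory says the worm drops (compared case-insensitively).
WORM_SYSTEM32_FILES = {"drvddll.exe", "drvddll.exeopen", "drvddll.exeopenopen"}
WORM_WINDIR_FILES = {"cplstub.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "drvddll.exe"
BACKDOOR_PORT = 2535
NOTIFY_PATH = "/5.php"          # path of every notification URL in the advisory

# "netstat -an" line: proto, local address, foreign address, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
# Assumed Squid-style access log: time elapsed client code/status bytes method url ...
PROXY_LINE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+(\S+)")


def check_files(system32_listing: Iterable[str], windir_listing: Iterable[str]) -> list:
    hits = [f"system32\\{n}" for n in system32_listing if n.lower() in WORM_SYSTEM32_FILES]
    hits += [f"windir\\{n}" for n in windir_listing if n.lower() in WORM_WINDIR_FILES]
    return hits


def check_run_key(run_values: dict) -> list:
    """run_values: {value_name: data} exported from the HKCU ...\\Run key."""
    return [f"{RUN_KEY}\\{k} = {v}" for k, v in run_values.items()
            if k.lower() == RUN_VALUE or v.lower().endswith("\\" + RUN_VALUE)]


def check_listening_port(netstat_lines: Iterable[str]) -> list:
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            hits.append(line.strip())
    return hits


def check_proxy_log(log_lines: Iterable[str]) -> list:
    """Flag any client requesting /5.php on any host: the worm's 'ready' notification."""
    hits = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if m and urlparse(m.group(2)).path.lower() == NOTIFY_PATH:
            hits.append(f"{m.group(1)} -> {m.group(2)}")
    return hits


def assess(system32, windir, run_values, netstat_lines, proxy_lines) -> dict:
    """Combine the checks; host artefacts mean infected, proxy hits alone mean suspect."""
    hits = {
        "files": check_files(system32, windir),
        "run_key": check_run_key(run_values),
        "port": check_listening_port(netstat_lines),
        "proxy": check_proxy_log(proxy_lines),
    }
    if hits["files"] or hits["run_key"] or hits["port"]:
        verdict = "infected"
    elif hits["proxy"]:
        verdict = "suspect"           # the host behind that client address needs a look
    else:
        verdict = "clean"
    return {"verdict": verdict, **hits}


# Constructed sample inputs (not real captures).
SAMPLE_SYSTEM32 = ["kernel32.dll", "drvddll.exe", "drvddll.exeopen", "calc.exe"]
SAMPLE_WINDIR = ["explorer.exe", "CPLSTUB.EXE"]
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",
              "drvddll.exe": r"C:\WINNT\SYSTEM32\drvddll.exe"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:2535           0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:1234        198.51.100.5:80        ESTABLISHED",
]
SAMPLE_PROXY = [
    "1083923412.123    312 192.0.2.10 TCP_MISS/404 410 GET http://www.heise.de/5.php - DIRECT/198.51.100.7 text/html",
    "1083923415.456    120 192.0.2.11 TCP_MISS/200 5120 GET http://www.heise.de/index.html - DIRECT/198.51.100.7 text/html",
]

if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM32, SAMPLE_WINDIR, SAMPLE_RUN, SAMPLE_NETSTAT, SAMPLE_PROXY))
```

The proxy check matches on the path alone rather than on the site list because the advisory itself notes that the 5.php script does not exist on those sites; a 404 for "/5.php" from an internal client is the signal, whichever of the listed hosts it went to.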

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 10 May 2004, 10:08

Please note that the current version of ELIBAGLA.EXE, available on this website, already detects and removes this BAGLE.AB virus variant.

regards

ms, 10-05-2004