Sophos

W32/Bagle-I

Aliases
  • I-Worm.Bagle.h

Summary

Included in our products from April 2004 (3.80)
Protection available since 2 March 2004 11:32:04 (GMT)
Detected by All Sophos products

More Information

W32/Bagle-I is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm searches for files with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB and SHT.

When run, the worm copies itself to the Windows system folder as i11r54n4.exe and creates the following files in the same folder:

  • go154o.exe - the main DLL component of the worm
  • i1i5n1j4.exe - a DLL plugin used to load go154o.exe
  • i11r54n4.EXEOPEN - a copy of the worm in a password protected ZIP format

W32/Bagle-I adds the value rate.exe = <SYSTEM>\i11r54n4.exe to the registry key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-I runs every time you logon to your computer.

Emails have the following characteristics:

Subject lines:
  • Hokki =)
  • Weah, hello! :-)
  • Weeeeee! :)))
  • Hi! :-)
  • :-)
  • :)
  • ello! =))
  • Hey, ya! =))
  • ^_^ meay-meay!
  • ^_^ mew-mew (-:
  • Hey, dude, it's me ^_^ :P

Message text: randomly constructed from one of
  • Argh, i don't like the plaintext :)
  • You have won!!!
  • The access is open !!!

and one of
  • archive password: <random_password_for_the_zip_archive>
  • password: <random_password_for_the_zip_archive>
  • password -- <random_password_for_the_zip_archive>
  • pass: <random_password_for_the_zip_archive>
  • <random_password_for_the_zip_archive> -- archive password
  • ...btw, <random_password_for_the_zip_archive> is a password for archive
  • password for archive: <random_password_for_the_zip_archive>

The attached file is a randomly named ZIP archive with a name chosen from the following list:
  • Attach
  • TextDocument
  • Readme
  • Msg
  • MsgInfo
  • Document
  • Info
  • AttachedFile
  • AttachedDocument
  • TextDocument
  • Text
  • TextFile
  • Letter
  • MoreInfo
  • Message
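The subject lines, password phrases and attachment names above are enough to write a simple mail-gateway triage rule. The following Python script is an added example, not Sophos's own detection logic: it parses one raw RFC 822 message with the standard `email` library, checks the subject against the list, extracts the archive password from the body using one regular expression per phrase template, and checks whether a ZIP attachment uses one of the listed base names. The sample messages it builds are constructed for the demonstration and contain no real archive.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators copied from the W32/Bagle-I description.
BAGLE_SUBJECTS = {
    "Hokki =)", "Weah, hello! :-)", "Weeeeee! :)))", "Hi! :-)", ":-)", ":)",
    "ello! =))", "Hey, ya! =))", "^_^ meay-meay!", "^_^ mew-mew (-:",
    "Hey, dude, it's me ^_^ :P",
}
BAGLE_ATTACHMENT_STEMS = {
    "Attach", "TextDocument", "Readme", "Msg", "MsgInfo", "Document", "Info",
    "AttachedFile", "AttachedDocument", "Text", "TextFile", "Letter",
    "MoreInfo", "Message",
}
# One regex per password phrase template; group 1 captures the password.
PASSWORD_PATTERNS = [
    re.compile(r"^(?:archive )?password(?: for archive)?\s*[:-]+\s*(\S+)\s*$", re.I | re.M),
    re.compile(r"^pass:\s*(\S+)\s*$", re.I | re.M),
    re.compile(r"^(\S+)\s+--\s+archive password\s*$", re.I | re.M),
    re.compile(r"^\.\.\.btw,\s+(\S+)\s+is a password for archive\s*$", re.I | re.M),
]


def triage_message(raw: bytes) -> dict:
    """Return the Bagle-I indicators found in one raw message plus a 0-3 score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "password": None, "zip_attachment": None}

    if (msg["subject"] or "").strip() in BAGLE_SUBJECTS:
        hits["subject"] = True

    # Only the plain-text body carries the password line.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for pat in PASSWORD_PATTERNS:
        m = pat.search(text)
        if m:
            hits["password"] = m.group(1)
            break

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "zip" and stem in BAGLE_ATTACHMENT_STEMS:
            hits["zip_attachment"] = name
            break

    hits["score"] = sum(1 for v in (hits["subject"], hits["password"], hits["zip_attachment"]) if v)
    return hits


def build_sample(subject: str, body_text: str, attachment_name: str) -> bytes:
    """Construct a test message (constructed data; the attachment is not a real ZIP)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body_text)
    msg.add_attachment(b"PK\x03\x04 placeholder bytes, not an archive",
                       maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample("Hi! :-)", "You have won!!!\n\npass: zxc123\n", "Msg.zip")
    benign = build_sample("Quarterly report", "Attached is the report.\n", "report.zip")
    print(triage_message(suspicious))
    print(triage_message(benign))
```

A score of 3 (matching subject, password phrase and listed ZIP name) is a strong match for this worm's mails; a password phrase alone is the most durable of the three indicators, since later Bagle variants reused the password-protected ZIP trick with different subject and attachment lists.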

W32/Bagle-I opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-I also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.
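The Run value and the listening port are the two host-side indicators a responder would check first. The script below is an added example, not part of the Sophos description: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and of `netstat -ano` (both Windows built-ins) and flags the `rate.exe` value, any Run entry pointing at one of the dropped file names, and a TCP listener on port 2745. The two sample outputs embedded in it are constructed for the demonstration; the PIDs and paths in them are placeholders.

```python
import re

# Indicators from the W32/Bagle-I description: dropped files, Run value name, backdoor port.
SYSTEM_FOLDER_FILES = {"i11r54n4.exe", "go154o.exe", "i1i5n1j4.exe", "i11r54n4.exeopen"}
RUN_VALUE_NAME = "rate.exe"
BACKDOOR_PORT = 2745

# One value line of `reg query ...\Run`:   <value name>    <REG_type>    <data>
_REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$")
# Pulls the executable file name out of the data column, ignoring quotes and arguments.
_EXE_NAME = re.compile(r'([^\\/"\s]+\.(?:exeopen|exe))', re.I)
# One line of `netstat -ano` on Windows:  TCP  <local>  <foreign>  LISTENING  <pid>
_NETSTAT_LINE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$", re.I)


def find_run_persistence(reg_query_output: str) -> list:
    """Return Run values that match the worm's value name or point at a dropped file."""
    hits = []
    for line in reg_query_output.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        exe = _EXE_NAME.search(data)
        exe_name = exe.group(1).lower() if exe else ""
        if name.lower() == RUN_VALUE_NAME or exe_name in SYSTEM_FOLDER_FILES:
            hits.append({"name": name, "data": data})
    return hits


def find_backdoor_listener(netstat_output: str) -> list:
    """Return TCP listeners on the backdoor port, with the owning PID."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        _, _, port = m.group("local").rpartition(":")   # also handles [::]:port
        if port.isdigit() and int(port) == BACKDOOR_PORT:
            hits.append({"local": m.group("local"), "pid": int(m.group("pid"))})
    return hits


# Constructed sample output (placeholder user name, PIDs and paths).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    rate.exe    REG_SZ    C:\WINDOWS\system32\i11r54n4.exe
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1688
  TCP    192.0.2.10:49201       198.51.100.7:443       ESTABLISHED     4120
"""

if __name__ == "__main__":
    print("Run key hits:", find_run_persistence(SAMPLE_REG_QUERY))
    print("Port 2745 listeners:", find_backdoor_listener(SAMPLE_NETSTAT))
```

On a live host the two strings would come from `subprocess.run(["reg", "query", ...], capture_output=True, text=True).stdout` and the equivalent `netstat -ano` call; the PID returned for the listener is the process to inspect and stop before removing the Run value.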

W32/Bagle-I attempts to terminate several anti-virus and security-related processes:
  • ATUPDATER.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • AVLTMAIN.EXE

W32/Bagle-I searches mapped drives for folders containing the string "shar" in the folder name. If such a folder is found, the worm copies itself to the folder using the following names (each copy is a Windows PE executable):
  • ACDSee 9.exe
  • Adobe Photoshop 9 full.exe
  • Ahead Nero 7.exe
  • Matrix 3 Revolution English Subtitles.exe
  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Opera 8 New!.exe
  • Porno Screensaver.scr
  • Porno pics arhive, xxx.exe
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Serials.txt.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • WinAmp 6 New!.exe
  • Windown Longhorn Beta Leak.exe
  • Windows Sourcecode update.doc.exe
  • XXX hardcore images.exe
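Because the lure names are fixed, a file-server sweep for them is a cheap way to find copies the worm has already dropped. The following Python script is an added example and not Sophos's own tooling: it walks a directory tree and reports files with one of the listed names that sit under a folder whose name contains "shar", a superset of the worm's own rule (which copies directly into such folders), with an option to match the names anywhere. The demonstration tree it builds consists of empty placeholder files, not worm copies.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Lure file names from the W32/Bagle-I description, lower-cased because
# Windows file names are compared case-insensitively.
BAGLE_LURE_NAMES = {name.lower() for name in (
    "ACDSee 9.exe", "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Opera 8 New!.exe", "Porno Screensaver.scr", "Porno pics arhive, xxx.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Serials.txt.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
)}


def find_bagle_lures(root: Path, require_share_name: bool = True) -> list:
    """Walk `root` and return paths whose file name is a Bagle-I lure.

    With require_share_name=True only files below a folder whose name contains
    "shar" (the worm's targeting rule) are reported; with False, any folder.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = Path(dirpath).relative_to(root).parts
        under_share = any("shar" in part.lower() for part in rel_parts)
        if require_share_name and not under_share:
            continue
        for fn in filenames:
            if fn.lower() in BAGLE_LURE_NAMES:
                hits.append(Path(dirpath) / fn)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Construct a throwaway tree: two lures under a share folder, one elsewhere
    (all zero-byte placeholders created for the demonstration)."""
    root = Path(tempfile.mkdtemp(prefix="bagle-demo-"))
    (root / "Shared" / "music").mkdir(parents=True)
    (root / "Docs").mkdir()
    (root / "Shared" / "notes.txt").write_text("benign file\n")
    (root / "Shared" / "Serials.txt.exe").write_bytes(b"")
    (root / "Shared" / "music" / "WinAmp 6 New!.exe").write_bytes(b"")
    (root / "Docs" / "Opera 8 New!.exe").write_bytes(b"")   # lure name, no "shar" folder
    return root


def remove_sample_tree(root: Path) -> None:
    """Delete the demonstration tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_sample_tree()
    for path in find_bagle_lures(demo):
        print("share lure:", path)
    print("anywhere:", len(find_bagle_lures(demo, require_share_name=False)), "hits")
    remove_sample_tree(demo)
```

Point `find_bagle_lures` at a mapped drive or the root of a file share to sweep it; every hit should be quarantined rather than opened, since a user double-clicking one of these names is exactly how the worm spreads from a share.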

If the date is after 25 March 2005, W32/Bagle-I terminates itself and deletes all the registry entries it created.
