W32/Bagle.C@mm
Detection files published: 28 Feb. 2004
Description created: 2004-02-28
Description updated: 2004-02-28
Payload: Backdoor, terminates AV update processes
Summary
This is an email worm. The file size is 15872 bytes (UPX packed) or 28160 bytes (unpacked). It removes itself if the date is later than March 14th 2004.
Spreading description
Email characteristics:
Subject: (variable)
Body: (none)
Attachment: [random letters].zip
When run, this worm copies itself to the Windows System directory as [SYSTEM]\readme.exe. It also extracts and installs two other files:
[SYSTEM]\onde.exe
[SYSTEM]\doc.exe
These are additional components of the worm.
ONDE.EXE (18944 bytes) contains the main worm functionality, as well as a backdoor.
DOC.EXE (1536 bytes) is a program that loads ONDE.EXE as a DLL.
ONDE.EXE creates a mutex called imain_mutex to avoid being loaded twice.
Registry keys created by the worm:
HKCU\SOFTWARE\DateTime2 port = [listen port]
HKCU\SOFTWARE\DateTime2 frun = 1
HKCU\SOFTWARE\DateTime2 uid = [random no.]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gouday.exe = [SYSTEM]\readme.exe
The worm contains its own SMTP engine and sends itself to addresses found on the local computer. These addresses are harvested from files with the extensions .wab, .txt, .htm, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb and .sht.
Mail subjects are composed from the following:
Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee
The attachment is a zip file with a random-letter file name.
Once the worm has installed itself, it opens a Notepad window and exits.
Threat description
The worm installs a backdoor on the computer, which listens by default on port 2745. This backdoor can, for example, be used to upload and execute a program.
It attempts to contact the following web sites:
http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php
It accesses these web addresses with the user ID and port number as parameters; that way the attacker can log who is vulnerable and on which port.
It also looks for and terminates the following processes:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
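A host-side check for the indicators described above, written here as an added example in PowerShell (not Norman's code). It assumes a modern Windows PowerShell where Get-NetTCPConnection is available, and inspects the dropped files, the DateTime2 and Run registry values, the imain_mutex mutex and a listener on the backdoor port; the Test-BagleC function name is the example's own.

```powershell
# Added example: look for the W32/Bagle.C@mm artifacts listed in the description.
# Run in an elevated session; Get-NetTCPConnection requires Windows 8 / Server 2012 or later.
function Test-BagleC {
    $findings = @()
    $system = [Environment]::GetFolderPath('System')

    # Files the worm drops into the Windows System directory
    foreach ($name in 'readme.exe', 'onde.exe', 'doc.exe') {
        $path = Join-Path $system $name
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $findings += "file: $path ($size bytes)"
        }
    }

    # Values the worm writes under HKCU\SOFTWARE\DateTime2 (port, frun, uid)
    $dtKey = 'HKCU:\SOFTWARE\DateTime2'
    $dt = $null
    if (Test-Path $dtKey) {
        $dt = Get-ItemProperty -Path $dtKey
        $findings += "registry: $dtKey port=$($dt.port) frun=$($dt.frun) uid=$($dt.uid)"
    }

    # Autostart value Gouday.exe pointing at the dropped readme.exe
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Gouday.exe' -ErrorAction SilentlyContinue
    if ($run) { $findings += "autostart: $runKey\Gouday.exe = $($run.'Gouday.exe')" }

    # Mutex that prevents a second instance; OpenExisting throws when it is absent
    try { ([System.Threading.Mutex]::OpenExisting('imain_mutex')).Dispose(); $findings += 'mutex: imain_mutex present' }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }
    catch [System.UnauthorizedAccessException] { $findings += 'mutex: imain_mutex present (access denied)' }

    # Backdoor listener: default port 2745, plus whatever port the registry records
    $ports = @(2745)
    if ($dt -and $dt.port) { $ports += [int]$dt.port }
    foreach ($port in ($ports | Sort-Object -Unique)) {
        $conn = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        if ($conn) { $findings += "listener: TCP port $port owned by PID $($conn.OwningProcess)" }
    }

    return $findings
}

$result = @(Test-BagleC)
if ($result.Count -eq 0) { 'No W32/Bagle.C@mm indicators found.' } else { $result }
```

A hit on any single indicator is worth investigating; the file sizes reported can be compared against the 15872/28160-byte worm body and the 18944-byte ONDE.EXE and 1536-byte DOC.EXE components given above.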
Removal
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.