Topic: W32/Bagle-AF

[Clive]

Type
Win32 worm
 
Sophos has received many reports of this worm from the wild.
 
 
Description
W32/Bagle-AF is a member of the W32/Bagle family of email worms.
W32/Bagle-AF spreads by email. The email addresses are collected from files on the computer containing the following file extensions:

WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP.

W32/Bagle-AF uses its own internal SMTP engine to spread.

The worm sends a HTML based email with the following characteristics:

Sender:

The sender address is always spoofed.

Attachment Name:

The basename of the attachment is choosen from the following list:

Information
Details
text_document
Updates
Readme
Document
Info
Details
Message

W32/Bagle-AF is able to send itself as an encrypted ZIP file, a CPL file or a normal executable file with the extension EXE, COM or SCR.

Subject line:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Mesage text:

When the worm arrives in an unencrypted (i.e directly executable) file the message text is one of the following:

Read the attach.
Your file is attached.
More info is in attach.
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

When the worm attaches itself as an encrypted file the password is included in the email as an bitmap image and the message text is one of the following:

For security reasons attached file is password protected.
The password is <bitmap file>

For security purposes the attached file is password protected.
Password -- <bitmap file>

Attached file is protected with the password for security reasons.
Password is <bitmap file>

In order to read the attach you have to use the following
password: <bitmap file>

Note: Use password <bitmap file> to open archive

Archive password: <bitmap file>

Password - <bitmap file>

Password: <bitmap file>

The ZIP file contains an executable with the extensions EXE, COM or SCR and
a benign text file with one of the extensions INI, CFG, TXT, VXD, DEF OR DLL.

The worm the tries to remove registry run entries for several security
and anti-virus related products. The following entries are removed from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run if they exist:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

W32/Bagle-AF copies itself to the Windows system folder and creates a registry entry to run itself on startup under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

W32/Bagle-AF then creates copies of itself in all folders containing the substring SHAR on all drives. The worm uses the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
 
http://www.sophos.com/virusinfo/analyses/w32bagleaf.html

[Clive]

New Bagle opens another spam backdoor
Robert Lemos
CNET News.com
July 16, 2004, 08:35 BST
 
Unknown online vandals with an apparent connection to spam email have created a new version of the Bagle computer worm that has spread somewhat successfully in the past 24 hours, antivirus companies said on Thursday.    

The mass-mailing computer virus, dubbed Bagle.AF or Beagle.AB by different security firms, opens a path for intruders to relay bulk email messages through the infected computer and attempts to contact one of almost 150 compromised German Web sites to let the attackers know of their latest conquest.

"It certainly is successful," said Oliver Friedrichs, senior manager for antivirus firm Symantec's security response centre. "It is definitely comparable to threats that we saw earlier this year such as MyDoom."

Symantec raised the virus to a threat rating of three on its five-point scale, while rival antivirus firm McAfee -- formerly Network Associates -- gave the program a medium danger rating.

The latest incarnation of the Bagle virus is largely a copy of previous versions of the program, Friedrichs said. The first worm in the Bagle line started infecting computers in January.

Bagle.AF arrives in email as an attached file and infects computers running the Windows operating system if the user opens the file. The program attempts to halt more than 250 security applications from running on the computer, mails itself to any email address it can find on the computer, and contacts one of 141 German Web sites, twice the number that a previous version of the virus contacted. The diverse range of Web sites have probably been compromised by online vandals, leaving behind software to record which computers have been infected by the Bagle worm.

With that information, the vandals can use the compromised computers to spread spam, or sell the information to spammers, Friedrichs said. The virus leaves open a backdoor specifically for that purpose.

Increasingly, computer viruses are used to spread software that surreptitiously converts computers to an attacker's purpose. Such "bot" software can be used by spammers and more dangerous online denizens to disrupt access to Web sites or collect personal financial information.

And while the latest Bagle worm uses an old method of spreading itself, it's still effective. Symantec has had almost 175 reports of infections, Friedrichs said.

"I think what we are seeing is that these threats will continue to be successful because people are continuing to trust attachments and continuing to click on them," he said. "Really, the human factor is the weakest link that is allowing these worms to be so successful."

 

[TR]

AVG virus removal tool >>

http://www.grisoft.com/us/us_remtext.php?id=bagbugnet

Virus Removal utilities and Handbooks
BackDoor.Agent, I-Worm/Atak.B, I-Worm/Bagle.A-Z, I-Worm/Bugbear.C-D, I-Worm/Netsky.A-Z, AA-AC, I-Worm/Sasser.A-F, PSW.Bispy.A-C