Virus Database

I-Worm.Bagle.c

Description I-Worm.Bagle.c
This worm spreads via the Internet in the form of an attachment to infected emails.
The worm itself is a PE EXE file of approximately 15KB, compressed using UPX. The size of the decompressed file is approximately 28KB.
Characteristics of infected messages
Message header:
Accounts department
Ahtung!
Camila
Daily activity report
Flayers among us
Freedom for everyone
From Hair-cutter
From me
Greet the day
Hardware devices price-list
Hello my friend
Hi!
Jenny
Jessica
Looking for the report
Maria
Melissa
Monthly incomings summary
New Price-list
Price
Price list
Pricelist
Price-list
Proclivity to servitude
Registration confirmation
The account
The employee
The summary
USA government abolishes the capital punishment
Weekly activity report
Wellall
You are dismissed
You really love me? he he
Message body:
Empty.
Attachment:
A ZIP file with a random name, with a file size of 15994 bytes. The zipped file contains an EXE file with a random name and and Excel icon.
Installation
Once launched, the worm copies itself and all components to the Windows system directory under the names 'readme.exe', 'onde.exe', doc.exe' and 'readme.exeopen' and then registers 'readme.exe' in the system registry auto-run key:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
"gouday.exe" = "%system% eadme.exe"]
Also creates the following registry key:
[HKCUSOFTWAREDataTime2]
and saves its variables there.
The worm attempts to connect to a number of remote sites, storing information about the infected machine on theses sites.
Bagle.c executes the default Windows 'Notepad' program, notepad.exe, tricking users into believing the program they just executed "does something".
Propagation
The worm searches for files with the following extensions:
adb
asp
cfg
dbx
eml
htm
html
mdx
mmf
nch
ods
php
pl
sht
txt
wab
and send itself to all email addresses found in these files. The worm uses its own SMTP server to send email.
Remote administration
The worm opens and monitors port 2745. A backdoor function means that commands can then be executed and files can be downloaded on the victim computer, with all of this being done from a remote location.
Other
The worm attempts to block antivirus database updates by terminating the following processes:
ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
Bagle.c is programmed to stop propagating after March 14, 2004.

Check other viruses! Be aware! Use Antiviral Software

I-Worm.BadtransII

Description I-Worm.BadtransII

This is a worm that spreads under Win32 systems. The virus sends e-mail messages with infected files attached, as well as installs a spying Trojan component to steal information from infected systems. The worm was discovered in-the-wild in November 2001.
The worm itself is a Win32 executable file (PE EXE file). It was found in-the-wild in compressed form, and is about 29Kb in size. Upon being decompressed, the worm file length becomes about 60Kb in size.
The worm consists of two main components, the Worm and Trojan. The "Worm" component sends infected messages, and the "Trojan" component sends out information (user's info, RAS data, cached passwords, keyboard log) from infected computers to a specified e-mail address. It also keeps a "keylogger" program body in its code, and installs it into the system while infecting a new machine.
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gains control through an IFRAME security breach), the worm code gains control. First of all, it drops (installs) its components to the system and registers in the system registry.
The installed Trojan file-name, the target directory and registry key are optional. They are stored in encrypted form in the Trojan file at the file end. A hacker may configure them before sending them to a victim's machine, or before putting it on a Web site.
The worm also drops an additional keyboard hooker (Win32 DLL file) to the system, and then uses this to spy on text entered by a keyboard. The DLL file name is optional as well.
Other optional features are:
- the worm deletes original infected file when installation is complete
- the size of keyboard log file

Spreading
To send infected messages, the worm uses a direct connection to an SMTP server. A victim's e-mail addresses are obtained in two different ways:
#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from here
#2. The worm, using MAPI functions, reads all e-mail from the incoming box, and obtains e-mail addresses from here.

Next, the worm sends infected messages. The message body contains HTML format, and uses an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are as follows:
From: - original sender, or fake address, randomly selected from:
" Anna"
"JUDY"
"Rita Tulliani"
"Tina"
"Kelly Andersen"
" Andy"
"Linda"
"Mon S"
"Joanna"
"JESSICA BENAVIDES"
" Administrator"
" Admin"
"Support"
"Monika Prado"
"Mary L. Adams"
" Anna"
"JUDY"
"Tina"

The original sender address is a bit modified: the "_" character is inserted before the e-mail address in there, for example:
"John K. Smith" "Vasja Pupkin" - original address
"John K. Smith" <_john123@yahoo.com> "Vasja Pupkin" <_vasyap@rambler.ru> - sent by worm

Subject: empty, or "Re:", or "Re:" followed by original Subject from real Inbox messsage (see #2 above)
Body: empty
Attachment: randomly selected "filename + ext1 + ext2" where:
"Filename":
Pics (or PICS ) Card (or CARD)
images (or IMAGES) Me_nude (or ME_NUDE)
README Sorry_about_yesterday
New_Napster_Site info
news_doc (or NEWS_DOC) docs (or DOCS)
HAMSTER Humor (or HUMOR)
YOU_are_FAT! (or YOU_ARE_FAT!) fun (or FUN)
stuff SEARCHURL
SETUP S3MSONG

"ext1": .DOC .ZIP .MP3
"ext2": .scr, .pif

For example: "info.DOC.scr"
The worm doesn't send infected messages twice to the same address. To do this, it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL file, and checks this file content before sending a new message.
Spying Trojan
This routine stores stolen information to a log file (with an optional name), and encrypts this information with a key (also optional). After a period of time, this information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and these messages are sent through (email + server):
ZVDOHYIK@yahoo.com mx2.mail.yahoo.com
udtzqccc@yahoo.com mx2.mail.yahoo.com
DTCELACB@yahoo.com mx2.mail.yahoo.com
I1MCH2TH@yahoo.com mx2.mail.yahoo.com
WPADJQ12@yahoo.com mx2.mail.yahoo.com
fjshd@rambler.ru mail5.rambler.ru
smr@eurosport.com mail.ifrance.com
bgnd2@canada.com mail.canada.com
muwripa@fairesuivre.com fs.cpio.com
rmxqpey@latemodels.com inbound.latemodels.com.criticalpath.net
eccles@ballsy.net inbound.ballsy.net.criticalpath.net
suck_my_prick@ijustgotfired.com mail.monkeybrains.net
suck_my_prick4@ukr.net mail.ukr.net
thisisno_fucking_good@usa.com usa-com.mr.outblaze.com
S_Mentis@mail-x-change.com mail-fwd.rapidsite.net
YJPFJTGZ@excite.com mta.excite.com
JGQZCD@excite.com mta.excite.com
XHZJ3@excite.com mta.excite.com
OZUNYLRL@excite.com mta.excite.com
tsnlqd@excite.com mta.excite.com
cxkawog@krovatka.net imap.front.ru
ssdn@myrealbox.com smtp.myrealbox.com

Found In-The-Wild
This worm variant found in-the-wild on November 24, 2001 has the following options:
It installs itself to a Windows system directory with the KERNEL32.EXE name, and registers it in the following registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce Kernel32 = kernel32.exe
It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system directory with the CP_25389.NLS name.

I-Worm.Bagle.a

Description I-Worm.Bagle.a
This worm spreads via the Internet in an attachment to infected emails.
The worm itself is a Window PE EXE file of approximately 15KB.
Messages sent by the worm have the following characteristics:
From:
random sender
Subject:
Hi
Body:
Test =)
Signature:
Test, yep
Attach:
random name
Installation
The worm is activated only if a user clicks on the attached file. When installing, the worm copies itself to the system directory under the name &apos;bbeagle.exe&apos; and registers this file in the system registry auto-run key:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]
"d3dupdate.exe" = "%system%beagle.exe"
The worm will also run the Windows application calc.exe.
The worm attempts to connect to several remote sites relating to TrojanProxy.Win32.Mitglieder.
Replication
The worm looks for files with the extensions wab, txt, htm, html, r1 and scans them for email-like text strings, then sends infected messages to the email addresses found.
The worm uses an SMTP engine to send infected messages.
Backdoor function
The worm opens port 6777 to listen for commands. The backdoor function allows the attacker to download files and execute commands on the infected computer.
Other
If the system date is later than 28th January 2004, the worm will not have any effect.

Home