I-Worm.Bagle.s
Description

Bagle.s is an Internet worm spreading as an attachment to infected emails. The worm is a PE EXE file about 8 KB in size. Bagle.s is compressed by FSG and the unpacked file is about 37 KB in size.

Infected messages have the following characteristics:

Sender address: random
Subject: none
Body: empty
Attachment name: random characters
Attachment file type: .exe

Installation

After launch Bagle.s copies itself into the Windows system registry as gigabit.exe and registers this file in the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe" = "%system%\gigabit.exe"

Bagle.s then creates the key:

[SOFTWARE\Windows2004]
"gsed"

where it stores its variables. Bagle.s also launches mshearts.exe - The Microsoft Hearts Network.

Finally, Bagle.s attempts to connect to several remote sites and store ID information from the infected machine on these sites.

Propagation

Bagle.s searches disks for files with the following extensions:

adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml

and sends copies of itself to all email addresses detected in these files using an inbuilt SMTP engine.

Remote Administration

Bagle.s opens and monitors port 4751. The inbuilt backdoor function allows the master to:

Execute commands
Download files
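A host check for the installation and backdoor traces described above, as an added example that is not part of the original description: it parses `reg query` and `netstat -an` output and reports the autorun entry, the "gsed" state value and a listener on port 4751. The function names and the sample input are constructed for illustration, and the registry paths are assumed to be written with their backslashes.

```python
import re

# Indicators as stated in the Bagle.s description above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
STATE_KEY_SUFFIX = r"\software\windows2004"
DROPPED_NAME = "gigabit.exe"
BACKDOOR_PORT = 4751

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():            # unindented line is a key path
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3 and parts[1].startswith("REG_"):
                current[parts[0]] = parts[2]
    return keys

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state from `netstat -an` output."""
    rows = (line.split() for line in netstat_text.splitlines())
    return {int(f[1].rsplit(":", 1)[1]) for f in rows
            if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING"}

def find_bagle_s(reg_text, netstat_text):
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        if key.lower().endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if DROPPED_NAME in (name.lower(), data.lower().rsplit("\\", 1)[-1]):
                    findings.append(f"autorun entry: {key} -> {data}")
        if key.lower().endswith(STATE_KEY_SUFFIX) and "gsed" in values:
            findings.append(f"state value gsed under: {key}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"listener on TCP {BACKDOOR_PORT}")
    return findings

# Constructed sample input (the hive of the second key and all paths are made up).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE
    gigabit.exe    REG_SZ    C:\WINDOWS\system32\gigabit.exe
HKEY_CURRENT_USER\SOFTWARE\Windows2004
    gsed    REG_BINARY    00
"""
SAMPLE_NETSTAT = "  TCP    0.0.0.0:4751    0.0.0.0:0    LISTENING\n"
```

Calling `find_bagle_s(SAMPLE_REG, SAMPLE_NETSTAT)` returns one finding per trace; a port such as 47510, or an outbound connection to remote port 4751, is not reported as the listener.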
Chukcha Family
Description

These are non-dangerous, non-memory-resident parasitic viruses. They search for COM files and write themselves to the beginning of those files. They display messages in Russian.
Cicada
Description

It is a dangerous memory-resident boot virus. It hooks INT 13h and writes itself into the MBR of the hard drive and the boot sectors of floppy disks. On July 10th it erases the hard drive sectors and displays:

[Banner: block-letter title (not recoverable) with an inset box reading "Golden Cicada Virus! Version Pro. June 10, 1994."]

Something wonderful was happened! Your PC is now Stoned! And your
PC was out of order that all the doctor's efforts were in vain! Ha!
Ha! Ha! Ha! Serve you right!! I dont' want to damage your hard disk!
Butallwrite some trash into your hard disk now!! Well! Beware of this
virus, don't copy software without any payments! Okay! Goodbye!!....

Golden Cicada Virus Version Pro. (C) Copyright CVEX Corp.,1994. All rights reserved. Made in Taiwan!
[Note: some characters not displayable in HTML]