Virus Profile: W32/Bagz.a@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/5/2005
Date Added: 10/6/2004
Origin: N/A
Length: N/A
Type: Virus
Subtype: Email
DAT Required: 4397

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases:

    • Avira     - TR/Agent.mtv
    • Kaspersky - Trojan-Spy.Win32.Agent.bazy
    • Norman    - W32/EMailWorm.DUT
    • Symantec  - Downloader

Indication of Infection

    • Existence of the files and registry keys listed under Virus Characteristics
    • Presence of an unexpected network connection to the IP address 192.168.[removed].2 on port 53

Methods of Infection

This worm propagates via email, constructing messages with its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.

Virus Characteristics

System Changes

Upon execution the virus copies itself to the following locations:

    • %WinDir%\csrss.exe
    • %UserProfile%\csrss.exe

It also drops another file in the following location:

    • %WinDir%\System32\lsasvc.exe

It registers a Run entry so that the process is launched again after reboot:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Windows Update"= "%Userprofile%\csrss.exe"

The virus enumerates shared resources and harvests email addresses from the victim machine.

It constructs messages using its own SMTP engine, attaching itself as an EXE (sometimes within a ZIP archive).

The virus uses the following subjects for the email messages:

    • 192.168.1.12| WinXp
    • 192.168.1.12| Win2003
    • 192.168.1.12| Unkown
    • 192.168.1.12| WinVista
    • 192.168.1.12| WinNt
    • 192.168.1.12| Win2000

The lsasvc.exe file is installed as a service on the victim machine, with the following properties:

    • Display Name: Microsoft LSA Logon Authorization Service
    • Image Path: %WinDir%\System32\LSASvc.exe

The service is installed to start automatically at system startup.

These are the defaults for typical path variables (they may differ, but these are common examples): %WinDir% is the Windows directory, for example C:\Windows, and %UserProfile% is C:\Documents and Settings\Administrator.
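As an added example (not part of the McAfee profile), the following PowerShell sweep checks a host for the indicators listed above: the dropped files, the "Windows Update" Run value, the bogus LSA service, and established TCP connections to remote port 53. The function name and output format are my own; the service name is not given in the profile, so the service is matched on its display name and image path.

```powershell
# Added example: sweep a Windows host for W32/Bagz.a@MM indicators.
# Requires an elevated session; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
function Test-BagzIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Dropped files. The legitimate csrss.exe lives only in %WinDir%\System32,
    #    so a copy directly under %WinDir% or in the user profile is suspicious.
    $paths = @(
        (Join-Path $env:WinDir 'csrss.exe'),
        (Join-Path $env:UserProfile 'csrss.exe'),
        (Join-Path $env:WinDir 'System32\lsasvc.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $findings += "File present: $p"
        }
    }

    # 2. Run-key persistence: value "Windows Update" pointing at a csrss.exe copy.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Windows Update'
    if ($runVal -and $runVal -match 'csrss\.exe') {
        $findings += "Run entry 'Windows Update' -> $runVal"
    }

    # 3. The fake "Microsoft LSA Logon Authorization Service" backed by LSASvc.exe.
    $filter = "PathName LIKE '%lsasvc.exe%' OR DisplayName='Microsoft LSA Logon Authorization Service'"
    foreach ($s in (Get-CimInstance Win32_Service -Filter $filter -ErrorAction SilentlyContinue)) {
        $findings += "Service $($s.Name) [$($s.StartMode)] -> $($s.PathName)"
    }

    # 4. Established TCP connections to remote port 53 (UDP is not covered here);
    #    a non-DNS process talking on port 53 matches the profile's network indicator.
    Get-NetTCPConnection -RemotePort 53 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += "TCP to $($_.RemoteAddress):53 by PID $($_.OwningProcess) ($($proc.ProcessName))"
        }

    return $findings
}

Test-BagzIndicators
```

An empty result means none of the listed indicators were found; any line returned should be confirmed with current engine and DAT files before cleaning.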

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations