Description
This is a detection for a mass-mailing worm of the W32/Bagle family (see Aliases below). Worms are programs that self-replicate recursively: each infected system spreads the worm to other systems, which then propagate it further. While many such programs carry a destructive payload, it is quite common for them to do nothing more than spread from one system to another; this one additionally terminates security software, opens a backdoor and attempts to fetch a file from the web, as described below.
Indication of Infection
When executed, the worm installs itself into the Windows system folder as WINGO.EXE. For example:
- C:\WINNT\SYSTEM32\WINGO.EXE
The following Registry value is added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE
The following Registry key is also created; the worm stores its data in it under the name "TimeKey":
- HKEY_CURRENT_USER\Software\Params
Additionally, the worm may make multiple copies of itself in the Windows system directory, with the string "open" appended to the filename once more for each further copy. For example:
- C:\WINNT\SYSTEM32\WINGO.EXEOPEN
- C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN
- etc
TCP port 81 is also opened on the victim machine (see BackDoor Component below).
A mutex is created to ensure only one instance of the worm runs at a time. The mutex name is one of the following; these names belong to particular variants of W32/Netsky, so holding one of them also stops that variant from running on the infected machine:
- {z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
- 'D'r'o'p'p'e'd'S'k'y'N'e't'
- _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
- [SkyNet.cz]SystemsMutex
- AdmSkynetJklS003
- ____--->>>>U<<<<--____
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Methods of Infection
Mail Propagation
The worm constructs outgoing messages with its own SMTP engine. Target email addresses are harvested from files on the victim machine with the following extensions:
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
Outgoing messages are constructed with varying subject lines, message bodies and attachment filenames.
The From: address is spoofed, so the apparent sender is not the infected machine.
Subject:
The subject line is one of the following:
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
Message Body:
The message body will be one of the following:
Attachment:
The attachment is an executable with one of the following names:
and one of the following extensions:
The worm does not mail itself to email addresses containing any of the following strings (matched as substrings, so legitimate addresses that happen to contain one are also skipped):
- @hotmail
- @msn
- @microsoft
- rating@
- f-secur
- news
- update
- anyone@
- bugs@
- contract@
- feste
- gold-certs@
- help@
- info@
- nobody@
- noone@
- kasp
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- sopho
- @foo
- @iana
- free-av
- @messagelab
- winzip
- google
- winrar
- samples
- abuse
- panda
- cafee
- spam
- pgp
- @avp.
- noreply
- local
- root@
- postmaster@
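The target-selection logic just described (search files by extension, pull out addresses, drop any that contain a skip string) reproduced offline as an added example. This is not the worm's code and the advisory does not document its address parser, so the EMAIL_RE pattern, the file names and their contents below are assumptions constructed for the demonstration; only the extension list and the skip list are taken from the page.

```python
import os
import re
import tempfile

# Extensions the worm searches for addresses (list from the advisory).
HARVEST_EXTENSIONS = {
    ".wab", ".txt", ".msg", ".htm", ".shtm", ".stm", ".xml", ".dbx", ".mbx",
    ".mdx", ".eml", ".nch", ".mmf", ".ods", ".cfg", ".asp", ".php", ".pl",
    ".wsh", ".adb", ".tbb", ".sht", ".xls", ".oft", ".uin", ".cgi", ".mht",
    ".dhtm", ".jsp",
}

# Addresses containing any of these substrings are not mailed (advisory list).
SKIP_SUBSTRINGS = [
    "@hotmail", "@msn", "@microsoft", "rating@", "f-secur", "news", "update",
    "anyone@", "bugs@", "contract@", "feste", "gold-certs@", "help@", "info@",
    "nobody@", "noone@", "kasp", "admin", "icrosoft", "support", "ntivi",
    "unix", "bsd", "linux", "listserv", "certific", "sopho", "@foo", "@iana",
    "free-av", "@messagelab", "winzip", "google", "winrar", "samples", "abuse",
    "panda", "cafee", "spam", "pgp", "@avp.", "noreply", "local", "root@",
    "postmaster@",
]

# Assumed address pattern; the worm's own parser is not documented on the page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(root):
    """Collect addresses from every file under root whose extension is searched."""
    found = set()
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in HARVEST_EXTENSIONS:
                continue
            try:
                with open(os.path.join(dirpath, fn), encoding="latin-1") as fh:
                    found.update(EMAIL_RE.findall(fh.read()))
            except OSError:
                continue
    return found


def is_skipped(address):
    """True if the worm would refuse to mail this address (case-insensitive substring test)."""
    low = address.lower()
    return any(s in low for s in SKIP_SUBSTRINGS)


def select_targets(addresses):
    """Addresses the worm would actually send to, sorted for stable output."""
    return sorted(a for a in addresses if not is_skipped(a))


def demo():
    """Write a few constructed files (not real data) and return (harvested, targets)."""
    files = {
        "inbox.txt": "From: alice@example.com\nTo: sysadmin@example.org, bob@hotmail.com\n",
        "page.htm": '<a href="mailto:carol@example.net">Carol</a> and kasper@example.com',
        "notes.doc": "dave@example.com",  # .doc is not in the searched extensions
        "readme.cfg": "contact support@vendor.example for help",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in files.items():
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(text)
        harvested = harvest_addresses(root)
    return sorted(harvested), select_targets(harvested)


if __name__ == "__main__":
    print(demo())
```

Note how crude the filter is: "kasper@example.com" is dropped because it contains "kasp", just as "sysadmin@" and "support@" are. The skip list is aimed at keeping samples away from anti-virus vendors and administrators, which is also why those mailboxes are a poor place to wait for the worm to show up.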
P2P Propagation
The worm copies itself, under enticing filenames, into folders on the victim machine whose names contain the string 'shar' (typically peer-to-peer shared folders). The following filenames are used:
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
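A scanner for the file artifacts from the Indication of Infection and P2P Propagation sections above, added here as an example; it is not code from the advisory or from the worm. The WINGO.EXE pattern generalises the "OPEN", "OPENOPEN", etc. suffixes with a regular expression, the share scan matches 'shar' anywhere in the folder path below the scan root, and the directory tree built by demo() is constructed for the demonstration (placeholder files, not samples). check_registry() looks for the Run value and the HKCU\Software\Params key described above; it only does anything on Windows and is an assumption on my part, not something the page verified.

```python
import os
import re
import tempfile

# "Indication of Infection": WINGO.EXE in the system folder, possibly with
# the string "open" appended one or more times (WINGO.EXEOPEN, ...OPENOPEN).
WINGO_RE = re.compile(r"^wingo\.exe(?:open)*$", re.IGNORECASE)

# "P2P Propagation": names the worm uses when copying itself into folders
# whose name contains 'shar' (list from the advisory).
P2P_DROP_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr",
    "Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
}
_DROP_NAMES_LOWER = {n.lower() for n in P2P_DROP_NAMES}


def scan_system_dir(system_dir):
    """Return full paths in system_dir whose names match WINGO.EXE(OPEN)*."""
    try:
        names = os.listdir(system_dir)
    except OSError:
        return []
    return sorted(os.path.join(system_dir, n) for n in names if WINGO_RE.match(n))


def scan_shares(root):
    """Report drop-name files inside any folder whose path below root contains 'shar'."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "shar" not in os.path.relpath(dirpath, root).lower():
            continue
        hits.extend(os.path.join(dirpath, fn) for fn in filenames
                    if fn.lower() in _DROP_NAMES_LOWER)
    return sorted(hits)


def check_registry():
    """Windows only (assumed check): the Run value and the HKCU\\Software\\Params key.
    Returns a dict of findings, or None when winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    findings = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            findings["run_wingo"] = winreg.QueryValueEx(key, "wingo")[0]
    except OSError:
        findings["run_wingo"] = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Params"):
            findings["hkcu_params"] = True
    except OSError:
        findings["hkcu_params"] = False
    return findings


def demo():
    """Build a constructed tree of placeholder files and run both scans."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "WINNT", "SYSTEM32")
        share = os.path.join(root, "Program Files", "KaZaA", "My Shared Folder")
        docs = os.path.join(root, "Documents")
        for d in (sysdir, share, docs):
            os.makedirs(d)
        planted = [
            (sysdir, "WINGO.EXE"),
            (sysdir, "WINGO.EXEOPENOPEN"),
            (sysdir, "kernel32.dll"),      # benign
            (share, "Serials.txt.exe"),
            (share, "ACDSee 9.exe"),
            (share, "holiday.jpg"),        # benign
            (docs, "Serials.txt.exe"),     # same name, but not under a 'shar' folder
        ]
        for d, name in planted:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"MZ")  # constructed placeholder content, not malware
        sys_hits = [os.path.basename(p) for p in scan_system_dir(sysdir)]
        share_hits = [os.path.basename(p) for p in scan_shares(root)]
    return sys_hits, share_hits


if __name__ == "__main__":
    print(demo())
    print(check_registry())
```

The share scan deliberately reports only files under a 'shar' folder: the same names elsewhere on disk are worth a look, but they are not this worm's drop pattern. On a live machine, point scan_system_dir() at %SystemRoot%\system32 and scan_shares() at each drive root.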
Process Termination Payload
The worm terminates the following processes (mostly anti-virus, firewall and updater components) if they are running on the victim machine:
- mcagent.exe
- mcvsshld.exe
- mcshield.exe
- mcvsescn.exe
- mcvsrte.exe
- DefWatch.exe
- Rtvscan.exe
- ccEvtMgr.exe
- NISUM.EXE
- ccPxySvc.exe
- navapsvc.exe
- NPROTECT.EXE
- nopdb.exe
- ccApp.exe
- Avsynmgr.exe
- VsStat.exe
- Vshwin32.exe
- alogserv.exe
- RuLaunch.exe
- Avconsol.exe
- PavFires.exe
- FIREWALL.EXE
- ATUPDATER.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- AUTODOWN.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- ESCANH95.EXE
- AVXQUAR.EXE
- ESCANHNT.EXE
- AUPDATE.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- CFIAUDIT.EXE
- UPDATE.EXE
- MCUPDATE.EXE
- pavsrv50.exe
- AVENGINE.EXE
- APVXDWIN.EXE
- pavProxy.exe
- navapw32.exe
- ccProxy.exe
- SAVScan.exe
- SNDSrvc.exe
- symlcsvc.exe
- LUCOMS~1.EXE
- blackd.exe
- bawindo.exe
- FrameworkService.exe
- VsTskMgr.exe
- SHSTAT.EXE
- UpdaterUI.exe
BackDoor Component
The worm listens on TCP port 81 on the victim machine. Initial analysis suggests this is a file-execution backdoor: once it is listening, a remote attacker can connect to the victim machine and execute a file on it. An unexpected listener on TCP port 81 is therefore a further indicator of infection.
Downloading
This threat contacts the following list of websites to retrieve a file named G.JPG. At the time of writing, this file was not available on any of the sites, so the requests fail; the attempts themselves, whether successful or not, indicate an infected machine when seen in proxy or web-filter logs.
- http://www.24-7-transportation.com
- http://www.adhdtests.com
- http://www.aegee.org
- http://www.aimcenter.net
- http://www.alupass.lu
- http://www.amanit.ru
- http://www.andara.com
- http://www.angelartsanctuary.com
- http://www.anthonyflanagan.com
- http://www.approved1stmortgage.com
- http://www.argontech.net
- http://www.asianfestival.nl
- http://www.atlantisteste.hpg.com.br
- http://www.aviation-center.de
- http://www.bbsh.org
- http://www.bga-gsm.ru
- http://www.boneheadmusic.com
- http://www.bottombouncer.com
- http://www.bradster.com
- http://www.buddyboymusic.com
- http://www.bueroservice-it.de
- http://www.calderwoodinn.com
- http://www.capri-frames.de
- http://www.celula.com.mx
- http://www.ceskyhosting.cz
- http://www.chinasenfa.com
- http://www.cntv.info
- http://www.compsolutionstore.com
- http://www.coolfreepages.com
- http://www.corpsite.com
- http://www.couponcapital.net
- http://www.cpc.adv.br
- http://www.crystalrose.ca
- http://www.cscliberec.cz
- http://www.curtmarsh.com
- http://www.customloyal.com
- http://www.DarrkSydebaby.com
- http://www.deadrobot.com
- http://www.dontbeaweekendparent.com
- http://www.dragcar.com
- http://www.ecofotos.com.br
- http://www.elenalazar.com
- http://www.ellarouge.com.au
- http://www.esperanzaparalafamilia.com
- http://www.eurostavba.sk
- http://www.everett.wednet.edu
- http://www.fcpages.com
- http://www.featech.com
- http://www.fepese.ufsc.br
- http://www.firstnightoceancounty.org
- http://www.flashcorp.com
- http://www.fleigutaetscher.ch
- http://www.fludir.is
- http://www.freeservers.com
- http://www.FritoPie.NET
- http://www.gamp.pl
- http://www.gci-bln.de
- http://www.gcnet.ru
- http://www.generationnow.net
- http://www.gfn.org
- http://www.giantrevenue.com
- http://www.glass.la
- http://www.handsforhealth.com
- http://www.hartacorporation.com
- http://www.himpsi.org
- http://www.idb-group.net
- http://www.immonaut.sk
- http://www.ims-i.com
- http://www.innnewport.com
- http://www.irakli.org
- http://www.irinaswelt.de
- http://www.jansenboiler.com
- http://www.jasnet.pl
- http://www.jhaforpresident.7p.com
- http://www.jimvann.com
- http://www.jldr.ca
- http://www.justrepublicans.com
- http://www.kencorbett.com
- http://www.knicks.nl
- http://www.kps4parents.com
- http://www.kradtraining.de
- http://www.kranenberg.de
- http://www.lasermach.com
- http://www.leonhendrix.com
- http://www.magicbottle.com.tw
- http://www.mass-i.kiev.ua
- http://www.mepbisu.de
- http://www.mepmh.de
- http://www.metal.pl
- http://www.mexis.com
- http://www.mongolische-renner.de
- http://www.mtfdesign.com
- http://www.oboe-online.com
- http://www.ohiolimo.com
- http://www.onepositiveplace.org
- http://www.oohlala-kirkland.com
- http://www.orari.net
- http://www.pankration.com
- http://www.pe-sh.com
- http://www.pfadfinder-leobersdorf.com
- http://www.pipni.cz
- http://www.polizeimotorrad.de
- http://www.programmierung2000.de
- http://www.pyrlandia-boogie.pl
- http://www.raecoinc.com
- http://www.realgps.com
- http://www.redlightpictures.com
- http://www.reliance-yachts.com
- http://www.relocationflorida.com
- http://www.rentalstation.com
- http://www.rieraquadros.com.br
- http://www.scanex-medical.fi
- http://www.sea.bz.it
- http://www.selu.edu
- http://www.sigi.lu
- http://www.sljinc.com
- http://www.smacgreetings.com
- http://www.soloconsulting.com
- http://www.spadochron.pl
- http://www.srg-neuburg.de
- http://www.ssmifc.ca
- http://www.sugardas.lt
- http://www.sunassetholdings.com
- http://www.szantomierz.art.pl
- http://www.the-fabulous-lions.de
- http://www.tivogoddess.com
- http://www.tkd2xcell.com
- http://www.topko.sk
- http://www.transportation.gov.bh
- http://www.travelchronic.de
- http://www.traverse.com
- http://www.uhcc.com
- http://www.ulpiano.org
- http://www.uslungiarue.it
- http://www.vandermost.de
- http://www.vbw.info
- http://www.velezcourtesymanagement.com
- http://www.velocityprint.com
- http://www.vikingpc.pl
- http://www.vinirforge.com
- http://www.wecompete.com
- http://www.worest.com.ar
- http://www.woundedshepherds.com
- http://www.wwwebad.com
- http://www.wwwebmaster.com
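Detection logic for the download behaviour above, run over proxy log lines, as an added example (not code from the advisory). The log format is a constructed one of my own, not a real product's, and the sample lines are constructed too; DOWNLOAD_HOSTS holds a handful of the hosts from the list above and the remainder of the list drops in unchanged. It goes slightly beyond the page by also flagging a G.JPG fetch from a host that is not on the list, at lower confidence, since a later variant could use a different host list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A few of the hosts from the advisory's list; add the rest as needed.
DOWNLOAD_HOSTS = {
    "www.24-7-transportation.com", "www.aegee.org", "www.amanit.ru",
    "www.freeservers.com", "www.selu.edu", "www.wwwebmaster.com",
}
PAYLOAD_NAME = "g.jpg"

# Assumed log format (constructed for this example, not a real product format):
#   <timestamp> <client-ip> <method> <url> <http-status>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\b")

# Constructed sample lines: one client walking the list and getting 404s
# (the advisory notes the file was not available), plus unrelated traffic.
SAMPLE_LOG = """\
2004-10-29T10:01:02 10.0.0.12 GET http://www.amanit.ru/G.JPG 404
2004-10-29T10:01:03 10.0.0.12 GET http://www.selu.edu/g.jpg 404
2004-10-29T10:02:10 10.0.0.7 GET http://www.example.org/images/g.jpg 200
2004-10-29T10:03:11 10.0.0.9 GET http://www.selu.edu/index.html 200
2004-10-29T10:04:00 10.0.0.12 GET http://WWW.AEGEE.ORG/G.JPG 404
2004-10-29T10:05:00 10.0.0.3 CONNECT mail.example.com:443 200
"""


def classify(url):
    """Return (host, verdict). verdict is None unless the request is for G.JPG;
    'known_host' if the host is on the advisory's list, else 'payload_name_only'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name != PAYLOAD_NAME:
        return host, None
    return host, ("known_host" if host in DOWNLOAD_HOSTS else "payload_name_only")


def scan_log(text):
    """One dict per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        host, verdict = classify(url)
        if verdict:
            hits.append({"time": ts, "client": client, "host": host,
                         "status": int(status), "verdict": verdict})
    return hits


def summarize(text):
    """Per-client counts. A client with any known_host hits is almost certainly
    infected; a lone payload_name_only hit deserves a look but may be benign."""
    counts = defaultdict(lambda: {"known_host": 0, "payload_name_only": 0})
    for h in scan_log(text):
        counts[h["client"]][h["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(summarize(SAMPLE_LOG))
```

The 404 responses are part of the signature, not a reason to ignore the hits: the worm keeps walking the list regardless. The listed sites are ordinary, mostly legitimate hosts, so alert on the host-plus-filename pair rather than blocking the hosts outright.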
Registry Entry Removal
The following values, belonging to other worms and to security products, are deleted from both of the following startup locations:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The value names removed are:
- My AV
- Zone Labs Client Ex
- 9XHtProtect
- Antivirus
- Special Firewall Service
- service
- Tiny AV
- ICQNet
- HtProtect
- NetDy
- Jammer2nd
- FirewallSvr
- MsInfo
- SysMonXP
- EasyAV
- PandaAVEngine
- Norton Antivirus AV
- KasperskyAVEng
- SkynetsRevenge
- ICQ Net
Aliases
I-Worm.Bagle.at (Kaspersky), W32/Bagle-AU (Sophos), W32/Bagle.BC.worm (Panda), WORM_BAGLE.AT (Trend)