Virus Profile: W32/Bagle.bj@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 1/26/2005
Date Added: 1/26/2005
Origin: Unknown
Length: 18,690+ bytes
Type: Virus
Subtype: E-mail
DAT Required: 4423
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Unexpected ports (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

    • Methods of Infection

      Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .wab
    • .txt
    • .msg
    • .htm
    • .shtm
    • .stm
    • .xml
    • .dbx
    • .mbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .wsh
    • .adb
    • .tbb
    • .sht
    • .xls
    • .oft
    • .uin
    • .cgi
    • .mht
    • .dhtm
    • .jsp

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • @microsoft
    • rating@
    • f-secur
    • news
    • update
    • anyone@
    • bugs@
    • contract@
    • feste
    • gold-certs@
    • help@
    • info@
    • nobody@
    • noone@
    • kasp
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • sopho
    • @foo
    • @iana
    • free-av
    • @messagelab
    • winzip
    • google
    • winrar
    • samples
    • abuse
    • panda
    • cafee
    • spam
    • pgp
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@

    Peer To Peer Propagation

    Files are created in folders that contain the phrase shar :

    • 1.exe
    • 2.exe
    • 3.exe
    • 4.exe
    • 5.scr
    • 6.exe
    • 7.exe
    • 8.exe
    • 9.exe
    • 10.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe

    Remote Access Component

    The virus listens on random TCP ports beginning with 2339, for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a JPG file (error.jpg) on the remote sites.

    • http://www.pyrlandia-boogie.pl
    • http://www.kps4parents.com
    • http://www.pipni.cz
    • http://www.selu.edu
    • http://www.travelchronic.de
    • http://www.fleigutaetscher.ch
    • http://www.irakli.org
    • http://www.oboe-online.com
    • http://www.pe-sh.com
    • http://www.idb-group.net
    • http://www.ceskyhosting.cz
    • http://www.hartacorporation.com
    • http://www.glass.la
    • http://www.24-7-transportation.com
    • http://www.fepese.ufsc.br
    • http://www.ellarouge.com.au
    • http://www.bbsh.org
    • http://www.boneheadmusic.com
    • http://www.sljinc.com
    • http://www.tivogoddess.com
    • http://www.fcpages.com
    • http://www.szantomierz.art.pl
    • http://www.elenalazar.com
    • http://www.generationnow.net
    • http://www.flashcorp.com
    • http://www.kencorbett.com
    • http://www.FritoPie.NET
    • http://www.leonhendrix.com
    • http://www.transportation.gov.bh
    • http://www.jhaforpresident.7p.com
    • http://www.DarrkSydebaby.com
    • http://www.cntv.info
    • http://www.sugardas.lt
    • http://www.adhdtests.com
    • http://www.argontech.net
    • http://www.customloyal.com
    • http://www.ohiolimo.com
    • http://www.topko.sk
    • http://www.ssmifc.ca
    • http://www.reliance-yachts.com
    • http://www.worest.com.ar
    • http://www.kps4parents.com
    • http://www.coolfreepages.com
    • http://www.scanex-medical.fi
    • http://www.jimvann.com
    • http://www.orari.net
    • http://www.himpsi.org
    • http://www.mtfdesign.com
    • http://www.jldr.ca
    • http://www.relocationflorida.com
    • http://www.rentalstation.com
    • http://www.approved1stmortgage.com
    • http://www.velezcourtesymanagement.com
    • http://www.sunassetholdings.com
    • http://www.compsolutionstore.com
    • http://www.uhcc.com
    • http://www.justrepublicans.com
    • http://www.pfadfinder-leobersdorf.com
    • http://www.featech.com
    • http://www.vinirforge.com
    • http://www.magicbottle.com.tw
    • http://www.giantrevenue.com
    • http://www.couponcapital.net
    • http://www.crystalrose.ca
    • http://www.bottombouncer.com
    • http://www.anthonyflanagan.com
    • http://www.bradster.com
    • http://www.traverse.com
    • http://www.ims-i.com
    • http://www.realgps.com
    • http://www.aviation-center.de
    • http://www.gci-bln.de
    • http://www.pankration.com
    • http://www.jansenboiler.com
    • http://www.corpsite.com
    • http://www.everett.wednet.edu
    • http://www.onepositiveplace.org
    • http://www.raecoinc.com
    • http://www.wwwebad.com
    • http://www.corpsite.com
    • http://www.wwwebmaster.com
    • http://www.wwwebad.com
    • http://www.dragcar.com
    • http://www.wwwebad.com
    • http://www.oohlala-kirkland.com
    • http://www.calderwoodinn.com
    • http://www.buddyboymusic.com
    • http://www.smacgreetings.com
    • http://www.tkd2xcell.com
    • http://www.curtmarsh.com
    • http://www.dontbeaweekendparent.com
    • http://www.soloconsulting.com
    • http://www.lasermach.com
    • http://www.alupass.lu
    • http://www.sigi.lu
    • http://www.redlightpictures.com
    • http://www.irinaswelt.de
    • http://www.bueroservice-it.de
    • http://www.kranenberg.de
    • http://www.the-fabulous-lions.de
    • http://www.mongolische-renner.de
    • http://www.capri-frames.de
    • http://www.aimcenter.net
    • http://www.boneheadmusic.com
    • http://www.fludir.is
    • http://www.sljinc.com
    • http://www.tivogoddess.com
    • http://www.fcpages.com
    • http://www.andara.com
    • http://www.freeservers.com
    • http://www.programmierung2000.de
    • http://www.asianfestival.nl
    • http://www.aviation-center.de
    • http://www.gci-bln.de
    • http://www.mass-i.kiev.ua
    • http://www.jasnet.pl
    • http://www.atlantisteste.hpg.com.br
    • http://www.fludir.is
    • http://www.rieraquadros.com.br
    • http://www.metal.pl
    • http://www.handsforhealth.com
    • http://www.angelartsanctuary.com
    • http://www.firstnightoceancounty.org
    • http://www.chinasenfa.com
    • http://www.ulpiano.org
    • http://www.gamp.pl
    • http://www.vikingpc.pl
    • http://www.woundedshepherds.com
    • http://www.cpc.adv.br
    • http://www.velocityprint.com
    • http://www.esperanzaparalafamilia.com
    • http://www.celula.com.mx
    • http://www.mexis.com
    • http://www.wecompete.com
    • http://www.vbw.info
    • http://www.gfn.org
    • http://www.aegee.org
    • http://www.deadrobot.com
    • http://www.cscliberec.cz
    • http://www.ecofotos.com.br
    • http://www.amanit.ru
    • http://www.bga-gsm.ru
    • http://www.innnewport.com
    • http://www.knicks.nl
    • http://www.srg-neuburg.de
    • http://www.mepmh.de
    • http://www.mepbisu.de
    • http://www.kradtraining.de
    • http://www.polizeimotorrad.de
    • http://www.sea.bz.it
    • http://www.uslungiarue.it
    • http://www.gcnet.ru
    • http://www.aimcenter.net
    • http://www.vandermost.de
    • http://www.szantomierz.art.pl
    • http://www.immonaut.sk
    • http://www.eurostavba.sk
    • http://www.spadochron.pl
       

    Virus Characteristics

    -- Update March 11, 2005 --
     The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.

    -- Update 27th January 2005 12:50 PST --

    Due to increased prevalence the risk assessment of this threat has been raised to medium. The 4423 DATs have been released early to address this threat.

    The following EXTRA.DAT packages are also available.
    EXTRA.DAT
    SUPER EXTRA.DAT

    --

    This is a mass-mailing worm with the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • contains a remote access component (notification is sent to hacker)
    • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

    Mail Propagation

    The details are as follows:

    From : (address is spoofed)
    Subject :

    • Delivery service mail
    • Delivery by mail
    • Registration is accepted
    • Is delivered mail
    • You are made active

    Body Text:

    • Thanks for use of our software.
    • Before use read the help

    Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)

    • wsd01
    • viupd02
    • siupd02
    • guupd02
    • zupd02
    • upd02
    • Jol03

    The virus copies itself into the Windows System directory as sysformat.exe. For example:

    • C:\WINNT\SYSTEM32\sysformat.exe

    It also creates other files in this directory to perform its functions:

    • C:\WINNT\SYSTEM32\sysformat.exeopen
    • C:\WINNT\SYSTEM32\sysformat.exeopenopen

    The following Registry key is added to hook system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe

    Additionally, the following Registry keys are added:

    • HKEY_CURRENT_USER\Software\Microsoft\Params "TimeKey"

    It deletes these values

    • "My AV"
    • "ICQ Net"

    from the following Registry keys, if they are present:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run

    A mutex is created to ensure only one instance of the worm is running at a time.  One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

    • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

    This worm attempts to terminate the process of security programs with the the following filenames:

    • mcagent.exe
    • mcvsshld.exe
    • mcshield.exe
    • mcvsescn.exe
    • mcvsrte.exe
    • DefWatch.exe
    • Rtvscan.exe
    • ccEvtMgr.exe
    • NISUM.EXE
    • ccPxySvc.exe
    • navapsvc.exe
    • NPROTECT.EXE
    • nopdb.exe
    • ccApp.exe
    • Avsynmgr.exe
    • VsStat.exe
    • Vshwin32.exe
    • alogserv.exe
    • RuLaunch.exe
    • Avconsol.exe
    • PavFires.exe
    • FIREWALL.EXE
    • ATUPDATER.EXE
    • LUALL.EXE
    • DRWEBUPW.EXE
    • AUTODOWN.EXE
    • NUPGRADE.EXE
    • OUTPOST.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ESCANH95.EXE
    • AVXQUAR.EXE
    • ESCANHNT.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVXQUAR.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • CFIAUDIT.EXE
    • UPDATE.EXE
    • NUPGRADE.EXE
    • MCUPDATE.EXE
    • pavsrv50.exe
    • AVENGINE.EXE
    • APVXDWIN.EXE
    • pavProxy.exe
    • navapw32.exe
    • navapsvc.exe
    • ccProxy.exe
    • navapsvc.exe
    • NPROTECT.EXE
    • SAVScan.exe
    • SNDSrvc.exe
    • symlcsvc.exe
    • LUCOMS~1.EXE
    • blackd.exe
    • bawindo.exe
    • FrameworkService.exe
    • VsTskMgr.exe
    • SHSTAT.EXE
    • UpdaterUI.exe

    The worm opens random ports starting with 2339 (TCP) on the victim machine.

       

    All Users :
    The specified     engine and DAT files  were released early for this threat.

    Additional Windows ME/XP removal considerations

    Manual Removal Instructions
    To remove this virus "by hand", follow these steps:

    1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
    2. Delete the files following from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
       sysformat.exe
      sysformat.exeopen
             sysformat.exeopenopen
    3. Edit the registry
      • Delete the "Sysformat" value from
        • HKEY_CURRENT_USER\Software\Microsoft\
          Windows\CurrentVersion\Run
    4. Reboot the system into Default Mode

    McAfee Intrushield
     An IntruShield User-Defined Signature (UDS) has been created to detect this threat and is available for download at:
     
    https://mysupport.nai.com/
    Knowledgebase Article KB38001
     
    Please note: The above knowledgebase article is password protected and requires your to log into Service Portal before accessing it.