This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
- Port 8866 (TCP) open on the victim machine
- Outgoing messages matching the described characteristics
- Files/Registry keys as described
Methods of Infection
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
The virus spoofs the sender address by using a harvested address in the From: field.
Messages are constructed as follows:
- From: (address is spoofed)
- Subject: ID (string)... thanks
- Body: Yours ID (string2)
- Attachment: randomly named binary (11,264 bytes) with .EXE file extension.
Where "string" and "string2" are random strings.
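The message format above can be turned directly into a mail-gateway check. The following Python is an added example written for this page, not code from the antivirus vendor: it builds a few constructed messages with the standard library (the random-looking strings, addresses and file names are made up), then matches the three described traits: the subject "ID (string)... thanks", the body "Yours ID (string2)", and an .EXE attachment of exactly 11,264 bytes. A message is flagged only when the attachment trait coincides with a text trait, which keeps an ordinary mail that happens to carry an 11,264-byte executable from being flagged on size alone.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Signature derived from the message format described above.
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)
BODY_RE = re.compile(r"^\s*Yours\s+ID\s+\S+\s*$", re.IGNORECASE)
ATTACHMENT_SIZE = 11_264  # bytes, as stated in the description


def build_sample(subject: str, body: str, attach_name: str = "",
                 attach_size: int = 0) -> str:
    """Build a raw RFC 5322 message; used only to construct test input here."""
    msg = EmailMessage(policy=default)
    msg["From"] = "harvested.user@example.test"   # constructed spoofed sender
    msg["To"] = "victim@example.test"             # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        # Zero-filled bytes stand in for the binary; only size and name matter here.
        msg.add_attachment(b"\x00" * attach_size, maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_string()


def bagle_b_indicators(raw: str) -> list[str]:
    """Return which of the described traits (subject, body, attachment) a message shows."""
    msg = message_from_string(raw, policy=default)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and BODY_RE.match(text.get_content()):
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe") and len(payload) == ATTACHMENT_SIZE:
            hits.append("attachment")
    return hits


def is_bagle_b(raw: str) -> bool:
    """Flag a message when the .EXE attachment trait coincides with a text trait."""
    hits = bagle_b_indicators(raw)
    return "attachment" in hits and ("subject" in hits or "body" in hits)


# Constructed samples; the random-looking strings are made up, not taken from a real sample.
SUSPECT = build_sample("ID kz4mp... thanks", "Yours ID q7h2lr", "wkdmr.exe", ATTACHMENT_SIZE)
BENIGN = build_sample("Meeting notes", "See attached.", "notes.pdf", ATTACHMENT_SIZE)
NEAR_MISS = build_sample("ID abc... thanks", "Please review.", "setup.exe", 20_000)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN), ("near miss", NEAR_MISS)):
        print(f"{label}: indicators={bagle_b_indicators(raw)} flagged={is_bagle_b(raw)}")
```

Because the sender address is harvested and spoofed, the From: header carries no signal and is deliberately not part of the match; the subject, body and attachment size are the stable traits.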
The virus avoids sending itself to addresses containing the following:
Remote Access Component
The virus listens on TCP port 8866 for remote connections. The functionality this backdoor provides to the hacker is currently under investigation.
A notification is sent to the author(s) via HTTP. A GET request (containing the port number and "id") is sent to a PHP script on remote server(s). Users are recommended to block access to the following domains:
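The notification described above leaves a trace in web proxy logs: a GET to a PHP script whose query string carries the backdoor port and an "id". The Python below is an added example for this page, not vendor code. It scans constructed Common Log Format lines (hosts, client addresses, timestamps and ids are all made up) and reports requests that fit that shape. The description does not name the query parameters, so the port parameter names "p" and "port" are assumptions made here; the id parameter is taken from the text.

```python
import re
from urllib.parse import urlsplit, parse_qs

BACKDOOR_PORT = "8866"  # TCP port the description says the worm listens on

# Assumed parameter names: the description only says the GET carries the port number
# and an "id"; "p" and "port" are guesses used here for the port parameter.
PORT_PARAMS = ("p", "port")
ID_PARAM = "id"

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"')


def is_beacon_request(method: str, url: str) -> bool:
    """True when a GET targets a .php script with an id parameter and the backdoor port."""
    if method != "GET":
        return False
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    query = parse_qs(parts.query)
    has_id = ID_PARAM in query
    has_port = any(BACKDOOR_PORT in query.get(name, []) for name in PORT_PARAMS)
    return has_id and has_port


def beacon_hits(log_lines):
    """Scan proxy log lines; return (client, host, id) for each matching request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, url = m.group("method"), m.group("url")
        if is_beacon_request(method, url):
            client = line.split(" ", 1)[0]          # first CLF field is the client address
            parts = urlsplit(url)
            hits.append((client, parts.hostname, parse_qs(parts.query)[ID_PARAM][0]))
    return hits


# Constructed proxy log lines in Common Log Format; every value here is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:10:11:12 +0000] '
    '"GET http://beacon.example.test/notify.php?p=8866&id=3f2a9c HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2004:10:11:15 +0000] '
    '"GET http://www.example.test/index.php?id=42 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2004:10:11:20 +0000] '
    '"GET http://cdn.example.test/logo.png HTTP/1.1" 200 8844',
    '10.0.0.5 - - [01/Jan/2004:10:12:01 +0000] '
    '"POST http://mail.example.test/login.php?id=1&p=8866 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, host, ident in beacon_hits(SAMPLE_LOG):
        print(f"possible infection notification from {client} to {host} (id={ident})")
```

A hit names the internal client that sent the beacon, which is the host to check for the open TCP port 8866 listed under Indication of Infection; the second and fourth sample lines show that an ordinary PHP request with an id, or a POST carrying the same parameters, is not reported.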
Aliases
I-Worm.Bagle.b (AVP), W32.Alua@mm (NAV), W32.Aula@mm (NAV), W32/Tanx.A-mm, W32/Yourid.A.worm (Panda), Win32.HLLM.Strato.16896 (Dialogue Science), WORM_BAGLE.B (Trend)