Your essential free software toolbox

SHARE
THIS ON

Win32.Worm.Bagle.FJ

MEDIUM

LOW

19,524 (packed)

()

Symptoms

The presence of a file named sysformat.exe in the windows system directory.

The presence of a task named sysformat in the process list (if the machine is running Windows 95 / 98 / Me, this process is cloaked and is invisible).

The windows firewall and security center (in case the machine is running Windows XP Service Pack 2) is disabled.

Security software (anti-viruses, firewalls...) on the machine are disabled and can not be started.

The host file in the System32\Drivers\etc subdirectory of the windows directory is of size 1,771 and contains only entries which begin with 127.0.0.1 and sites belonging to antivirus vendors.

Removal instructions:

Please let BitDefender disinfect your files. To restore your internet connection which the sites the worm blacklisted, be sure to scan the system directory and let BitDefender delete the host file (about which it should report that it is infected with Generic.Qhost) or delete this yourself. Until you do this, the machine won't be able to connect to some sites which can result in your anti-virus products being unable to perform the update operation.

Analyzed By

Attila-Mihaly Balazs, virus researcher

Technical Description:

This is a mass mailer / downloader malware. It arrives in the form of an archive which contains two files: an executable and an other one containing random characters. The executable has a similar icon with a text document and when first executed it copies itself in the system directory with the name sysformat.exe and then launches notepad.exe.

It drops a hosts file in the System32\Drivers subdirectory of the windows directory of size 1,771 which disables the access to certain anti-virus related sites. This can result in the anti-virus beeing unable to perform an update.

It disables the built-in firewall and security center on machines running Windows XP Service Pack 2.

It kills several security (anti-virus and firewall) products.

It tries to download files from a predefined list of sites and to execute them.

It searches the available hard-disks (removable media or network drives won't be searched) for files having the extension:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

These files will be searched for e-mail addresses and the worm will send itself to these addresses if they don't contain one of the following substrings:

@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

The worm will also search the hard drives for folders which contain the substring "shar" in them (for example "My Shared Documents") and will copy itself there under these names:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The subject of the sent mail contains the following words:

price
February price
pricelst
pricelist
price_lst
new_price
February_price
21_price