Win32.Worm.Bagle.FJ
SYMPTOMS:
The presence of a file named sysformat.exe in the Windows system directory.
The presence of a process named sysformat in the process list (on Windows 95 / 98 / Me this process is hidden and does not appear in the task list).
On Windows XP Service Pack 2, the Windows Firewall and the Security Center are disabled.
Security software on the machine (anti-virus, firewalls, ...) is disabled and cannot be started.
The hosts file in the System32\Drivers\etc subdirectory of the Windows directory is 1,771 bytes in size and contains only entries that map sites belonging to anti-virus vendors to 127.0.0.1.

TECHNICAL DESCRIPTION:
This is a mass mailer / downloader. It arrives as an archive containing two files: an executable and a second file filled with random characters. The executable carries an icon resembling that of a text document; when first executed it copies itself to the system directory as sysformat.exe and then launches notepad.exe, so the victim appears to have opened a harmless text file. It drops a 1,771-byte hosts file in the System32\Drivers\etc subdirectory of the Windows directory that blocks access to certain anti-virus related sites; this can leave the installed anti-virus unable to update. It disables the built-in firewall and the Security Center on machines running Windows XP Service Pack 2 and terminates several security (anti-virus and firewall) products. It also tries to download files from a predefined list of sites and execute them.
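Added example (not part of the original BitDefender analysis): a Python check for the hosts-file hijack described above. It parses a hosts file, reports every name sunk to a loopback address other than localhost, and flags the ones that look like anti-virus vendor sites. The sample file content and the vendor-name hints are constructed assumptions; the page does not reproduce the real entries the worm writes.

```python
"""Detect hosts-file entries that redirect anti-virus vendor sites to loopback.

Added example; the sample content and vendor hints below are assumptions,
not the worm's actual hosts file.
"""

# Constructed sample in the style of the file the worm drops (assumption).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.bitdefender.com
127.0.0.1       update.bitdefender.com   # trailing comment
127.0.0.1       www.kaspersky.com
"""

# Addresses commonly used to blackhole a name.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately resolve to loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings identifying anti-virus vendor sites (assumption; extend as needed).
AV_VENDOR_HINTS = ("symantec", "bitdefender", "kaspersky", "mcafee", "f-secure",
                   "sophos", "trendmicro", "avp", "panda", "grisoft", "avg")


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped.

    One hosts line may carry several names after the address, so each
    name is yielded separately, lower-cased for comparison.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[0]
        for name in parts[1:]:
            yield addr, name.lower()


def find_hijacked_entries(text):
    """Return hostnames mapped to a sink address that are not loopback names."""
    return [name for addr, name in parse_hosts(text)
            if addr in SINK_ADDRESSES and name not in LEGIT_LOOPBACK]


def av_sites_blocked(text):
    """Subset of the hijacked names that look like anti-virus vendor sites."""
    return [n for n in find_hijacked_entries(text)
            if any(hint in n for hint in AV_VENDOR_HINTS)]


def hosts_looks_tampered(text, threshold=1):
    """True when at least `threshold` vendor sites are blackholed."""
    return len(av_sites_blocked(text)) >= threshold


def check_hosts_file(path):
    """Read a hosts file from disk and return the blocked vendor sites."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return av_sites_blocked(fh.read())


if __name__ == "__main__":
    for name in av_sites_blocked(SAMPLE_HOSTS):
        print("blackholed:", name)
```

On a live machine, point `check_hosts_file` at `%SystemRoot%\System32\drivers\etc\hosts`; a size of exactly 1,771 bytes is a weak indicator on its own, so the content check above is what to rely on.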
It searches the local hard disks (removable media and network drives are not searched) for files with the following extensions:
.wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp
These files are scanned for e-mail addresses, and the worm sends itself to every address found unless the address contains one of the following substrings:
@microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@
The worm also searches the hard drives for folders whose name contains the substring "shar" (for example "My Shared Documents") and copies itself there under the following names:
1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
The subject of the sent mail contains the following words: price February price pricelst pricelist price_lst new_price February_price 21_price

REMOVAL INSTRUCTIONS:
Let BitDefender disinfect your files. To restore access to the sites the worm blacklisted, scan the system directory and let BitDefender delete the hosts file (it should be reported as infected with Generic.Qhost), or delete the file yourself. Until this is done, the machine cannot connect to some sites, which can leave your anti-virus products unable to perform the update operation.

ANALYZED BY: Attila-Mihaly Balazs, virus researcher
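Added example (not part of the original BitDefender analysis): a Python sweep for the file names the worm drops into "shar" folders and for sysformat.exe in the system directory. The directory layout it scans is a constructed temporary tree built by the example itself; the case-insensitive "shar" match and the system32 location are assumptions about how the worm and a typical install behave.

```python
"""Sweep a directory tree for Bagle.FJ drop artifacts.

Added example. The demo tree is constructed in a temp directory; on a real
machine call sweep() with the drive root and the Windows system directory.
"""
import os
import shutil
import tempfile

# File names the worm uses for the copies it places in "shar*" folders.
SHARE_DROP_NAMES = {
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
    "9.exe", "10.exe", "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
}
SYSTEM_DROP_NAME = "sysformat.exe"
SHARE_HINT = "shar"   # substring the worm looks for in folder names


def sweep(root, system_dir=None):
    """Return sorted paths of suspicious files under root (and system_dir).

    Only folders whose own name contains "shar" (case-insensitive,
    an assumption) are checked for the drop names; a stray 1.exe in an
    unrelated folder is deliberately not reported.
    """
    hits = []
    drop_names = {n.lower() for n in SHARE_DROP_NAMES}
    for dirpath, _dirnames, filenames in os.walk(root):
        if SHARE_HINT in os.path.basename(dirpath).lower():
            for fn in filenames:
                if fn.lower() in drop_names:
                    hits.append(os.path.join(dirpath, fn))
    if system_dir:
        candidate = os.path.join(system_dir, SYSTEM_DROP_NAME)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return sorted(hits)


def build_demo_tree():
    """Create a constructed tree mimicking an infected machine.

    Returns (root, system_dir). Everything here is made up for the demo.
    """
    root = tempfile.mkdtemp(prefix="bagle_fj_demo_")
    shared = os.path.join(root, "Documents", "My Shared Documents")
    work = os.path.join(root, "Documents", "Work")
    sysdir = os.path.join(root, "WINDOWS", "system32")
    for d in (shared, work, sysdir):
        os.makedirs(d)
    for fn in ("Opera 8 New!.exe", "5.scr", "readme.txt"):   # two drops, one benign
        open(os.path.join(shared, fn), "wb").close()
    open(os.path.join(work, "1.exe"), "wb").close()          # not a "shar" folder
    open(os.path.join(sysdir, SYSTEM_DROP_NAME), "wb").close()
    return root, sysdir


def demo():
    """Build the demo tree, sweep it, and return hits relative to the root."""
    root, sysdir = build_demo_tree()
    try:
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in sweep(root, sysdir)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

The sweep reports paths only; quarantine or deletion is left to the anti-virus product, as the removal instructions above recommend.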