26112 bytes (packed with tElock v0.96)
Presence of FirewallSvr.exe in %windir% (e.g. C:\Windows) folder and in processes list.
Presence of f**k_you_bagle.txt in %windir% (e.g. C:\Windows) folder containing a block of ascii characters.
Presence in start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of the string "FirewallSvr" pointing to "%windir%\FirewallSvr.exe".
* open Task Manager by pressing [CTR]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
* use End Process in Processes tab on FirewallSvr.exe
* open Registry Editor typing [WIN]+[R]regedit[ENTER]
* remove the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr registry key
* delete %windir%\FirewallSvr.exe and %windir%\f**k_you_bagle.txt
Automatic removal: let BitDefender disinfect infected files
Mircea Ciubotariu BitDefender Virus Researcher
The worm spreads via email and infects by executing the attachment.
It was written in C++, compiled using VC6 and packed.
When run it first copies itself to %windir%\FirewallSvr.exe and creates a link in registry pointing to it, so that it will be loaded at system startup.
Then it checks a mutex named ____--->>>>U<<<<--____ to avoid running a new copy of the worm.
After that it initializes the internal variables used for email harvesting and multiplying by setting the first email address to email@example.com. Ar this time it also creates a file called f**k_you_bagle.txt in which it encodes a copy of the worm in base64 format. This file will be used later at sending emails by appending it to the email text as attachment data.
Next it creates a thread which searches drives from C: through Z: but skipping DVD/CD-ROM drives for specific file types which may contain suitable email addresses, but only up to 312661 (0x4C555) addresses.
The files scanned for email addresses must have one of the following extensions:
The worm creates then a thread which acts as a backdoor, by opening and listening on port 82. When an attacker sends a file on this port the worm will save it as Rand.exe and execute it, where Rand is a random number in the range 0-32767.
Finally the worm creates 7 threads to send emails to the potential recipients found.
These email addresses are checked to be valid on different hardcoded servers by Mail eXcahnge look-ups.
From the country code of the destination email address the subject, body message and attachment name are chosen as follows:
the order is: country code, attachment base name, subject, body message
.de, dokument, Re: dokument, Bitte lesen Sie das Dokument.
.fr, document, Re: document, Veuillez lire le document.
.it, documento, Re: documento, Legga prego il documento.
.pt, original, Re: original, Leia por favor o original.
.no, dokumentet, Re: dokumentet, Behage lese dokumentet.
.pl, udokumentowac, Re: udokumentowac, Podobac sie przeczytac ten udokumentowac.
.fi, dokumentoida, Re: dokumentoida, Haluta kuulua dokumentoida.
.se, dokumenten, Re: dokumenten, Behaga lSsa dokumenten.
.tk, belge, Re: belge, mutlu etmek okumak belgili tanimlik belge.
If no code from the above is found the next one will be used:
.xx, document, Re: document, Please read the document.
Probably the author intended to compose the attachment name from the attachment base name to which a executable .pif extenstion would have been added, but instead attachment name is composed from the country code and the extension .pif.
From April 28 to 30 2004 the worm creates a total of 50 (49+1) threads which attempt DoS attacks on the following sites:
Most of the strings used by the worm are encrypted using a translation table for A-Z and a-z characters.