Win32.Bagle.AD@mm

MEDIUM
MEDIUM
~ 67 KBytes (packed)

Symptoms

When run, the virus displays a fake message, stating:

"Can't find a viewer associated with the file"


- Presence of the following files in the %SYSTEM% folder:

loader_name.exe
loader_name.exeopen
loader_name.exeopenopen


- Presence of the following registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reg_key"="%SYSTEM%\loader_name.exe"


where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and
%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

- Presence of files named:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

in folders whose names contain the string "shar"

Removal instructions:

- automatic removal: let BitDefender delete/disinfect files found infected.

Analyzed By

Patrik Vicol, BitDefender Virus Researcher

Technical Description:

The virus arrives via e-mail in the following formats:


Subject: (one of the following)

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document



Body: (one of the following)

Read the attach.

Your file is attached.

More info is in attach

See attach.

Please, have a look at the attached file.

Your document is attached.

Please, read the document.

Attach tells everything.

Attached file tells everything.

Check attached file for details.

Check attached file.

Pay attention at the attach.

See the attached file for details.

Message is in attach

Here is the file.



Attachment's name is one of the following:

Information
Details
Updates
Readme
Document
Info
MoreInfo
Message
Sources



Attachment's extension may be:

.exe
.scr
.com
.zip
.vbs
.hta
.cpl



If the attachment is a password-protected zip file, one of the following sentences can also be found in the body:

For security reasons attached file is password protected. The password is ...
For security purposes the attached file is password protected. Password -- ...
Note: Use password ... to open archive.
Attached file is protected with the password for security reasons. Password is ...
In order to read the attach you have to use the following password: ...
Archive password: ...
Password - ...
Password: ...
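The lure described above (fixed subject lines, fixed body sentences, a short list of attachment base names and extensions, and a password hint when the attachment is a zip) is narrow enough to match at a mail gateway. The following is an added example, not Bitdefender's code: it scores a raw message against the indicator lists copied from this description. The two sample messages, the sender and recipient addresses, and the attachment payloads are constructed for the demonstration.

```python
"""Gateway-style matcher for the Bagle.AD mail lure described above.

Added example, not Bitdefender's code. The indicator lists are copied from the
description; the sample messages are constructed here.
"""
import os
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
)}
BODY_LINES = {s.lower() for s in (
    "Read the attach.", "Your file is attached.", "More info is in attach", "See attach.",
    "Please, have a look at the attached file.", "Your document is attached.",
    "Please, read the document.", "Attach tells everything.", "Attached file tells everything.",
    "Check attached file for details.", "Check attached file.", "Pay attention at the attach.",
    "See the attached file for details.", "Message is in attach", "Here is the file.",
)}
ATTACH_NAMES = {s.lower() for s in (
    "Information", "Details", "Updates", "Readme", "Document", "Info", "MoreInfo",
    "Message", "Sources",
)}
ATTACH_EXTS = {".exe", ".scr", ".com", ".zip", ".vbs", ".hta", ".cpl"}
# The description elides the actual password as "..."; match any text in that position.
PASSWORD_HINTS = [
    re.compile(re.escape(p).replace(re.escape("..."), ".+"), re.IGNORECASE)
    for p in (
        "For security reasons attached file is password protected. The password is ...",
        "For security purposes the attached file is password protected. Password -- ...",
        "Note: Use password ... to open archive.",
        "Attached file is protected with the password for security reasons. Password is ...",
        "In order to read the attach you have to use the following password: ...",
        "Archive password: ...",
        "Password - ...",
        "Password: ...",
    )
]


def score_message(raw: str) -> dict:
    """Return which indicator classes matched and an overall verdict."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body_lines, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_lines.extend(
                line.strip() for line in payload.decode("utf-8", "replace").splitlines()
            )
    body_text = "\n".join(body_lines)
    attach_hit = any(
        os.path.splitext(f)[0].lower() in ATTACH_NAMES
        and os.path.splitext(f)[1].lower() in ATTACH_EXTS
        for f in attachments
    )
    result = {
        "subject": subject in SUBJECTS,
        "body": any(line.lower() in BODY_LINES for line in body_lines),
        "attachment": attach_hit,
        "password_hint": any(rx.search(body_text) for rx in PASSWORD_HINTS),
    }
    # Subjects like "Re: Hello" are generic; require the attachment pattern as well.
    result["verdict"] = attach_hit and (result["subject"] or result["body"])
    return result


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Construct a small multipart message for the demonstration (not a real capture)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "someone@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.attach(MIMEText(body, "plain"))
    part = MIMEApplication(b"constructed placeholder, not a real archive", Name=attachment_name)
    part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
    msg.attach(part)
    return msg.as_string()


# Constructed samples: one matching the lure, one legitimate reply sharing only the subject.
SAMPLE_LURE = build_sample(
    "Re: Thank you!", "Your document is attached.\nArchive password: qwerty", "Details.zip"
)
SAMPLE_BENIGN = build_sample(
    "Re: Thank you!", "Thanks for the quick turnaround on the invoice.", "invoice-2024.pdf"
)

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw))
```

The verdict deliberately requires the attachment pattern in addition to a subject or body match, because "Update" or "Re: Hello" alone would flag ordinary traffic; the password-hint flag is reported separately so a gateway policy can treat password-protected archives with this wording as their own signal.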



When run, the virus will do the following:

1. Displays a fake error message: "Can't find a viewer associated with the file"

2. Creates the aforementioned registry entry so that it runs at system startup

3. Creates the aforementioned files in the %SYSTEM% folder

4. Scans all fixed drives for e-mail addresses in files with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

5. Scans all fixed drives for folders whose names contain "shar" and creates copies of itself in them as:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe


6. Deletes registry keys created by variants of the NetSky virus

7. Creates mutexes so that variants of the NetSky virus will not run

8. Uses its own SMTP engine to send itself to the harvested e-mail addresses; it avoids addresses containing:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp., noreply, local, root@, postmaster@

9. Opens a backdoor on port 1234
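Two of the on-disk traces above can be checked without any vendor tooling: the dropped loader triple in the system folder (step 3 and the Symptoms list, where the worm drops `<name>.exe` alongside `<name>.exeopen` and `<name>.exeopenopen`) and the lure-named copies in folders whose names contain "shar" (step 5). The following is an added example, not Bitdefender's removal tool. The lure names are copied from this description; the directory tree that `build_demo_tree()` creates is constructed so the check runs offline, and the two `find_*` functions can be pointed at a real system folder and drive root instead.

```python
"""Host-side check for the on-disk traces described above.

Added example, not Bitdefender's code. Lure names come from the description;
the demo directory tree is constructed here.
"""
import os
import tempfile

# File names the worm uses for its copies in "shar" folders (from the description).
LURE_NAMES = {s.lower() for s in (
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr",
    "Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
)}


def find_loader_triples(system_dir: str) -> list:
    """Return loader names X for which X.exe, X.exeopen and X.exeopenopen all exist."""
    try:
        names = set(os.listdir(system_dir))
    except OSError:
        return []
    return sorted(
        n for n in names
        if n.lower().endswith(".exe") and n + "open" in names and n + "openopen" in names
    )


def find_share_copies(root: str) -> list:
    """Return paths of lure-named files inside folders whose name contains "shar"."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        hits.extend(os.path.join(dirpath, f) for f in filenames if f.lower() in LURE_NAMES)
    return sorted(hits)


def _touch(path: str) -> None:
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder")


def build_demo_tree() -> str:
    """Build a constructed directory tree mimicking the traces, return its root."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    sysdir = os.path.join(root, "System32")
    os.makedirs(sysdir)
    for suffix in ("", "open", "openopen"):          # the dropped triple
        _touch(os.path.join(sysdir, "loader_name.exe" + suffix))
    _touch(os.path.join(sysdir, "notepad.exe"))       # legitimate: no sibling files
    share = os.path.join(root, "Users", "bob", "Shared Music")
    os.makedirs(share)
    _touch(os.path.join(share, "ACDSee 9.exe"))       # lure copy in a "shar" folder
    _touch(os.path.join(share, "song.mp3"))
    docs = os.path.join(root, "Users", "bob", "Documents")
    os.makedirs(docs)
    _touch(os.path.join(docs, "ACDSee 9.exe"))        # same name, but not a "shar" folder
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("loader triples:", find_loader_triples(os.path.join(demo_root, "System32")))
    print("share copies:  ", find_share_copies(demo_root))
```

The triple check keys on the `open`/`openopen` suffix pattern rather than on a fixed loader name, since the description presents `loader_name` as a placeholder. The share-folder check is scoped exactly as the description states: only folders whose names contain "shar" are examined, so a file with one of these names elsewhere is not reported.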