Win32.Bagle.AY@mm (aliases: Win32.Bagle.AY@mm; Win32.Bagle-gen)
SYMPTOMS:
The presence of the following registry key:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysformat = %sysdir%\sysformat.exe
The presence of the following files:
  %sysdir%\sysformat.exe
  %sysdir%\sysformat.exeopen
Usually %sysdir% is C:\Windows\System32.

TECHNICAL DESCRIPTION:
The virus is almost the same as Win32.Bagle.AX@mm, with a few changes. It comes packed with PEX and is about 23000 bytes in size packed and about 69000 bytes unpacked.

At runtime, it drops the files sysformat.exe and sysformat.exeopen in the %sysdir% folder. The file "sysformat.exeopen" is the attachment used in the mails that the virus sends. It is usually different from sysformat.exe, because it has random garbage bytes appended at the end (that is why its size is variable).

It creates a mutex with the name:
  MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

It deletes the following registry entry (if it exists):
  {HKCU-HKLM}\Software\Microsoft\Windows\CurrentVersion\Run\"My AV"

It adds the following registry key:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysformat = %sysdir%\sysformat.exe

It then creates a mail, choosing randomly from a list of predefined mail parts:

From: (spoofed)

Subject:
  Delivery service mail
  Delivery by mail
  Registration is accepted
  Is delivered mail
  You are made active

Body:
  Thanks for use of our software. Before use read the help

Attachment name:
  wsd01
  viupd02
  siupd02
  guupd02
  zupd02
  upd02
  Jol03

To the attachment name, an extension is appended, one of the following:
  .exe .scr .com .cpl

The virus will not send mails to addresses that contain one of the following strings:
  @microsoft
  rating@
  f-secur
  news
  update
  anyone@
  bugs@
  contract@
  feste
  gold-certs@
  help@
  info@
  nobody@
  noone@
  kasp
  admin
  icrosoft
  support
  ntivi
  unix
  linux
  listserv
  certific
  sopho
  @foo
  @iana
  free-av
  @messagelab
  winzip
  winrar
  samples
  abuse
  panda
  cafee
  spam
  @avp.
  noreply
  local
  root@
  postmaster@

The virus will search for email addresses in all files with the following extensions:
  .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

It has some P2P spreading capabilities, the same it has used since early versions: it searches for folders whose name contains the string "shar" and copies itself there under the following names:
  1.exe
  2.exe
  3.exe
  4.exe
  5.scr
  6.exe
  7.exe
  8.exe
  9.exe
  10.exe
  Ahead Nero 7.exe
  Windown Longhorn Beta Leak.exe
  Opera 8 New!.exe
  XXX hardcore images.exe
  WinAmp 6 New!.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  Adobe Photoshop 9 full.exe
  Matrix 3 Revolution English Subtitles.exe
  ACDSee 9.exe

The virus will kill the following processes, if found active (the majority are antivirus processes):
  mcagent.exe
  mcvsshld.exe
  mcshield.exe
  mcvsescn.exe
  mcvsrte.exe
  DefWatch.exe
  Rtvscan.exe
  ccEvtMgr.exe
  NISUM.EXE
  ccPxySvc.exe
  navapsvc.exe
  NPROTECT.EXE
  nopdb.exe
  ccApp.exe
  Avsynmgr.exe
  VsStat.exe
  Vshwin32.exe
  alogserv.exe
  RuLaunch.exe
  Avconsol.exe
  PavFires.exe
  FIREWALL.EXE
  ATUPDATER.EXE
  LUALL.EXE
  DRWEBUPW.EXE
  AUTODOWN.EXE
  NUPGRADE.EXE
  OUTPOST.EXE
  ICSSUPPNT.EXE
  ICSUPP95.EXE
  ESCANH95.EXE
  AVXQUAR.EXE
  ESCANHNT.EXE
  ATUPDATER.EXE
  AUPDATE.EXE
  AUTOTRACE.EXE
  AUTOUPDATE.EXE
  AVXQUAR.EXE
  AVWUPD32.EXE
  AVPUPD.EXE
  CFIAUDIT.EXE
  UPDATE.EXE
  NUPGRADE.EXE
  MCUPDATE.EXE
  pavsrv50.exe
  AVENGINE.EXE
  APVXDWIN.EXE
  pavProxy.exe
  navapw32.exe
  navapsvc.exe
  ccProxy.exe
  navapsvc.exe
  NPROTECT.EXE
  SAVScan.exe
  SNDSrvc.exe
  symlcsvc.exe
  LUCOMS~1.EXE
  blackd.exe
  bawindo.exe
  FrameworkService.exe
  VsTskMgr.exe
  SHSTAT.EXE
  UpdaterUI.exe

Finally, the virus tries to download one file from the following addresses:
  http://www.pyrlandia-boogie.pl/
  http://www.kps4parents.com/
  http://www.pipni.cz/
  http://www.selu.edu/
  http://www.travelchronic.de/
  http://www.fleigutaetscher.ch/
  http://www.irakli.org/
  http://www.oboe-online.com/
  http://www.oboe-online.com/
  http://www.pe-sh.com/
  http://www.idb-group.net/
  http://www.ceskyhosting.cz/
  http://www.ceskyhosting.cz/
  http://www.hartacorporation.com/
  http://www.glass.la/
  http://www.glass.la/
  http://www.24-7-transportation.com/
  http://www.fepese.ufsc.br/
  http://www.ellarouge.com.au/
  http://www.bbsh.org/
  http://www.boneheadmusic.com/
  http://www.sljinc.com/
  http://www.tivogoddess.com/
  http://www.fcpages.com/
  http://www.szantomierz.art.pl/
  http://www.elenalazar.com/
  http://www.generationnow.net/
  http://www.flashcorp.com/
  http://www.kencorbett.com/
  http://www.FritoPie.NET/
  http://www.leonhendrix.com/
  http://www.transportation.gov.bh/
  http://www.transportation.gov.bh/
  http://www.jhaforpresident.7p.com/
  http://www.DarrkSydebaby.com/
  http://www.cntv.info/
  http://www.sugardas.lt/
  http://www.adhdtests.com/
  http://www.argontech.net/
  http://www.customloyal.com/
  http://www.ohiolimo.com/
  http://www.topko.sk/
  http://www.ssmifc.ca/
  http://www.reliance-yachts.com/
  http://www.worest.com.ar/
  http://www.kps4parents.com/
  http://www.coolfreepages.com/
  http://www.scanex-medical.fi/
  http://www.jimvann.com/
  http://www.orari.net/
  http://www.himpsi.org/
  http://www.mtfdesign.com/
  http://www.jldr.ca/
  http://www.relocationflorida.com/
  http://www.rentalstation.com/
  http://www.approved1stmortgage.com/
  http://www.velezcourtesymanagement.com/
  http://www.sunassetholdings.com/
  http://www.compsolutionstore.com/
  http://www.uhcc.com/
  http://www.justrepublicans.com/
  http://www.pfadfinder-leobersdorf.com/
  http://www.featech.com/
  http://www.vinirforge.com/
  http://www.magicbottle.com.tw/
  http://www.giantrevenue.com/
  http://www.couponcapital.net/
  http://www.crystalrose.ca/
  http://www.bottombouncer.com/
  http://www.anthonyflanagan.com/
  http://www.bradster.com/
  http://www.traverse.com/
  http://www.ims-i.com/
  http://www.realgps.com/
  http://www.aviation-center.de/
  http://www.gci-bln.de/
  http://www.pankration.com/
  http://www.jansenboiler.com/
  http://www.corpsite.com/
  http://www.everett.wednet.edu/
  http://www.onepositiveplace.org/
  http://www.raecoinc.com/
  http://www.wwwebad.com/
  http://www.corpsite.com/
  http://www.wwwebmaster.com/
  http://www.wwwebad.com/
  http://www.dragcar.com/
  http://www.wwwebad.com/
  http://www.oohlala-kirkland.com/
  http://www.calderwoodinn.com/
  http://www.buddyboymusic.com/
  http://www.smacgreetings.com/
  http://www.tkd2xcell.com/
  http://www.curtmarsh.com/
  http://www.dontbeaweekendparent.com/
  http://www.soloconsulting.com/
  http://www.lasermach.com/
  http://www.alupass.lu/
  http://www.sigi.lu/
  http://www.redlightpictures.com/
  http://www.irinaswelt.de/
  http://www.bueroservice-it.de/
  http://www.kranenberg.de/
  http://www.kranenberg.de/
  http://www.the-fabulous-lions.de/
  http://www.the-fabulous-lions.de/
  http://www.mongolische-renner.de/
  http://www.mongolische-renner.de/
  http://www.capri-frames.de/
  http://www.capri-frames.de/
  http://www.aimcenter.net/
  http://www.boneheadmusic.com/
  http://www.fludir.is/
  http://www.sljinc.com/
  http://www.tivogoddess.com/
  http://www.fcpages.com/
  http://www.andara.com/
  http://www.freeservers.com/
  http://www.programmierung2000.de/
  http://www.asianfestival.nl/
  http://www.aviation-center.de/
  http://www.gci-bln.de/
  http://www.mass-i.kiev.ua/
  http://www.jasnet.pl/
  http://www.atlantisteste.hpg.com.br/
  http://www.fludir.is/
  http://www.rieraquadros.com.br/
  http://www.metal.pl/
  http://www.handsforhealth.com/
  http://www.angelartsanctuary.com/
  http://www.firstnightoceancounty.org/
  http://www.chinasenfa.com/
  http://www.chinasenfa.com/
  http://www.ulpiano.org/
  http://www.gamp.pl/
  http://www.vikingpc.pl/
  http://www.woundedshepherds.com/
  http://www.cpc.adv.br/
  http://www.velocityprint.com/
  http://www.esperanzaparalafamilia.com/
  http://www.celula.com.mx/
  http://www.mexis.com/
  http://www.wecompete.com/
  http://www.vbw.info/
  http://www.gfn.org/
  http://www.aegee.org/
  http://www.deadrobot.com/
  http://www.cscliberec.cz/
  http://www.ecofotos.com.br/
  http://www.amanit.ru/
  http://www.bga-gsm.ru/
  http://www.innnewport.com/
  http://www.knicks.nl/
  http://www.srg-neuburg.de/
  http://www.mepmh.de/
  http://www.mepbisu.de/
  http://www.kradtraining.de/
  http://www.polizeimotorrad.de/
  http://www.sea.bz.it/
  http://www.uslungiarue.it/
  http://www.gcnet.ru/
  http://www.aimcenter.net/
  http://www.vandermost.de/
  http://www.vandermost.de/
  http://www.szantomierz.art.pl/
  http://www.immonaut.sk/
  http://www.eurostavba.sk/
  http://www.spadochron.pl/

The virus will not send mails after the date 25.04.2006.

REMOVAL INSTRUCTIONS:
Automatic disinfection: let BitDefender delete all files it finds infected.
Manual removal: use Task Manager to kill the process "sysformat", then delete the files and registry keys listed in the "Symptoms" section.

ANALYZED BY: Daniel Ionita
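The following is an added example of how a responder could turn the host artefacts (Run value, dropped files, mutex, process, P2P copies) and the mail lure parts (subjects, body, attachment names and extensions) from the sections above into a matching routine. It is not BitDefender's tooling and not code from the sample. The host "snapshot" is a plain dict constructed here so the check runs offline; on a live Windows host the same fields would be filled from the HKCU Run key, the file system, the process list and the mutex table, and that collection step is assumed rather than shown.

```python
"""Indicator matching for the Win32.Bagle.AY@mm artefacts listed on this page.

Added example, not BitDefender's tooling and not code from the sample. The
host snapshot below is constructed so the check runs offline; filling it from
a live system (Run key, file system, process list, mutex table) is assumed.
"""
import os

# Host artefacts from the SYMPTOMS / TECHNICAL DESCRIPTION sections.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sysformat"
DROPPED_FILES = ("sysformat.exe", "sysformat.exeopen")
PROCESS_NAME = "sysformat.exe"
MUTEX_NAME = "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D"
# Names the worm copies itself under inside folders whose path contains "shar".
P2P_NAMES = {n.lower() for n in (
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
    "9.exe", "10.exe", "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe")}

# Mail lure parts from the TECHNICAL DESCRIPTION section.
SUBJECTS = {"Delivery service mail", "Delivery by mail", "Registration is accepted",
            "Is delivered mail", "You are made active"}
BODY_PHRASES = ("Thanks for use of our software", "Before use read the help")
ATTACH_BASENAMES = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "Jol03"}
ATTACH_EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}


def check_host(snapshot):
    """Return the page-listed indicators present in `snapshot` (case-insensitive).

    snapshot keys: "sysdir" (str), "run_values" (dict value_name -> data),
    "files", "processes", "mutexes" (iterables of str). Windows paths are
    compared as lower-cased strings with backslash separators, so this also
    runs on a non-Windows analysis box.
    """
    hits = []
    sysdir = snapshot.get("sysdir", r"C:\Windows\System32").rstrip("\\")
    expected_image = (sysdir + "\\" + PROCESS_NAME).lower()

    data = snapshot.get("run_values", {}).get(RUN_VALUE_NAME)
    if data is not None and data.lower() == expected_image:
        hits.append(f"registry: {RUN_KEY}\\{RUN_VALUE_NAME} = {data}")

    files = [f.lower() for f in snapshot.get("files", ())]
    for name in DROPPED_FILES:
        if sysdir.lower() + "\\" + name in files:
            hits.append(f"file: {sysdir}\\{name}")
    for path in files:
        folder, _, base = path.rpartition("\\")
        if "shar" in folder and base in P2P_NAMES:
            hits.append(f"p2p copy: {path}")

    if PROCESS_NAME in {p.lower() for p in snapshot.get("processes", ())}:
        hits.append(f"process: {PROCESS_NAME}")
    if MUTEX_NAME in snapshot.get("mutexes", ()):
        hits.append(f"mutex: {MUTEX_NAME}")
    return hits


def matches_lure(subject, body, attachment_name):
    """True when subject, body and attachment name follow the lure pattern above.

    Matching is name-based on purpose: the attachment is sysformat.exeopen with
    random bytes appended, so its size and hash differ per message and a hash
    indicator would not hold.
    """
    if subject.strip() not in SUBJECTS:
        return False
    if not any(phrase in body for phrase in BODY_PHRASES):
        return False
    base, ext = os.path.splitext(attachment_name.strip())
    return base in ATTACH_BASENAMES and ext.lower() in ATTACH_EXTENSIONS


# Constructed host snapshot (not a real capture) for a stand-alone run.
SAMPLE_SNAPSHOT = {
    "sysdir": r"C:\Windows\System32",
    "run_values": {"sysformat": r"C:\Windows\System32\sysformat.exe",
                   "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"},
    "files": {r"C:\Windows\System32\sysformat.exe",
              r"C:\Windows\System32\sysformat.exeopen",
              r"C:\Windows\System32\notepad.exe",
              r"C:\Program Files\Shared Stuff\Opera 8 New!.exe"},
    "processes": {"explorer.exe", "sysformat.exe"},
    "mutexes": {MUTEX_NAME},
}

if __name__ == "__main__":
    for hit in check_host(SAMPLE_SNAPSHOT):
        print("HIT", hit)
    print(matches_lure("Delivery by mail", "Before use read the help", "upd02.cpl"))
    print(matches_lure("Delivery by mail", "Before use read the help", "upd02.zip"))
```

The same constant-table approach extends to the download address list above as a proxy or DNS watchlist; since the page does not say which file is fetched, such a rule should match on the host name only, and the large number of duplicates and ordinary-looking sites in that list means a hit is a lead to verify, not proof on its own.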