Email-Worm.Win32.Bagle.fm
When launched, the worm displays the following window:
During installation the worm copies itself into the Windows\System folder under the following names:
%System%\regmaping.exe
%System%\regmaping.exeopen
%System%\regmaping.exeopenopen
and then creates a registry entry ensuring that it runs at every Windows startup:
"Regmonitor"="%System%\regmaping.exe"
In addition, the worm creates the file winresw.exe in the Windows folder. It contains a Trojan that downloads files from the Internet without the knowledge or consent of the infected computer's user.
Addresses of potential victims are harvested from the system address book and from files with the following extensions:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
The worm does not send copies of itself to addresses containing the following strings:
@avp. @foo @hotmail @iana @messagelab @microsoft @msn abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip
To send messages, the worm connects directly to the recipient's SMTP server.
Examples of messages sent by the worm:
- Subject (chosen from the following options):
Your Receipt (random number)--(random number)
Order reminder: ID (random number)
Billing department, order (random number)--(random number)
- Body (chosen from the following options):
- Dear Sir or Madam, This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store. This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly. The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge. You will not be charged again. You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.
- Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it. Transaction Number: (random number) This is your receipt for your $1490 purchase of a 1.0 months subscription which will appear on your statement as (random number). Your membership will automatically renew per the terms and conditions. Should you ever have any problems whatsoever, please don't hesitate to contact our live technical support staff - available 24 hours a day 7 days a week. We can be reached by phone toll free in the US at 800-***-8593. Rather use email? Drop us a line at bill@gmail.com and we'll always get back to you within an hour. Enjoy the service! Support
- Your email (recipient's email address) has exceeded its bandwidth quota in the period beginning on 2006-01-01. Your quota is set to 10485760 bytes (10.0 MB), and your email has consumed 559189702 bytes (533.285 MB) beyond that quota. Our over-bandwidth charges are Additional Bandwidth/Month Monthly Cost 100 Mb $200.00 200 MB $360.00 300 MB $480.00 400 MB $624.00 500 Mb $740.00 <- your over-usage 600 Mb $850.00 Our automatically generated bill is attached with this email. Sincerely, Sales Manager.
- Attachment name (chosen from the following options):
Generated_bill.exe
Order_details.exe
Service_receipt.exe
The attachment may also contain a text file Description.txt with the following content:
Order attach
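For a mail gateway or an incident responder, the subject, body and attachment templates quoted above translate directly into detection rules. The Python below is an added example, not code from the original description or from any vendor's product; the regular expressions, the MailMessage structure and the sample messages are constructed here from the templates listed above, and the "text template plus .exe attachment" rule is an assumed policy choice.

```python
import re
from dataclasses import dataclass, field

# Subject templates quoted in the description; "(random number)" becomes \d+.
SUBJECT_PATTERNS = [
    re.compile(r"^Your Receipt \d+--\d+$"),
    re.compile(r"^Order reminder: ID \d+$"),
    re.compile(r"^Billing department, order \d+--\d+$"),
]

# Fixed attachment names used by the worm (compared case-insensitively).
ATTACHMENT_NAMES = {"generated_bill.exe", "order_details.exe", "service_receipt.exe"}

# Distinctive fragments of the three quoted message bodies.
BODY_MARKERS = [
    "The charge will appear as DR *Symantec",
    "Drop us a line at bill@gmail.com",
    "has exceeded its bandwidth quota in the period beginning on 2006-01-01",
]


@dataclass
class MailMessage:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def bagle_fm_indicators(msg):
    """Return every indicator matched by one message (empty list = nothing matched)."""
    hits = []
    for pat in SUBJECT_PATTERNS:
        if pat.match(msg.subject):
            hits.append("subject:" + pat.pattern)
            break
    for name in msg.attachments:
        if name.lower() in ATTACHMENT_NAMES:
            hits.append("attachment:" + name)
    for marker in BODY_MARKERS:
        if marker in msg.body:
            hits.append("body:" + marker)
    return hits


def is_bagle_fm_lure(msg):
    """A fixed attachment name alone is enough to flag the message. A subject or
    body template counts only when an .exe attachment is also present (assumed
    policy: a body template with a PDF attached is more likely a lookalike)."""
    hits = bagle_fm_indicators(msg)
    if any(h.startswith("attachment:") for h in hits):
        return True
    has_text = any(h.startswith(("subject:", "body:")) for h in hits)
    has_exe = any(a.lower().endswith(".exe") for a in msg.attachments)
    return has_text and has_exe


def scan_messages(messages):
    """Return the indices of messages that should be quarantined."""
    return [i for i, m in enumerate(messages) if is_bagle_fm_lure(m)]


# Constructed sample traffic (not captured data); numbers and names are made up.
SAMPLE_MESSAGES = [
    MailMessage("Order reminder: ID 48213",
                "Transaction Number: 48213 ... Drop us a line at bill@gmail.com and ...",
                ["Order_details.exe"]),
    MailMessage("Your Receipt 12345--678",
                "Please find your invoice attached.",
                ["invoice.pdf"]),
    MailMessage("Meeting notes", "See attached.", ["notes.docx"]),
    MailMessage("hi", "", ["Generated_bill.exe"]),
]

if __name__ == "__main__":
    for i in scan_messages(SAMPLE_MESSAGES):
        print(i, bagle_fm_indicators(SAMPLE_MESSAGES[i]))
```

The random numbers in the subjects are the only variable part, so anchored regular expressions are enough; the attachment names are matched case-insensitively because Windows file names are, and the body markers are taken from the parts of each template that a legitimate mailing would not contain.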
The worm copies itself under the following names into folders whose names contain the string "Shar":
Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
IE beta 7.exe
jenna elfman sex anal deepthroat kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
The worm opens TCP port 6777 and waits for commands from a remote attacker.
The file winresw.exe created by the worm contains a list of URLs. The worm checks these addresses for files to download to the infected computer, and the downloaded files are executed. The addresses checked by the worm are:
http://***hit.fateback.com
http://209.16.***.230/.%20/pr
http://debut.***.com/
http://dook.***.by/
http://ijj.t***.com/
http://myphotokool.t***.com/
In this way the worm can download its own updates as well as other malicious programs.
The worm deletes the following entries from the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
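The host-side indicators in this description (the Regmonitor Run value pointing at regmaping.exe and the three file copies in %System%, winresw.exe in the Windows folder, the listener on TCP 6777, and the security-product Run values the worm deletes) can be checked from artifacts collected during triage. The Python below is an added example, not code from the original description; it parses constructed samples of a reg.exe export, directory listings and netstat -ano output, and the before/after Run-key comparison is an assumed workflow that needs a pre-infection export (for instance from a baseline image).

```python
# Indicators taken from the description above.
WORM_RUN_VALUE = "Regmonitor"
WORM_SYSTEM_FILES = {"regmaping.exe", "regmaping.exeopen", "regmaping.exeopenopen"}
WORM_WINDOWS_FILES = {"winresw.exe"}
WORM_PORT = 6777
# Run values the worm deletes (the page's list); their disappearance is itself a signal.
DELETED_RUN_VALUES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge",
    "ICQ Net",
}


def parse_run_values(reg_export):
    """Collect the values under any CurrentVersion Run key in a reg.exe export.
    .reg files double the backslashes inside string data; they are folded back here."""
    values, in_run = {}, False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.lower().endswith("\\currentversion\\run]")
        elif in_run and line.startswith('"'):
            name, _, data = line.partition("=")
            values[name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return values


def listening_tcp_ports(netstat_lines):
    """Extract local ports in LISTENING state from `netstat -ano` output."""
    ports = set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def triage(run_before, run_after, system_files, windows_files, netstat_lines):
    """Return human-readable findings; an empty list means no Bagle.fm indicator seen."""
    findings = []
    exe = run_after.get(WORM_RUN_VALUE, "")
    if exe.lower().endswith("regmaping.exe"):
        findings.append(f"Run value {WORM_RUN_VALUE} -> {exe}")
    for f in sorted(WORM_SYSTEM_FILES & {n.lower() for n in system_files}):
        findings.append(f"file present in %System%: {f}")
    for f in sorted(WORM_WINDOWS_FILES & {n.lower() for n in windows_files}):
        findings.append(f"file present in %Windows%: {f}")
    for v in sorted((set(run_before) - set(run_after)) & DELETED_RUN_VALUES):
        findings.append(f"security Run entry removed: {v}")
    if WORM_PORT in listening_tcp_ports(netstat_lines):
        findings.append(f"TCP {WORM_PORT} listening")
    return findings


# Constructed sample artifacts (not real captures): a Run-key export taken before
# and after infection, directory listings, and netstat output. Paths are made up.
RUN_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Zone Labs Client Ex"="C:\\Program Files\\ZoneLabs\\zlclient.exe"
"KasperskyAVEng"="C:\\Program Files\\KAV\\kav.exe"
"""
RUN_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Regmonitor"="C:\\WINDOWS\\system32\\regmaping.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\WINDOWS\\setup.exe"
"""
SYSTEM_FILES = ["kernel32.dll", "regmaping.exe", "regmaping.exeopen", "regmaping.exeopenopen"]
WINDOWS_FILES = ["explorer.exe", "winresw.exe"]
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:1045       203.0.113.9:80         ESTABLISHED     1532
  UDP    0.0.0.0:445            *:*                                    4
""".splitlines()


def run_sample_triage():
    return triage(parse_run_values(RUN_BEFORE), parse_run_values(RUN_AFTER),
                  SYSTEM_FILES, WINDOWS_FILES, NETSTAT)


if __name__ == "__main__":
    for finding in run_sample_triage():
        print(finding)
```

Only the Run key itself is parsed (RunOnce and other sections reset the flag), and file names are compared case-insensitively because the worm's names may be written in any case on an NTFS or FAT volume. Removed Run values are reported only when they match the page's deletion list, so ordinary uninstallation of unrelated software does not raise a finding.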
The worm's code contains the following text:
In a difficult world In a nameless time I want to survive So, you will be mine!! -- Bagle Author, 29.04.04, Germany.