Email-Worm.Win32.Bagz.f
Po uruchomieniu robak kopiuje si臋 do foldera WindowsSystem z nast臋puj膮cymi nazwami:
sysinfo32.exe trace32.exe sqlssl.doc ... .exe
Robak funkcjonuje jako us艂uga Windows Secure SSL. Aby by艂o to mo偶liwe, robak tworzy w rejestrze systemowym nast臋puj膮cy klucz:
Adresy potencjalnych ofiar pobierane s膮 z systemowej ksi膮偶ki adresowej oraz z plik贸w posiadaj膮cych nast臋puj膮ce rozszerzenia:
.TBB .tbb .TBI .tbi .DBX .dbx .HTM .htm .TXT .txt
W celu wysy艂ania wiadomo艣ci robak nawi膮zuje bezpo艣rednie po艂膮czenie z serwerem SMTP odbiorcy.
Szkodnik nie wysy艂a w艂asnych kopii pod adresy zawieraj膮ce nast臋puj膮ce teksty:
@avp @foo @iana @messagelab @microsoft abuse admin administrator@ all@ anyone@ bsd bugs@ cafee certific certs@ contact@ contract@ feste free-av f-secur gold- gold-certs@ google help@ hostmaster@ icrosoft info@ kasp linux listserv local netadmin@ news nobody@ noone@ noreply ntivi oocies panda pgp postmaster@ rating@ root@ samples sopho spam support support@ unix update webmaster@ winrar winzip Infected messages
- Temat (wybierany z poni偶szych mo偶liwo艣ci):
ASAP Administrator Allert! Amirecans Att attach attachments best regards contract Have a nice day Hello Money office please responce re: Andrey re: order re: please Read this Russian's text toxic urgent Vasia waiting Warning
- Tre艣膰 (wybierana z poni偶szych mo偶liwo艣ci):
Hi Did you get the previous document I attached for you? I resent it in this email just in case, because I really need you to check it out asap. Best Regards Hi I made a mistake and forgot to click attach on the previous email I sent you. Please give me your opinion on this opportunity when you get a chance. Best Regards Hi I was supposed to send you this document yesterday. Sorry for the delay, please forward this to your family if possible. It contains important info for both of you. Hi Sorry, I forgot to send an important document to you in that last email. I had an important phone call. Please checkout attached doc file when you have a moment. Best Regards Hi I was in a rush and I forgot to attach an important document. Please see attached doc file. Best Regards, Sorry to bother you, but I am having a problem receiving your emails. I am responding to your last email in the attached file. Please get back to me if there is any problem reading the attachment. I am responding to your last email in the attached file. I had a delivery problem with your inbox, so maybe you'll receive this now. Can you please check out the email I have attached? For some reason, I received only part of your last several emails. I want to make sure that there are no problems with either of our accounts. This email is being sent as attachment because it was previously blocked by your email filters. Please view the attachment and respond. Thanks I resent this email as attachment because it was previously blocked by your email filters. Please read the attachment and respond. Thanks I apologize, but I need you to verify that I have the correct contact info for you. My system crashed last weekend and I lost most of my friends and work contacts. Please check the attached (.pdf) and please let me know if your info is current. My last email to you was returned. The reason is that I am not currently added to your “allowed” contact list. Please add my updated contact info provided in the attached (.pdf) file so I can send you emails in the future. Sincerely I have updated my email address See the (.pdf) file attached and please respond if you have any questions. We have made recent updates to our database. Please verify your mailing address on file is correct. We have attached a (.pdf) sheet for you to use for your response. Hello Our contact information has changed. See the attached (.pdf) sheet for details. Sincerely, ***URGENT: SERVICE SHUTDOWN NOTICE*** Due to your failure to comply with our email Rules and Regulations, your email account has been temporarily suspended for 24 hours unless we are contacted regarding this situation. You must read the attached document for further instructions. Failure to comply will result in termination of your account. Regards, Net Operator ***URGENT: SERVICE SHUTDOWN NOTICE*** ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!*** You are currently unable to send emails. This may be a billing issue. Please call the billing center. The # for the billing office is located in the attached contact list for your convenience. ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!*** ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM*** Hello, The previous email you sent has been recognized as spam. This means your email was not delivered to your friend or client. You must open the attached file to receive more information. ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM*** Hello, What version of windows you are using? This last document I received from you came out weird. Please see the attached word file and resend the file to me. Many thanks, User Hello, My PC crashed while I was sending that last email. I have re-attached the document of yours that I discovered. Please read attached document and respond ASAP. Sincerely, User Hello, Your email was sent in an INVALID format. To verify this email was sent from you, simply open the attached email (.eml) file and click yes in the sender options box. Thank You, User Hello, Your email was received. YOUR REPLY IS URGENT! Please view the attached text file for instructions. Regards, User Hello, I was in a hurry and I forgot to attach an important document. Please see attached. Best Regards, User Hello, I resent this email as attachment because it was previously blocked by your email filters. Please read the attachment and respond. Thanks,User Hello, Sorry, I forgot to attach the new contact information. Please view the attached (.pdf) contact sheet. Sincerely, User
- Nazwa za艂膮cznika (wybierana z poni偶szych mo偶liwo艣ci):
about.doc ... .exe about.zip admin.doc ... .exe admin.zip archivator.doc ... .exe archivator.zip archives.doc ... .exe archives.zip ataches.doc ... .exe ataches.zip backup.doc ... .exe backup.zip docs.doc ... .exe docs.zip documentation.doc ... .exe documentation.zip help.doc ... .exe help.zip inbox.doc ... .exe inbox.zip manual.doc ... .exe manual.zip outbox.doc ... .exe outbox.zip payment.doc ... .exe payment.zip photos.doc ... .exe photos.zip rar.doc ... .exe rar.zip readme.doc ... .exe readme.zip save.doc ... .exe save.zip sqlssl.doc ... .exe zip.doc ... .exe zip.zip
Robak modyfikuje plik %System%driversetchosts wykorzystywany do t艂umaczenia nazw domenowych na adresy IP. Szkodnik dodaje do pliku hosts poni偶sze teksty, w wyniku czego u偶ytkownik zainfekowanego komputera nie ma mo偶liwo艣ci odwiedzania tych stron WWW:
127.0.0.1 ad.doubleclick.net 127.0.0.1 ad.fastclick.net 127.0.0.1 ads.fastclick.net 127.0.0.1 ar.atwola.com 127.0.0.1 atdmt.com 127.0.0.1 avp.ch 127.0.0.1 avp.com 127.0.0.1 avp.ru 127.0.0.1 awaps.net 127.0.0.1 banner.fastclick.net 127.0.0.1 banners.fastclick.net 127.0.0.1 ca.com 127.0.0.1 click.atdmt.com 127.0.0.1 clicks.atdmt.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 download.microsoft.com 127.0.0.1 downloads.microsoft.com 127.0.0.1 engine.awaps.net 127.0.0.1 fastclick.net 127.0.0.1 f-secure.com 127.0.0.1 ftp.f-secure.com 127.0.0.1 ftp.sophos.com 127.0.0.1 go.microsoft.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 mast.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 media.fastclick.net 127.0.0.1 msdn.microsoft.com 127.0.0.1 my-etrust.com 127.0.0.1 nai.com 127.0.0.1 networkassociates.com 127.0.0.1 office.microsoft.com 127.0.0.1 phx.corporate-ir.net 127.0.0.1 secure.nai.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 service1.symantec.com 127.0.0.1 sophos.com 127.0.0.1 spd.atdmt.com 127.0.0.1 support.microsoft.com 127.0.0.1 symantec.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 vil.nai.com 127.0.0.1 viruslist.ru 127.0.0.1 windowsupdate.microsoft.com 127.0.0.1 www.avp.ch 127.0.0.1 www.avp.com 127.0.0.1 www.avp.ru 127.0.0.1 www.awaps.net 127.0.0.1 www.ca.com 127.0.0.1 www.fastclick.net 127.0.0.1 www.f-secure.com 127.0.0.1 www.kaspersky.ru 127.0.0.1 www.mcafee.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.nai.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.sophos.com 127.0.0.1 www.symantec.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.viruslist.ru 127.0.0.1 www3.ca.com
Robak usuwa z rejestru systemowego klucze, kt贸rych nazwy zawieraj膮 nast臋puj膮ce teksty:
804mbd1.chk 804mbd1.img aboutplg.dll alert.zap appinit.ini apwcmdnt.dll apwutil.dll ashavast.exe ashbug.exe ashchest.exe ashdisp.exe ashldres.dll ashlogv.exe ashmaisv.exe ashpopwz.exe ashquick.exe ashserv.exe ashsimpl.exe ashskpcc.exe ashskpck.exe aswboot.exe aswregsvr.exe aswupdsv.exe avcompbr.dll avres.dll ootwarn.exe camupd.dll ccavmail.dll ccimscan.dll ccimscn.exe cerbprovider.pvx cfgwiz.exe cfgwzres.dll defalert.dll djsalert.dll dunzip32.dll edisk.dll email.zap emscnres.dll filter.zap firewall.zap framewrk.dll ftscnres.dll idlock.zap imscnbin.inf imscnres.inf ltchkres.dll mcappins.exe mcavtsub.dll mcinfo.exe mcmnhdlr.exe mcscan32.dll mcshield.dll mcshield.exe mcurial.dll mcvsctl.dll mcvsescn.exe mcvsftsn.exe mcvsmap.exe mcvsrte.exe mcvsscrp.dll mcvsshl.dll mcvsshld.exe mcvsskt.dll mcvsworm.dll mghtml.exe mpfagent.exe mpfconsole.exe mpfservice.exe mpftray.exe mpfui.dll mpfupdchk.dll mpfwizard.exe mvtx.exe 32call.dll 32exclu.dll aiann.dll aievent.dll avap32.dll avapscr.dll avapsvc.exe avapw32.dll avapw32.exe avcfgwz.dll avcomui.dll averror.dll avevent.dll avlcom.dll avlnch.dll avlogv.dll avlucbk.dll avntutl.dll avoptrf.dll avopts.dll avprod.dll avshext.dll avstats.dll avstub.exe avtasks.dll avtskwz.dll avui.dll avui.nsi avuihtm.dll avw32.exe avwnt.exe etbrext.dll tclient.dll oeheur.dll officeav.dll opscan.exe outscan.dll outscres.dll patch25d.dll patchw32.dll persfw.exe pfwadmin.exe probegse.dll programs.zap ptchinst.dll qconres.dll qconsole.exe qspak32.dll quar32.dll quarantine quaropts.dat s32integ.dll s32navo.dll savrt.sys savrt32.dll savrtpel.sys savscan.exe scan.dat scandlvr.dll scandres.dll scanmgr.dll scanserv.dll sched.exe scriptui.dll scrpres.dll scrpsbin.inf scrstres.inf sdpck32i.dll sdsnd32i.dll sdsok32i.dll sdstp32i.dll security.zap shextbin.inf shextres.inf shlres.dll ssleay32.dll statushp.dll symnavo.dll utorwiz.dll vsagntui.dll vsavpro.dll vsdb.dll vsmon.exe vsoui.dll vsoupd.dll vsowow.dll vsruledb.dll vsvault.dll wormres.dll zatutor.exe zauninst.exe zav.zap zl_priv.htm zlclient.exe zlparser.dll zonealarm.exe