Email-Worm.Win32.Bagz.f

This worm spreads over the Internet as an attachment to infected e-mail messages. It is a PE EXE file of 70,145 bytes (UPX-compressed; about 111 KB when unpacked).

Installation

Once launched, the worm copies itself to the Windows\System folder under the following names:

sysinfo32.exe
trace32.exe
sqlssl.doc ... .exe

The worm runs as a Windows service named Secure SSL. To do so, it creates the following key in the system registry:

[HKLM\System\CurrentControlSet\Services\ALEXORA]

Propagation via e-mail

Addresses of potential victims are harvested from the system address book and from files with the following extensions:

.TBB
.tbb 
.TBI 
.tbi 
.DBX 
.dbx 
.HTM 
.htm 
.TXT 
.txt

To send messages, the worm connects directly to the recipient's SMTP server.

The worm does not send copies of itself to addresses containing the following strings:

@avp
@foo
@iana
@messagelab
@microsoft
abuse
admin
administrator@
all@
anyone@
bsd
bugs@
cafee
certific
certs@
contact@
contract@
feste
free-av
f-secur
gold-
gold-certs@
google
help@
hostmaster@
icrosoft
info@
kasp
linux
listserv
local
netadmin@
news
nobody@
noone@
noreply
ntivi
oocies
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
support@
unix
update
webmaster@
winrar
winzip
Characteristics of infected e-mail messages

  • Subject (chosen from the following):
    ASAP 
    Administrator 
    Allert! 
    Amirecans 
    Att 
    attach 
    attachments 
    best regards 
    contract 
    Have a nice day 
    Hello 
    Money 
    office 
    please responce 
    re: Andrey 
    re: order 
    re: please 
    Read this 
    Russian's 
    text 
    toxic 
    urgent 
    Vasia 
    waiting 
    Warning
    
  • Body (chosen from the following):
    Hi
    Did you get the previous document I attached for you?
    I resent it in this email just in case, because 
    I really need you to check it out asap.
    Best Regards
    
    Hi
    I made a mistake and forgot to click attach on the 
    previous email I sent you.
    Please give me your opinion on this opportunity 
    when you get a chance.
    Best Regards
    
    Hi
    I was supposed to send you this document yesterday.
    Sorry for the delay, please forward this to your 
    family if possible.
    It contains important info for both of you.
    
    Hi
    Sorry, I forgot to send an important document to 
    you in that last email. I had an important phone call.
    Please checkout attached doc file when you have a moment.
    Best Regards
    
    Hi
    I was in a rush and I forgot to attach an important document.
    Please see attached doc file.
    Best Regards,
    
    Sorry to bother you, but I am having a problem receiving 
    your emails.
    I am responding to your last email in the attached file.
    Please get back to me if there is any problem reading 
    the attachment.
    
    I am responding to your last email in the attached file.
    I had a delivery problem with your inbox, so maybe 
    you'll receive this now.
    
    Can you please check out the email I have attached?
    For some reason, I received only part of your last 
    several emails.
    I want to make sure that there are no problems with 
    either of our accounts.
    
    This email is being sent as attachment because it was 
    previously blocked by your email filters.
    Please view the attachment and respond.
    Thanks
    
    I resent this email as attachment because it was 
    previously blocked by your email filters.
    Please read the attachment and respond.
    Thanks
    
    I apologize, but I need you to verify that I have 
    the correct contact info for you.
    My system crashed last weekend and I lost most of 
    my friends and work contacts.
    Please check the attached (.pdf) and please let 
    me know if your info is current.
    
    My last email to you was returned.
    The reason is that I am not currently added to 
    your “allowed” contact list.
    Please add my updated contact info provided in 
    the attached (.pdf) file
    so I can send you emails in the future.
    Sincerely
    
    I have updated my email address
    See the (.pdf) file attached and please respond 
    if you have any questions.
    
    We have made recent updates to our database.
    Please verify your mailing address on file is correct.
    We have attached a (.pdf) sheet for you to use 
    for your response.
    
    Hello
    Our contact information has changed.
    See the attached (.pdf) sheet for details.
    Sincerely,
    
    ***URGENT: SERVICE SHUTDOWN NOTICE***
    Due to your failure to comply with our email 
    Rules and Regulations, your email account has 
    been temporarily suspended for 24 hours
    unless we are contacted regarding this situation.
    You must read the attached document for further 
    instructions.
    Failure to comply will result in termination 
    of your account.
    Regards,
    Net Operator
    ***URGENT: SERVICE SHUTDOWN NOTICE***
    
    ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
    You are currently unable to send emails.
    This may be a billing issue.
    Please call the billing center.
    The # for the billing office is located in the 
    attached contact list for your convenience.
    ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
    
    ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
    Hello,
    The previous email you sent has been recognized as spam.
    This means your email was not delivered to your 
    friend or client.
    You must open the attached file to receive 
    more information.
    ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
    
    Hello,
    What version of windows you are using?
    This last document I received from you came out weird.
    Please see the attached word file and resend 
    the file to me.
    Many thanks,
    User
    
    Hello,
    My PC crashed while I was sending that last email.
    I have re-attached the document of yours 
    that I discovered.
    Please read attached document and respond ASAP.
    Sincerely,
    User
    
    Hello,
    Your email was sent in an INVALID format.
    To verify this email was sent from you, 
    simply open the attached email (.eml) file
    and click yes in the sender options box.
    Thank You,
    User
    
    Hello,
    Your email was received.
    YOUR REPLY IS URGENT!
    Please view the attached text file for instructions.
    Regards,
    User
    
    Hello,
    I was in a hurry and I forgot to attach 
    an important document.
    Please see attached.
    Best Regards,
    User
    
    Hello,
    I resent this email as attachment because it 
    was previously blocked by your email filters.
    Please read the attachment and respond.
    Thanks,User
    
    Hello,
    Sorry, I forgot to attach the new contact information.
    Please view the attached (.pdf) contact sheet.
    Sincerely, User
    
  • Attachment name (chosen from the following):
    about.doc ... .exe 
    about.zip 
    admin.doc ... .exe 
    admin.zip 
    archivator.doc ... .exe 
    archivator.zip 
    archives.doc ... .exe 
    archives.zip 
    ataches.doc ... .exe 
    ataches.zip 
    backup.doc ... .exe 
    backup.zip 
    docs.doc ... .exe 
    docs.zip 
    documentation.doc ... .exe 
    documentation.zip 
    help.doc ... .exe 
    help.zip 
    inbox.doc ... .exe 
    inbox.zip 
    manual.doc ... .exe 
    manual.zip 
    outbox.doc ... .exe 
    outbox.zip 
    payment.doc ... .exe 
    payment.zip 
    photos.doc ... .exe 
    photos.zip 
    rar.doc ... .exe 
    rar.zip 
    readme.doc ... .exe 
    readme.zip 
    save.doc ... .exe 
    save.zip
    sqlssl.doc ... .exe 
    zip.doc ... .exe 
    zip.zip
    

Payload

The worm modifies the file %System%\drivers\etc\hosts, which is used to resolve domain names to IP addresses. It appends the entries below to the hosts file, so that the user of the infected computer can no longer reach these web sites:

127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com
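As an added defensive check, not part of this description: the function below parses a hosts file and reports entries that point AV-vendor or update domains (a subset of the list above serves as the watchlist) at a loopback or unspecified address, while leaving the legitimate localhost line alone. The sample hosts file is constructed, and the watchlist suffixes and function names are this example's own choices.

```python
import ipaddress
import re

# Suffixes of the AV-vendor and update domains from the list above (a subset);
# "liveupdate.symantec.com" is caught through its parent "symantec.com".
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "nai.com", "sophos.com", "f-secure.com",
    "kaspersky.ru", "avp.com", "avp.ru", "viruslist.ru", "trendmicro.com",
    "windowsupdate.microsoft.com", "download.microsoft.com", "support.microsoft.com",
)
# Names that legitimately resolve to loopback and must never be flagged.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost"}

def is_sinkhole(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed address field; leave it to a syntax checker
        return False
    return ip.is_loopback or ip.is_unspecified  # 127.0.0.1, ::1, 0.0.0.0

def is_watched(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_hijacked_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """(line number, address, hostname) for each entry that sinkholes a watched domain."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = re.split(r"\s+", raw.split("#", 1)[0].strip())  # drop comment, tokenize
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:
            if name.lower() not in LEGIT_LOOPBACK and is_watched(name):
                hits.append((n, fields[0], name))
    return hits

# Constructed sample hosts file: the stock header and localhost line, then entries
# of the kind the worm appends, and one non-loopback line that must be ignored.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
0.0.0.0 www.kaspersky.ru
192.0.2.10 update.symantec.com
"""
```

Calling find_hijacked_entries(SAMPLE_HOSTS) reports lines 3, 4 and 5 only; the localhost line and the 192.0.2.10 line are not flagged.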

The worm deletes from the system registry any keys whose names contain the following strings:

804mbd1.chk
804mbd1.img
aboutplg.dll
alert.zap
appinit.ini
apwcmdnt.dll
apwutil.dll
ashavast.exe
ashbug.exe
ashchest.exe
ashdisp.exe
ashldres.dll
ashlogv.exe
ashmaisv.exe
ashpopwz.exe
ashquick.exe
ashserv.exe
ashsimpl.exe
ashskpcc.exe
ashskpck.exe
aswboot.exe
aswregsvr.exe
aswupdsv.exe
avcompbr.dll
avres.dll
bootwarn.exe
camupd.dll
ccavmail.dll
ccimscan.dll
ccimscn.exe
cerbprovider.pvx
cfgwiz.exe
cfgwzres.dll
defalert.dll
djsalert.dll
dunzip32.dll
edisk.dll
email.zap
emscnres.dll
filter.zap
firewall.zap
framewrk.dll
ftscnres.dll
idlock.zap
imscnbin.inf
imscnres.inf
ltchkres.dll
mcappins.exe
mcavtsub.dll
mcinfo.exe
mcmnhdlr.exe
mcscan32.dll
mcshield.dll
mcshield.exe
mcurial.dll
mcvsctl.dll
mcvsescn.exe
mcvsftsn.exe
mcvsmap.exe
mcvsrte.exe
mcvsscrp.dll
mcvsshl.dll
mcvsshld.exe
mcvsskt.dll
mcvsworm.dll
mghtml.exe
mpfagent.exe
mpfconsole.exe
mpfservice.exe
mpftray.exe
mpfui.dll
mpfupdchk.dll
mpfwizard.exe
mvtx.exe
n32call.dll
n32exclu.dll
naiann.dll
naievent.dll
navap32.dll
navapscr.dll
navapsvc.exe
navapw32.dll
navapw32.exe
navcfgwz.dll
navcomui.dll
naverror.dll
navevent.dll
navlcom.dll
navlnch.dll
navlogv.dll
navlucbk.dll
navntutl.dll
navoptrf.dll
navopts.dll
navprod.dll
navshext.dll
navstats.dll
navstub.exe
navtasks.dll
navtskwz.dll
navui.dll
navui.nsi
navuihtm.dll
navw32.exe
navwnt.exe
netbrext.dll
ntclient.dll
oeheur.dll
officeav.dll
opscan.exe
outscan.dll
outscres.dll
patch25d.dll
patchw32.dll
persfw.exe
pfwadmin.exe
probegse.dll
programs.zap
ptchinst.dll
qconres.dll
qconsole.exe
qspak32.dll
quar32.dll
quarantine
quaropts.dat
s32integ.dll
s32navo.dll
savrt.sys
savrt32.dll
savrtpel.sys
savscan.exe
scan.dat
scandlvr.dll
scandres.dll
scanmgr.dll
scanserv.dll
sched.exe
scriptui.dll
scrpres.dll
scrpsbin.inf
scrstres.inf
sdpck32i.dll
sdsnd32i.dll
sdsok32i.dll
sdstp32i.dll
security.zap
shextbin.inf
shextres.inf
shlres.dll
ssleay32.dll
statushp.dll
symnavo.dll
tutorwiz.dll
vsagntui.dll
vsavpro.dll
vsdb.dll
vsmon.exe
vsoui.dll
vsoupd.dll
vsowow.dll
vsruledb.dll
vsvault.dll
wormres.dll
zatutor.exe
zauninst.exe
zav.zap
zl_priv.htm
zlclient.exe
zlparser.dll
zonealarm.exe

Other names

I-Worm.Bagz.f (Kaspersky Lab), W32/Bagz!dload (McAfee), W32.Bagz.F@mm (Symantec), Win32.HLLM.Bagz (Doctor Web), W32/Bagz-E (Sophos), Win32/Bagz.E@mm (RAV), WORM_BAGZ.E (Trend Micro), Worm/Bagz.E.2 (H+BEDV), W32/Bagz.F@mm (FRISK), Win32:Bagz-E (ALWIL), I-Worm/Bagz.I (Grisoft), Win32.Bagz.F@mm (SOFTWIN), Worm.Bagz.E-dwl (ClamAV), W32/Bagz.G.worm (Panda), Win32/Bagz.F (Eset)