Warnung vor Worm.Win32.Bagle.AF!

 Symptoms:

• Files:
  %SYSDIR%loader_name.exe
  %SYSDIR%loader_name.exeopen
  %SYSDIR%loader_name.exeopenopen
  where %SYSDIR% is Windows System directory (eg. C:WindowsSystem, C:WinNTSystem32)
  
• Registry key:
  HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  with the value:
  "reg_key"="%SYSDIR%loader_name.exe
  
• Port 1234 opened (see it using "netstat -a" at the command prompt)
  

Technical deion:
The worm comes by mail in the following form:

From: [spoofed]

Subject: one of the following:

• Re: Msg reply
  
• Re: Hello
  
• Re: Yahoo!
  
• Re: Thank you!
  
• Re: Thanks :)
  
• RE: Text message
  
• Re: Document
  
• Incoming message
  
• Re: Incoming Message
  
• RE: Incoming Msg
  
• RE: Message Notify
  
• Notification
  
• Changes..
  
• Update
  
• Fax Message
  
• Protected message
  
• RE: Protected message
  
• Forum notify
  
• Site changes
  
• Re: Hi
  
• Encrypted document

Attachment: has a .exe, .scr, .com, .zip, .vbs, .hta or .cpl extension and one of the following names:

• Information
  
• Details
  
• text_document
  
• Updates
  
• Readme
  
• Document
  
• Info
  
• Details
  
• MoreInfo
  
• Message
  
• Sources

Body text: may contain one or more of the following:

• Read the attach.
  
• Your file is attached.
  
• More info is in attach
  
• See attach.
  
• Please, have a look at the attached file.
  
• Your document is attached.
  
• Please, read the document.
  
• Attach tells everything.
  
• Attached file tells everything.
  
• Check attached file for details.
  
• Check attached file.
  
• Pay attention at the attach.
  
• See the attached file for details.
  
• Message is in attach
  
• Here is the file.
  
• For security reasons attached file is password protected. The password is [password]
  
• For security purposes the attached file is password protected. Password -- [password]
  
• Note: Use password [password] to open archive.
  
• Attached file is protected with the password for security reasons. Password is [password]
  
• In order to read the attach you have to use the following password: [password]
  
• Archive password: [password]
  
• Password - [password]
  
• Password: [password]

When ran, the worm displays a fake error message:

Can't find a viewer associated with the file

and creates one of the following mutexes:

• |MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
  
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  
• [SkyNet.cz]SystemsMutex
  
• AdmSkynetJklS003
  
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

then creates the following files:

• %SYSDIR%loader_name.exe -- worm executable file
  where %SYSDIR% is Windows System directory (eg. C:WindowsSystem, C:WinNTSystem32)
  
• %SYSDIR%loader_name.exeopen -- worm copy with some garbage appended
  
• %SYSDIR%loader_name.exeopenopen -- worm zipped (may be password protected)

and creates the registry key:

• HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  with the value:
  "reg_key"="%SYSDIR%loader_name.exe

The key above is created ten times per second, so deleting it will not help unless the process (loader_name.exe) is killed.

The worm tries to remove the following registry keys:

• HKCUSoftwareMicrosoftWindowsMy AV
  
• HKCUSoftwareMicrosoftWindowsone Labs Client Ex
  
• HKCUSoftwareMicrosoftWindows9XHtProtect
  
• HKCUSoftwareMicrosoftWindowsAntivirus
  
• HKCUSoftwareMicrosoftWindowsSpecial Firewall Service
  
• HKCUSoftwareMicrosoftWindowsservice
  
• HKCUSoftwareMicrosoftWindowsTiny AV
  
• HKCUSoftwareMicrosoftWindowsICQNet
  
• HKCUSoftwareMicrosoftWindowsHtProtect
  
• HKCUSoftwareMicrosoftWindowsNetDy
  
• HKCUSoftwareMicrosoftWindowsJammer2nd
  
• HKCUSoftwareMicrosoftWindowsFirewallSvr
  
• HKCUSoftwareMicrosoftWindowsMsInfo
  
• HKCUSoftwareMicrosoftWindowsSysMonXP
  
• HKCUSoftwareMicrosoftWindowsEasyAV
  
• HKCUSoftwareMicrosoftWindowsPandaAVEngine
  
• HKCUSoftwareMicrosoftWindowsNorton Antivirus AV
  
• HKCUSoftwareMicrosoftWindowsKasperskyAVEng
  
• HKCUSoftwareMicrosoftWindowsSkynetsRevenge
  
• HKCUSoftwareMicrosoftWindowsICQ Net

To mail itself, the worm searches the local hard-disk for e-mail addresses inside files with the following extensions:

.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

and uses its own SMTP engine to resolve the target mail server and to send mail to it, skipping e-mail addresses that contain:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@.

Also the worm copies itself to directories that have shar in their names (for instance the P2P shared folders) with one of the following names:

• Microsoft Office 2003 Crack, Working!.exe
  
• Microsoft Windows XP, WinXP Crack, working Keygen.exe
  
• Microsoft Office XP working Crack, Keygen.exe
  
• Porno, sex, oral, anal cool, awesome!!.exe
  
• Porno Screensaver.scr
  
• Serials.txt.exe
  
• KAV 5.0
  
• Kaspersky Antivirus 5.0
  
• Porno pics arhive, xxx.exe
  
• Windows Sourcecode update.doc.exe
  
• Ahead Nero 7.exe
  
• Windown Longhorn Beta Leak.exe
  
• Opera 8 New!.exe
  
• XXX hardcore images.exe
  
• WinAmp 6 New!.exe
  
• WinAmp 5 Pro Keygen Crack Update.exe
  
• Adobe Photoshop 9 full.exe
  
• Matrix 3 Revolution English Subtitles.exe
  
• ACDSee 9.exe

The worm also runs as backdoor on port 1234.

Source: BitDefender VirusInfo