W32/Bagle.i@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT

4331 (2004-03-02)

Updated DAT

4331 (2004-03-02)

Minimum Engine

5.1.00

File Length

Varies

Description Added

2004-03-02

Description Modified

2004-03-03

Malware Proliferation

Characteristics

This variant of W32/Bagle is functionally similar to the .F variant. It bears the following characteristics:

The virus copies itself into the Windows System directory as I11R54N4.EXE. For example:
- C:\WINNT\SYSTEM32\i11r54n4.exe (21,212 bytes)
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run
  "rate.exe" = C:\WINNT\SYSTEM32\i11r54n4.exe
The following Registry key is also added:
- HKEY_CURRENT_USER\Software\Windor
It also creates other files in the Windows Systemdirectory to perform its functions:
- go154o.exe (19,968 bytes) - DLL to perform mailing
- i1i5n1j4.exe (1,536 bytes) - DLL loader
- i11r54n4.exeopen (21,348 bytes) - ZIP file, that is sent via email
Like its predecessors, this worm checks the system date. If it is the 25th March 2005 or later, the worm simply exits and does not propagate.
The worm uses the following icon, to make it appear that the file is a folder:
The worm opens port 2745 (TCP) on the victim machine

Mail Propagation

Messages are constructed as follows:

From : (address is spoofed)
Subject :

^_^ meay-meay!

^_^ mew-mew (-:

Weah, hello! :-)

Weeeeee! ;)))

Hi! :-)

ello! =))

Hey, ya! =))

Body Text:

Hey, dude, it's me ^_^ :P

Argh, i don't like the plaintext :)

You have won!!!

The access is open !!!

Attachment: password-protected ZIP archive. File within ZIP has random name. The password is included in the message body:

archive password: %password%
password: %password%
pass: %password%
password - - %password %
%password % - - archive password
... btw, %password% is a password for archive
password for archive %password%

Symptoms

Port 2745 (TCP) open on the victim machine

Outgoing messages matching the described characteristics

Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

.adb
.asp
.cfg
.dbx
.eml
.htm
.mdx
.mmf
.nch
.ods
.php
.pl
.sht
.tbb
.txt
.wab
.xml

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following:

@avp.
@hotmail.com
@microsoft
@msn.com
local
noreply
postmaster@
root@

Remote Access Component

The virus listens on TCP port 2745 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites. At the time of this writing this script is inaccessible. The websites are contacted every 27.8 hours.

http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.maiklibis.de/scr.php

The format of the HTTP packets sent to the above websites is :-

GET /scr.php?p=2745 HTTP/1.1

Peer To Peer Propagation

Files are created in folders that contain the phrase shar :

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

Removal

All Users :
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the files following from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
i11r54n4.exe
go154o.exe
i1i5n1j4.exe
i11r54n4.exeopen
Edit the registry
- Delete the "rate.exe" value from
  - HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
- Delete the following key for W32/Bagle.h@MM:
  - HKEY_CURRENT_USER\Software\Winexe
- Delete the following key for W32/Bagle.i@MM :
  - HKEY_CURRENT_USER\Software\Windor
Reboot the system into Default Mode

McAfee Threatscan:

Detection of the W32/Bagle.h@MM variant is provided in the W32/Bagle.e@MM signature release.

ThreatScan Signature version: 2004-03-01

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4068

ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

-Select TCP Port scan
-Enter port: 2745

McAfee Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2745.

Threat Detail