W32/Bagle.fb@MM

This page shows details and results of our analysis of the malware W32/Bagle.fb@MM.

Overview

-- Update June 21, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195282,00.html

This is a mass-mailing virus that spreads in a password-protected ZIP file. Along with the ZIP file, an image containing the password for the ZIP is also attached to infectious messages. Users must take that password, use it to open the ZIP file and then manually execute the .EXE file within. That EXE file is proactively detected as New Malware.b with released DAT files. The same virus variant exists in packed form. That package is proactively detected as W32/Bagle.dldr with released DAT files.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2006-06-20

Description Modified

2006-06-21

Malware Proliferation

Characteristics

- Update 6/20/2006 -
This Bagle variant has been discovered in packed and never-packed forms today. The never-packed version is proactively detected as W32/Bagle.dldr.


This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment is a password-protected zip file, with the password included in the message body.
  • disables security applications
  • drops a rootkit

Mail Propagation

The details are as follows:

From: (address is spoofed)
Subject: one of the following

  • Ales
  • Alice
  • Alyce
  • Andrew
  • Androw
  • Androwe
  • Ann
  • Anna
  • Anne
  • Annes
  • Anthonie
  • Anthony
  • Anthonye
  • Avice
  • Avis
  • Bennet
  • Bennett
  • Christean
  • Christian
  • Constance
  • Cybil
  • Daniel
  • Danyell
  • Dorithie
  • Dorothee
  • Dorothy
  • Edmond
  • Edmonde
  • Edmund
  • Edward
  • Edwarde
  • Elizabeth
  • Elizabethe
  • Ellen
  • Ellyn
  • Emanual
  • Emanuell
  • Ester
  • Frances
  • Francis
  • Fraunces
  • Gabriell
  • Geoffraie
  • George
  • Grace
  • Harry
  • Harrye
  • Henrie
  • Henry
  • Henrye
  • Hughe
  • Humphrey
  • Humphrie
  • I love you
  • Isabel
  • Isabell
  • James
  • Jane
  • Jeames
  • Jeffrey
  • Jeffrye
  • Joane
  • Johen
  • John
  • Josias
  • Judeth
  • Judith
  • Judithe
  • Katherine
  • Katheryne
  • Leonard
  • Leonarde
  • Margaret
  • Margarett
  • Margerie
  • Margerye
  • Margret
  • Margrett
  • Marie
  • Martha
  • Mary
  • Marye
  • Michael
  • Mychaell
  • Nathaniel
  • Nathaniell
  • Nathanyell
  • Nicholas
  • Nicholaus
  • Nycholas
  • Peter
  • Ralph
  • Rebecka
  • Richard
  • Richarde
  • Robert
  • Roberte
  • Roger
  • Rose
  • Rycharde
  • Samuell
  • Sara
  • Sidney
  • Sindony
  • Stephen
  • Susan
  • Susanna
  • Suzanna
  • Sybyll
  • Syndony
  • Thomas
  • To the beloved
  • Valentyne
  • William
  • Winifred
  • Wynefrede
  • Wynefreed
  • Wynnefreede

Body Text:

  • The password is
  • Password --
  • Use password
  • Password is
  • Zip password:
  • archive password:
  • Password -
  • Password:

These are all followed by the image from the included GIF file.

It may also include one of the following two additional phrases, before the password:

  • To the beloved
  • I love you

Attachment: one of the following ZIP files (each contains a randomly named EXE and GIF file)

  • Ales.zip
  • Alice.zip
  • Alyce.zip
  • Andrew.zip
  • Androw.zip
  • Androwe.zip
  • Ann.zip
  • Anna.zip
  • Anne.zip
  • Annes.zip
  • Anthonie.zip
  • Anthony.zip
  • Anthonye.zip
  • Avice.zip
  • Avis.zip
  • Bennet.zip
  • Bennett.zip
  • Christean.zip
  • Christian.zip
  • Constance.zip
  • Cybil.zip
  • Daniel.zip
  • Danyell.zip
  • Dorithie.zip
  • Dorothee.zip
  • Dorothy.zip
  • Edmond.zip
  • Edmonde.zip
  • Edmund.zip
  • Edward.zip
  • Edwarde.zip
  • Elizabeth.zip
  • Elizabethe.zip
  • Ellen.zip
  • Ellyn.zip
  • Emanual.zip
  • Emanuel.zip
  • Emanuell.zip
  • Ester.zip
  • Frances.zip
  • Francis.zip
  • Fraunces.zip
  • Gabriell.zip
  • Geoffraie.zip
  • George.zip
  • Grace.zip
  • Harry.zip
  • Harrye.zip
  • Henrie.zip
  • Henry.zip
  • Henrye.zip
  • Hughe.zip
  • Humphrey.zip
  • Humphrie.zip
  • Isabel.zip
  • Isabell.zip
  • James.zip
  • Jane.zip
  • Jeames.zip
  • Jeffrey.zip
  • Jeffrye.zip
  • Joane.zip
  • Johen.zip
  • John.zip
  • Josias.zip
  • Judeth.zip
  • Judith.zip
  • Judithe.zip
  • Katherine.zip
  • Katheryne.zip
  • Leonard.zip
  • Leonarde.zip
  • Margaret.zip
  • Margarett.zip
  • Margerie.zip
  • Margerye.zip
  • Margret.zip
  • Margrett.zip
  • Marie.zip
  • Martha.zip
  • Mary.zip
  • Marye.zip
  • Michael.zip
  • Mychaell.zip
  • Nathaniel.zip
  • Nathaniell.zip
  • Nathanyell.zip
  • Nicholas.zip
  • Nicholaus.zip
  • Nycholas.zip
  • Peter.zip
  • Ralph.zip
  • Rebecka.zip
  • Richard.zip
  • Richarde.zip
  • Robert.zip
  • Roberte.zip
  • Roger.zip
  • Rose.zip
  • Rycharde.zip
  • Samuell.zip
  • Sara.zip
  • Sidney.zip
  • Sindony.zip
  • Stephen.zip
  • Susan.zip
  • Susanna.zip
  • Suzanna.zip
  • Sybell.zip
  • Sybyll.zip
  • Syndony.zip
  • Thomas.zip
  • Valentyne.zip
  • William.zip
  • Winifred.zip
  • Wynefrede.zip
  • Wynefreed.zip
  • Wynnefreede.zip
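As an added example (not code from the original description), the following Python check scores an inbound message against the traits described above: a subject drawn from the name list, a password phrase in the body, an attached GIF, and a password-protected ZIP holding an .exe. It relies on the fact that member names and the encryption flag sit in cleartext in the ZIP central directory, so no password is needed to inspect the archive; the sample message, file names and file contents are constructed, and only a subset of the page's name and phrase lists is included.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subset of the subject/attachment names and body phrases listed on this page.
SUBJECT_NAMES = {"Ales", "Alice", "Andrew", "Elizabeth", "Thomas", "I love you", "To the beloved"}
PASSWORD_PHRASES = ("The password is", "Password --", "Use password", "Password is",
                    "Zip password:", "archive password:", "Password -", "Password:")

def zip_members_without_password(blob: bytes):
    """Return (member names, encrypted?) from the central directory. Names, sizes and the
    'encrypted' bit are cleartext even in a password-protected ZIP, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)

def score_message(raw: bytes) -> dict:
    """Check one raw RFC 822 message against the traits described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    f = {"subject_is_name": subject in SUBJECT_NAMES,
         "body_has_password_phrase": any(p in text for p in PASSWORD_PHRASES),
         "gif_attached": False, "encrypted_zip_with_exe": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".gif"):
            f["gif_attached"] = True
        elif name.endswith(".zip"):
            try:
                members, enc = zip_members_without_password(part.get_payload(decode=True))
            except zipfile.BadZipFile:
                continue  # malformed archive: not this layout, but worth a rule of its own
            if enc and any(m.lower().endswith(".exe") for m in members):
                f["encrypted_zip_with_exe"] = True
    # The encrypted ZIP holding an EXE is the core trait; the GIF or password phrase confirms it.
    hit = f["encrypted_zip_with_exe"] and (f["gif_attached"] or f["body_has_password_phrase"])
    f["verdict"] = "bagle-like" if hit else "clean"
    return f

def _mark_encrypted(blob: bytes) -> bytes:
    """Set the 'encrypted' flag bit in each local (offset 6) and central (offset 8) header.
    Only for the constructed sample: the data stays unencrypted, the detector never opens members."""
    out = bytearray(blob)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] |= 0x01
            pos = out.find(sig, pos + 4)
    return bytes(out)

def build_sample_message(encrypted: bool = True) -> bytes:
    """Constructed sample laid out like the described mail (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("xk7q.exe", b"MZ placeholder, not a real binary")  # randomly named EXE
        zf.writestr("xk7q.gif", b"GIF89a placeholder")                 # randomly named GIF
    zip_blob = _mark_encrypted(buf.getvalue()) if encrypted else buf.getvalue()
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"  # the worm puts a harvested address here
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Elizabeth"
    msg.set_content("Password:\n")  # the password itself follows as the GIF image
    msg.add_attachment(b"GIF89a placeholder", maintype="image", subtype="gif", filename="pw.gif")
    msg.add_attachment(zip_blob, maintype="application", subtype="zip", filename="Elizabeth.zip")
    return bytes(msg)
```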

The virus copies itself as HIDN.EXE to the following directory:

  • C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

It also drops a rootkit driver that hides directories (and all files within them) whose names contain the word "shared":

  • C:\Documents and Settings\%User%\Application Data\hidn\m_hook.sys (15360 bytes)

It also creates a copy of its ZIP file locally, and a fake error message:

  • C:\temp.zip
  • C:\error.gif

The error message appears as follows

A registry key is created to run itself again upon system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "drv_st_key" = C:\Documents and Settings\%User%\Application Data\hidn\hidn.exe

Additionally, the following Registry keys are added:

  • HKEY_CURRENT_USER\Software\firstruxzx\firstrun="1"

It deletes the following registry key to disable Safe Boot:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot

This worm attempts to terminate services of security programs with the following names:

  • wuauserv
  • Aavmker4
  • ABVPN2K
  • ADBLOCK.DLL
  • ADFirewall
  • AFWMCL
  • Ahnlab task Scheduler
  • alerter
  • AlertManger
  • AntiVir Service
  • AntiyFirewall
  • ARP.DLL
  • aswMon2
  • aswRdr
  • aswTdi
  • aswUpdSv
  • Ati HotKey Poller
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • AVEService
  • AVExch32Service
  • AvFlt
  • Avg7Alrt
  • Avg7Core
  • Avg7RsW
  • Avg7RsXP
  • Avg7UpdSvc
  • AvgCore
  • AvgFsh
  • AVGFwSrv
  • AvgFwSvr
  • AvgServ
  • AvgTdi
  • AVIRAMailService
  • AVIRAService
  • avpcc
  • AVUPDService
  • AVWUpSrv
  • AvxIni
  • awhost32
  • backweb client - 4476822
  • BackWeb Client - 7681197
  • backweb client-4476822
  • Bdfndisf
  • bdftdif
  • bdss
  • BlackICE
  • BsFileSpy
  • BsFirewall
  • BsMailProxy
  • CAISafe
  • ccEvtMgr
  • ccPwdSvc
  • ccSetMgr
  • ccSetMgr.exe
  • CONTENT.DLL
  • DefWatch
  • DNSCACHE.DLL
  • drwebnet
  • dvpapi
  • dvpinit
  • ewido security suite control
  • ewido security suite driver
  • ewido security suite guard
  • F-Prot Antivirus Update Monitor
  • F-Secure Gatekeeper Handler Starter
  • firewall
  • fsbwsys
  • FSDFWD
  • FSFW
  • FSMA
  • FTPFILT.DLL
  • FwcAgent
  • fwdrv
  • Guard NT
  • HSnSFW
  • HSnSPro
  • HTMLFILT.DLL
  • HTTPFILT.DLL
  • IMAPFILT.DLL
  • InoRPC
  • InoRT
  • InoTask
  • Ip6Fw
  • Ip6FwHlp
  • KAVMonitorService
  • KAVSvc
  • KLBLMain
  • KPfwSvc
  • KWatch3
  • KWatchSvc
  • MAILFILT.DLL
  • McAfee Firewall
  • McAfeeFramework
  • McShield
  • McTaskManager
  • mcupdmgr.exe
  • MCVSRte
  • Microsoft NetWork FireWall Services
  • MonSvcNT
  • MpfService
  • navapsvc
  • Ndisuio
  • NDIS_RD
  • Network Associates Log Service
  • nipsvc
  • NISSERV
  • NISUM
  • NNTPFILT.DLL
  • NOD32ControlCenter
  • NOD32krn
  • NOD32Service
  • Norman NJeeves
  • Norman Type-R
  • Norman ZANDA
  • Norton AntiVirus Server
  • NPDriver
  • NPFMntor
  • NProtectService
  • NSCTOP
  • nvcoas
  • NVCScheduler
  • nwclntc
  • nwclntd
  • nwclnte
  • nwclntf
  • nwclntg
  • nwclnth
  • NWService
  • OfcPfwSvc
  • Outbreak Manager
  • Outpost Firewall
  • OutpostFirewall
  • PASSRV
  • PAVAGENTE
  • PavAtScheduler
  • PAVDRV
  • PAVFIRES
  • PAVFNSVR
  • Pavkre
  • PavProc
  • PavProt
  • PavPrSrv
  • PavReport
  • PAVSRV
  • PCCPFW
  • PCC_PFW
  • PersFW
  • Personal Firewall
  • POP3FILT.DLL
  • PREVSRV
  • PROTECT.DLL
  • PSIMSVC
  • qhwscsvc
  • wscsvc
  • Quick Heal Online Protection
  • ravmon8
  • RfwService
  • SAVFMSE
  • SAVScan
  • SBService
  • schscnt
  • SECRET.DLL
  • SharedAccess
  • SmcService
  • SNDSrvc
  • SPBBCSvc
  • SpiderNT
  • SweepNet
  • SWEEPSRV.SYS
  • Symantec AntiVirus Client
  • Symantec Core LC
  • The_Hacker_Antivirus
  • Tmntsrv
  • TmPfw
  • tmproxy
  • tmtdi
  • tm_cfw
  • T_H_S_M
  • V3MonNT
  • V3MonSvc
  • Vba32ECM
  • Vba32ifs
  • Vba32Ldr
  • Vba32PP3
  • VBCompManService
  • VexiraAntivirus
  • VFILT
  • VisNetic AntiVirus Plug-in
  • vrfwsvc
  • vsmon
  • VSSERV
  • WinAntivirus
  • WinRoute
  • xcomm

The worm uses the following list to stop running processes:

  • a2guard.exe
  • aavshield.exe
  • AckWin32.exe
  • ADVCHK.EXE
  • AhnSD.exe
  • airdefense.exe
  • ALERTSVC.EXE
  • ALMon.exe
  • ALOGSERV.EXE
  • ALsvc.exe
  • amon.exe
  • Anti-Trojan.exe
  • AntiVirScheduler
  • AntiVirService
  • ANTS.EXE
  • APVXDWIN.EXE
  • Armor2net.exe
  • ashAvast.exe
  • ashDisp.exe
  • ashEnhcd.exe
  • ashMaiSv.exe
  • ashPopWz.exe
  • ashServ.exe
  • ashSimpl.exe
  • ashSkPck.exe
  • ashWebSv.exe
  • aswUpdSv.exe
  • ATCON.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • avciman.exe
  • Avconsol.exe
  • AVENGINE.EXE
  • avgamsvr.exe
  • avgcc.exe
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • avgemc.exe
  • avgfwsrv.exe
  • AVGNT.EXE
  • avgntdd
  • avgntmgr
  • AVGSERV.EXE
  • AVGUARD.EXE
  • avgupsvc.exe
  • avinitnt.exe
  • AvkServ.exe
  • AVKService.exe
  • AVKWCtl.exe
  • AVP.EXE
  • AVP32.EXE
  • avpcc.exe
  • avpm.exe
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • avsynmgr.exe
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • BackWeb-4476822.exe
  • bdmcon.exe
  • bdnews.exe
  • bdoesrv.exe
  • bdss.exe
  • bdsubmit.exe
  • bdswitch.exe
  • blackd.exe
  • blackice.exe
  • cafix.exe
  • ccApp.exe
  • ccEvtMgr.exe
  • ccProxy.exe
  • ccSetMgr.exe
  • CFIAUDIT.EXE
  • ClamTray.exe
  • ClamWin.exe
  • Claw95.exe
  • Claw95cf.exe
  • cleaner.exe
  • cleaner3.exe
  • CliSvc.exe
  • CMGrdian.exe
  • cpd.exe
  • DefWatch.exe
  • DOORS.EXE
  • DrVirus.exe
  • drwadins.exe
  • drweb32w.exe
  • drwebscd.exe
  • DRWEBUPW.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ewidoctrl.exe
  • EzAntivirusRegistrationCheck.exe
  • F-AGNT95.EXE
  • F-PROT95.EXE
  • F-Sched.exe
  • F-StopW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FireSvc.exe
  • FireTray.exe
  • FIREWALL.EXE
  • fpavupdm.exe
  • freshclam.exe
  • FRW.EXE
  • fsav32.exe
  • fsavgui.exe
  • fsbwsys.exe
  • fsdfwd.exe
  • FSGK32.EXE
  • fsgk32st.exe
  • fsguiexe.exe
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • fspex.exe
  • fssm32.exe
  • gcasDtServ.exe
  • gcasServ.exe
  • GIANTAntiSpywareMain.exe
  • GIANTAntiSpywareUpdater.exe
  • GUARD.EXE
  • GUARDGUI.EXE
  • GuardNT.exe
  • HRegMon.exe
  • Hrres.exe
  • HSockPE.exe
  • HUpdate.EXE
  • iamapp.exe
  • iamserv.exe
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • INETUPD.EXE
  • InocIT.exe
  • InoRpc.exe
  • InoRT.exe
  • InoTask.exe
  • InoUpTNG.exe
  • IOMON98.EXE
  • isafe.exe
  • ISATRAY.EXE
  • ISRV95.EXE
  • ISSVC.exe
  • JEDI.EXE
  • KAV.exe
  • kavmm.exe
  • KAVPF.exe
  • KavPFW.exe
  • KAVStart.exe
  • KAVSvc.exe
  • KAVSvcUI.EXE
  • KMailMon.EXE
  • KPfwSvc.EXE
  • KWatch.EXE
  • livesrv.exe
  • LOCKDOWN2000.EXE
  • LogWatNT.exe
  • lpfw.exe
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • Luupdate.exe
  • MCAGENT.EXE
  • mcmnhdlr.exe
  • mcregwiz.exe
  • Mcshield.exe
  • MCUPDATE.EXE
  • mcvsshld.exe
  • MINILOG.EXE
  • MONITOR.EXE
  • MonSysNT.exe
  • MOOLIVE.EXE
  • MpEng.exe
  • mpssvc.exe
  • MSMPSVC.exe
  • myAgtSvc.exe
  • myagttry.exe
  • navapsvc.exe
  • NAVAPW32.EXE
  • NavLu32.exe
  • NAVW32.EXE
  • NDD32.EXE
  • NeoWatchLog.exe
  • NeoWatchTray.exe
  • NISSERV
  • NISUM.EXE
  • NMAIN.EXE
  • nod32.exe
  • nod32krn.exe
  • nod32kui.exe
  • NORMIST.EXE
  • notstart.exe
  • npavtray.exe
  • NPFMNTOR.EXE
  • npfmsg.exe
  • NPROTECT.EXE
  • NSCHED32.EXE
  • NSMdtr.exe
  • NssServ.exe
  • NssTray.exe
  • ntrtscan.exe
  • NTXconfig.exe
  • NUPGRADE.EXE
  • NVC95.EXE
  • Nvcod.exe
  • Nvcte.exe
  • Nvcut.exe
  • NWService.exe
  • OfcPfwSvc.exe
  • OUTPOST.EXE
  • PAV.EXE
  • PavFires.exe
  • PavFnSvr.exe
  • Pavkre.exe
  • PavProt.exe
  • pavProxy.exe
  • pavprsrv.exe
  • pavsrv51.exe
  • PAVSS.EXE
  • pccguide.exe
  • PCCIOMON.EXE
  • pccntmon.exe
  • PCCPFW.exe
  • PcCtlCom.exe
  • PCTAV.exe
  • PERSFW.EXE
  • pertsk.exe
  • PERVAC.EXE
  • PNMSRV.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • prevsrv.exe
  • PsImSvc.exe
  • QHM32.EXE
  • QHONLINE.EXE
  • QHONSVC.EXE
  • QHPF.EXE
  • qhwscsvc.exe
  • RavMon.exe
  • RavTimer.exe
  • Realmon.exe
  • REALMON95.EXE
  • Rescue.exe
  • rfwmain.exe
  • Rtvscan.exe
  • RTVSCN95.EXE
  • RuLaunch.exe
  • SAVAdminService.exe
  • SAVMain.exe
  • savprogress.exe
  • SAVScan.exe
  • SCAN32.EXE
  • ScanningProcess.exe
  • sched.exe
  • sdhelp.exe
  • SERVIC~1.EXE
  • SHSTAT.EXE
  • SiteCli.exe
  • smc.exe
  • SNDSrvc.exe
  • SPBBCSvc.exe
  • SPHINX.EXE
  • spiderml.exe
  • spidernt.exe
  • Spiderui.exe
  • SpybotSD.exe
  • SPYXX.EXE
  • SS3EDIT.EXE
  • stopsignav.exe
  • swAgent.exe
  • swdoctor.exe
  • SWNETSUP.EXE
  • symlcsvc.exe
  • SymProxySvc.exe
  • SymSPort.exe
  • SymWSC.exe
  • SYNMGR.EXE
  • TAUMON.EXE
  • TBMon.exe
  • TC.EXE
  • tca.exe
  • TCM.EXE
  • TDS-3.EXE
  • TeaTimer.exe
  • TFAK.EXE
  • THAV.EXE
  • THSM.EXE
  • Tmas.exe
  • tmlisten.exe
  • Tmntsrv.exe
  • TmPfw.exe
  • tmproxy.exe
  • TNBUtil.exe
  • TRJSCAN.EXE
  • Up2Date.exe
  • UPDATE.EXE
  • UpdaterUI.exe
  • upgrepl.exe
  • Vba32ECM.exe
  • Vba32ifs.exe
  • vba32ldr.exe
  • Vba32PP3.exe
  • VBSNTW.exe
  • vchk.exe
  • vcrmon.exe
  • VetTray.exe
  • VirusKeeper.exe
  • VPTRAY.EXE
  • vrfwsvc.exe
  • VRMONNT.EXE
  • vrmonsvc.exe
  • vrrw32.exe
  • VSECOMR.EXE
  • Vshwin32.exe
  • vsmon.exe
  • vsserv.exe
  • VsStat.exe
  • WATCHDOG.EXE
  • WebProxy.exe
  • Webscanx.exe
  • WEBTRAP.EXE
  • WGFE95.EXE
  • Winaw32.exe
  • winroute.exe
  • winss.exe
  • winssnotify.exe
  • WRADMIN.EXE
  • WRCTRL.EXE
  • xcommsvr.exe
  • zatutor.exe
  • ZAUINST.EXE
  • zlclient.exe
  • zonealarm.exe
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE

It also prevents the following list of files from running:

  • filtnt.sys
  • guardnt.sys
  • zonealarm.exe
  • zlclient.exe
  • zatutor.exe
  • VsStat.exe
  • Vshwin32.exe
  • Vba32PP3.exe
  • vba32ldr.exe
  • Vba32ifs.exe
  • Vba32ECM.exe
  • upgrepl.exe
  • Up2Date.exe
  • tmproxy.exe
  • TmPfw.exe
  • Tmntsrv.exe
  • symlcsvc.exe
  • spiderml.exe
  • SPBBCSvc.exe
  • SNDSrvc.exe
  • RuLaunch.exe
  • regedt32.exe
  • regedit.exe
  • Realmon.exe
  • QHPF.EXE
  • PcCtlCom.exe
  • pccguide.exe
  • outpost.exe
  • Nvcut.exe
  • Nvcte.exe
  • Nvcod.exe
  • npfmsg.exe
  • NPFMNTOR.EXE
  • nod32kui.exe
  • nod32.exe
  • NAVAPSVC.EXE
  • Mcshield.exe
  • Luupdate.exe
  • LUALL.EXE
  • KAVPF.exe
  • kavmm.exe
  • KAV.exe
  • isafe.exe
  • InoUpTNG.exe
  • InocIT.exe
  • INETUPD.EXE
  • GuardNT.exe
  • GUARDGUI.EXE
  • freshclam.exe
  • drwebupw.exe
  • drwebscd.exe
  • drweb32w.exe
  • drwadins.exe
  • CMGrdian.exe
  • ClamWin.exe
  • ClamTray.exe
  • CCSETMGR.EXE
  • CCEVTMGR.EXE
  • ccApp.exe
  • cafix.exe
  • bdswitch.exe
  • bdsubmit.exe
  • bdnews.exe
  • bdmcon.exe
  • AVWUPD32.EXE
  • Avsynmgr.exe
  • AVSCHED32.EXE
  • AVGNT.EXE
  • avgemc.exe
  • avgcc.exe
  • Avconsol.exe
  • AUPDATE.EXE
  • ashWebSv.exe
  • ashSkPck.exe
  • ashSimpl.exe
  • ashPopWz.exe
  • ashEnhcd.exe
  • ashDisp.exe
  • ashAvast.exe
  • kavsvc.exe
  • vsserv.exe
  • livesrv.exe
  • mcupdate.exe
  • frameworkservice.exe
  • upgrader.exe
  • apvxdwin.exe
  • LuComServer_2_5.EXE
  • lucomserver_2_6.exe
  • nod32krn.exe

Symptoms

  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • .wab
  • .txt
  • .msg
  • .htm
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following strings:

  • rating@
  • f-secur
  • news
  • update
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@

Email Address Harvesting Component

Email addresses harvested from infected machines are uploaded to a page at one of a number of web sites.

It also tries to download a file from one of a long list of web sites.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

Variants