W32/Bagle.bj@MM
W32/Bagle.bj@MM 
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
Mail Propagation
The virus copies itself into the Windows System directory as sysformat.exe. For example:
C:\WINNT\SYSTEM32\sysformat.exe
It also creates other files in this directory to perform its functions:
C:\WINNT\SYSTEM32\sysformat.exeopen
C:\WINNT\SYSTEM32\sysformat.exeopenopen
The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe
Additionally, the following Registry keys are added:
HKEY_CURRENT_USER\Software\Microsoft\Params "TimeKey"
It deletes these values
"My AV"
"ICQ Net"
from the following Registry keys, if they are present:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
This worm attempts to terminate the process of security programs with the the following filenames:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe
The worm opens random ports starting with 2339 (TCP) on the victim machine.
http://www.sybari.ws/VirusAlerts/VirusAlertView.aspx?Alias=Rainbow&TabId=0&Lang=en-US&mid=10659&ItemID=94
Trackbacks
No Trackbacks
Comments
No Comments
