10/01/04 - W32/Bagle.az@MM spreads via e-mail. It follows the routine below:
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
contains a remote access component
copies itself to folders whose name contains the string "shar" (typically the shared folders of peer-to-peer applications such as KaZaa, Bearshare, Limewire, etc)
Mail Propagation
The details are as follows:
From: (address is spoofed)
Subject: one of the following
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
Body Text: one of the following
:)
:))
Attachment: one of the following names, with an extension of .exe, .scr, .com or .cpl
Price
price
Joke
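The message template above is specific enough to match at a mail gateway. The following is an added example (not code from the advisory or from McAfee/NAI) that parses a raw RFC 822 message with Python's standard email package and reports which Bagle.az indicators it carries; the subject, body and attachment lists are the ones given above, and the two sample messages are constructed here so the check runs offline.

```python
"""Flag mail that matches the W32/Bagle.az@MM message template.

Added example, not advisory code. The indicator sets below are copied from
the advisory; SAMPLE_WORM and SAMPLE_BENIGN are constructed test messages.
"""
import email
import os
from email import policy

SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {":)", ":))"}
ATTACH_NAMES = {"Price", "price", "Joke"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".cpl"}


def bagle_indicators(raw: bytes) -> list:
    """Return the Bagle.az indicators found in one raw message, in the order
    subject, body, attachments (e.g. ['subject:Re: Hello', 'body::)', ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")

    # First text/plain part that is not itself marked as an attachment.
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body = body_part.get_content().strip()
        if body in BODIES:
            hits.append(f"body:{body}")

    # Attachment name must be one of the worm's stems AND carry one of its
    # executable extensions; "price.txt" or "invoice.exe" do not count.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if stem in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits.append(f"attachment:{name}")
    return hits


def is_bagle_az(raw: bytes) -> bool:
    """Verdict: the attachment indicator plus at least one of subject/body.
    A bare "Re:" subject or a ":)" body alone is far too common to block on."""
    hits = bagle_indicators(raw)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and len(hits) >= 2


# Constructed worm-style message: spoofed From, template subject and body,
# and a "price.exe" attachment (payload bytes are just a fake MZ header).
SAMPLE_WORM = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: Re: Hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    b"\r\n"
    b"--BOUND\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b":)\r\n"
    b"--BOUND\r\n"
    b'Content-Type: application/octet-stream; name="price.exe"\r\n'
    b'Content-Disposition: attachment; filename="price.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AAA==\r\n"
    b"--BOUND--\r\n"
)

# Constructed legitimate reply that shares the subject but nothing else.
SAMPLE_BENIGN = (
    b"From: carol@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: Re: Hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See you at the meeting tomorrow.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, is_bagle_az(raw), bagle_indicators(raw))
```

The attachment test deliberately requires both the stem and the extension from the advisory; matching on extension alone would quarantine every .exe, and matching on the stem alone would catch harmless "Joke.txt" files.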
The virus copies itself into the Windows System directory as BAWINDO.EXE. For example:
C:\WINDOWS\SYSTEM32\bawindo.exe
It also creates other files in this directory to perform its functions:
C:\WINDOWS\SYSTEM32\bawindo.exeopen
C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
The following Registry value is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm listens on TCP port 81 and on a random UDP port on the victim machine.
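The host artifacts listed above (the Run value, the three dropped files, the TCP listener and the mutex names) can be checked mechanically. The following is an added example, not code from the advisory or from McAfee/NAI: it takes a dump of the per-user Run key, a listing of the System32 directory, netstat -an output and a list of mutex names, and reports which indicators are present. All four inputs are constructed here so the check runs offline; on a live host they would come from winreg, os.listdir, netstat and a handle listing, respectively.

```python
"""Check host artifacts for the W32/Bagle.az@MM indicators in the advisory.

Added example, not advisory code. Indicator values are copied from the
advisory; the SAMPLE_* inputs are constructed.
"""
import re

RUN_VALUE_NAME = "bawindo"
DROPPED_FILES = {"bawindo.exe", "bawindo.exeopen", "bawindo.exeopenopen"}
BACKDOOR_TCP_PORT = 81
NETSKY_MUTEXES = {
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}

# netstat -an line for a listening TCP socket; group 1 is the local port.
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_run_key(run_values: dict) -> list:
    """run_values: value name -> data under HKCU\\...\\CurrentVersion\\Run."""
    return [
        f"run:{name}={data}"
        for name, data in run_values.items()
        if name.lower() == RUN_VALUE_NAME or data.lower().endswith("bawindo.exe")
    ]


def check_system32(listing: list) -> list:
    """listing: file names in the Windows System directory."""
    return sorted(f"file:{n}" for n in listing if n.lower() in DROPPED_FILES)


def check_listeners(netstat_lines: list) -> list:
    """Only the fixed TCP port can be checked; the UDP port is random."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) == BACKDOOR_TCP_PORT:
            hits.append(f"listener:tcp/{BACKDOOR_TCP_PORT}")
    return hits


def check_mutexes(mutex_names: list) -> list:
    """These are Netsky's mutex names, which Bagle.az creates to keep Netsky
    from running, so a hit means either family may be present."""
    return [f"mutex:{n}" for n in mutex_names if n in NETSKY_MUTEXES]


def assess(run_values: dict, listing: list, netstat_lines: list, mutex_names: list) -> dict:
    """Combine the checks. The Run value and dropped files are specific to
    Bagle.az; a port 81 listener or a Netsky mutex alone is only corroborating."""
    hits = (check_run_key(run_values) + check_system32(listing)
            + check_listeners(netstat_lines) + check_mutexes(mutex_names))
    specific = any(h.startswith(("run:", "file:")) for h in hits)
    return {"infected": specific, "hits": hits}


# Constructed inputs describing an infected host.
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "bawindo": r"C:\WINDOWS\SYSTEM32\bawindo.exe",
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "bawindo.exe", "bawindo.exeopen",
                   "bawindo.exeopenopen", "calc.exe"]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.10:1041      203.0.113.5:80         ESTABLISHED",
    "  UDP    0.0.0.0:1038           *:*",
]
SAMPLE_MUTEXES = ["ShimCacheMutex", "AdmSkynetJklS003"]

# Constructed inputs for a clean host (same netstat minus port 81).
CLEAN_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
CLEAN_SYSTEM32 = ["kernel32.dll", "calc.exe"]
CLEAN_NETSTAT = [SAMPLE_NETSTAT[0], SAMPLE_NETSTAT[1], SAMPLE_NETSTAT[3]]
CLEAN_MUTEXES = ["ShimCacheMutex"]

if __name__ == "__main__":
    print(assess(SAMPLE_RUN, SAMPLE_SYSTEM32, SAMPLE_NETSTAT, SAMPLE_MUTEXES))
    print(assess(CLEAN_RUN, CLEAN_SYSTEM32, CLEAN_NETSTAT, CLEAN_MUTEXES))
```

The file and Run-key matches are case-insensitive because Windows paths are; the mutex comparison is exact because the names are the distinguishing feature and Netsky variants differ only by those strings.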
More info on this worm:
http://vil.nai.com/vil/content/v_128582.htm
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_128582.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger