MrOZ
20-01-2004, 11:12
Win32/Bagle.A is a worm spreading in the form of a file in the attachment of an e-mail. Its body is not compressed, it has a random file name with the “exe“ extension and it‘s size is 15872 bytes. The sender address is a random e-mail address, which means it is not the address of the actual infected computer spreading the worm. The worm arrives with a Subject line: „Hi“. The body contains the following text:
Test =)
amjscyqovdejfpxt
--
Test, yep.
The string in the second line is random string changing each time the worm spread itself. The icon of the attached file is a calculator and upon its opening, besides its harmful activities, it also launches the system calculator (calc.exe). The worm is active only if the system date is set to be prior January 28 th 2004. The worm copies itself on the disk with the file name “bbeagle.exe“.
The worm registers itself in the following registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = " %systemdir% \bbeagle.exe"
And it creates a new key:
[HKEY_CURRENT_USER\Software\Windows98]
"uid"= random number
"frun"=dword:00000001
The worm acquires addresses for its spreading from files with the following extensions: wab, txt, htm and html. It skips the addresses containing the following strings: „@hotmail.com“, „@msn.com“, „@microsoft“, „@avp“ and „r1“.
The worm is capable of downloading an executable file from the internet and run on the infected computer. The worm connects to the following web sites:
h*tp://www.elrasshop.de/1.php
h*tp://www.it-msc.de/1.php
h*tp://www.getyourfree.net/1.php
h*tp://www.dmdesign.de/1.php
h*tp://64.176.228.13/1.php
h*tp://www.leonzernitsky.com/1.php
h*tp://216.98.136.248/1.php
h*tp://216.98.134.247/1.php
h*tp://www.cdromca.com/1.php
h*tp://www.kunst-in-templin.de/1.php
h*tp://vipweb.ru/1.php
h*tp://antol-co.ru/1.php
h*tp://www.bags-dostavka.mags.ru/1.php
h*tp://www.5x12.ru/1.php
h*tp://bose-audio.net/1.php
h*tp://www.sttngdata.de/1.php
h*tp://wh9.tu-dresden.de/1.php
h*tp://www.micronuke.net/1.php
h*tp://www.stadthagen.org/1.php
h*tp://www.beasty-cars.de/1.php
h*tp://www.polohexe.de/1.php
h*tp://www.bino88.de/1.php
h*tp://www.grefrathpaenz.de/1.php
h*tp://www.bhamidy.de/1.php
h*tp://www.mystic-vws.de/1.php
h*tp://www.auto-hobby-essen.de/1.php
h*tp://www.polozicke.de/1.php
h*tp://www.twr-music.de/1.php
h*tp://www.sc-erbendorf.de/1.php
h*tp://www.montania.de/1.php
h*tp://www.medi-martin.de/1.php
h*tp://vvcgn.de/1.php
h*tp://www.ballonfoto.com/1.php
h*tp://www.marder-gmbh.de/1.php
h*tp://www.dvd-filme.com/1.php
h*tp://www.smeangol.com/1.php
h*tp://www.elrasshop.de/1.php
h*tp://www.it-msc.de/1.php
h*tp://www.getyourfree.net/1.php
h*tp://www.dmdesign.de/1.php
h*tp://64.176.228.13/1.php
h*tp://www.leonzernitsky.com/1.php
h*tp://216.98.136.248/1.php
h*tp://216.98.134.247/1.php
h*tp://www.cdromca.com/1.php
h*tp://www.kunst-in-templin.de/1.php
h*tp://vipweb.ru/1.php
h*tp://antol-co.ru/1.php
h*tp://www.bags-dostavka.mags.ru/1.php
h*tp://www.5x12.ru/1.php
h*tp://bose-audio.net/1.php
h*tp://www.sttngdata.de/1.php
h*tp://wh9.tu-dresden.de/1.php
h*tp://www.micronuke.net/1.php
h*tp://www.stadthagen.org/1.php
h*tp://www.beasty-cars.de/1.php
h*tp://www.polohexe.de/1.php
h*tp://www.bino88.de/1.php
h*tp://www.grefrathpaenz.de/1.php
h*tp://www.bhamidy.de/1.php
h*tp://www.mystic-vws.de/1.php
h*tp://www.auto-hobby-essen.de/1.php
h*tp://www.polozicke.de/1.php
h*tp://www.twr-music.de/1.php
h*tp://www.sc-erbendorf.de/1.php
h*tp://www.montania.de/1.php
h*tp://www.medi-martin.de/1.php
h*tp://vvcgn.de/1.php
h*tp://www.ballonfoto.com/1.php
h*tp://www.marder-gmbh.de/1.php
h*tp://www.dvd-filme.com/1.php
h*tp://www.smeangol.com/1.php
http://www.nod32.it/pedia/b/bagle-a.htm
--------------------------------------------------------------------------------------
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965
http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=182
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
---------------------------------------------------------------------------------------
Tool di rimozione x W32/Bagle@MM:
Bitdefener
http://www.bitdefender.com/bd/site/virusin..._id=1&v_id=182#
Antivir
http://www.antivir.de/vireninfo/bagle.htm#removal
Panda
http://www.pandasoftware.com/virus_info/en...us=43789&sind=0
http://www.pandasoftware.com/virus_info/en...l&idvirus=43789
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.htm
Eset
http://www.nod32.it/support/support.htm#freetools
---------------------------------------------------------------------------------------------
(PS: @ qualke mod --> esisteva già 1 3d riguardo questo virus ma nn sono riuscito a trovarlo. Se lo trovate uniteli. Grazie)
Test =)
amjscyqovdejfpxt
--
Test, yep.
The string in the second line is random string changing each time the worm spread itself. The icon of the attached file is a calculator and upon its opening, besides its harmful activities, it also launches the system calculator (calc.exe). The worm is active only if the system date is set to be prior January 28 th 2004. The worm copies itself on the disk with the file name “bbeagle.exe“.
The worm registers itself in the following registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = " %systemdir% \bbeagle.exe"
And it creates a new key:
[HKEY_CURRENT_USER\Software\Windows98]
"uid"= random number
"frun"=dword:00000001
The worm acquires addresses for its spreading from files with the following extensions: wab, txt, htm and html. It skips the addresses containing the following strings: „@hotmail.com“, „@msn.com“, „@microsoft“, „@avp“ and „r1“.
The worm is capable of downloading an executable file from the internet and run on the infected computer. The worm connects to the following web sites:
h*tp://www.elrasshop.de/1.php
h*tp://www.it-msc.de/1.php
h*tp://www.getyourfree.net/1.php
h*tp://www.dmdesign.de/1.php
h*tp://64.176.228.13/1.php
h*tp://www.leonzernitsky.com/1.php
h*tp://216.98.136.248/1.php
h*tp://216.98.134.247/1.php
h*tp://www.cdromca.com/1.php
h*tp://www.kunst-in-templin.de/1.php
h*tp://vipweb.ru/1.php
h*tp://antol-co.ru/1.php
h*tp://www.bags-dostavka.mags.ru/1.php
h*tp://www.5x12.ru/1.php
h*tp://bose-audio.net/1.php
h*tp://www.sttngdata.de/1.php
h*tp://wh9.tu-dresden.de/1.php
h*tp://www.micronuke.net/1.php
h*tp://www.stadthagen.org/1.php
h*tp://www.beasty-cars.de/1.php
h*tp://www.polohexe.de/1.php
h*tp://www.bino88.de/1.php
h*tp://www.grefrathpaenz.de/1.php
h*tp://www.bhamidy.de/1.php
h*tp://www.mystic-vws.de/1.php
h*tp://www.auto-hobby-essen.de/1.php
h*tp://www.polozicke.de/1.php
h*tp://www.twr-music.de/1.php
h*tp://www.sc-erbendorf.de/1.php
h*tp://www.montania.de/1.php
h*tp://www.medi-martin.de/1.php
h*tp://vvcgn.de/1.php
h*tp://www.ballonfoto.com/1.php
h*tp://www.marder-gmbh.de/1.php
h*tp://www.dvd-filme.com/1.php
h*tp://www.smeangol.com/1.php
h*tp://www.elrasshop.de/1.php
h*tp://www.it-msc.de/1.php
h*tp://www.getyourfree.net/1.php
h*tp://www.dmdesign.de/1.php
h*tp://64.176.228.13/1.php
h*tp://www.leonzernitsky.com/1.php
h*tp://216.98.136.248/1.php
h*tp://216.98.134.247/1.php
h*tp://www.cdromca.com/1.php
h*tp://www.kunst-in-templin.de/1.php
h*tp://vipweb.ru/1.php
h*tp://antol-co.ru/1.php
h*tp://www.bags-dostavka.mags.ru/1.php
h*tp://www.5x12.ru/1.php
h*tp://bose-audio.net/1.php
h*tp://www.sttngdata.de/1.php
h*tp://wh9.tu-dresden.de/1.php
h*tp://www.micronuke.net/1.php
h*tp://www.stadthagen.org/1.php
h*tp://www.beasty-cars.de/1.php
h*tp://www.polohexe.de/1.php
h*tp://www.bino88.de/1.php
h*tp://www.grefrathpaenz.de/1.php
h*tp://www.bhamidy.de/1.php
h*tp://www.mystic-vws.de/1.php
h*tp://www.auto-hobby-essen.de/1.php
h*tp://www.polozicke.de/1.php
h*tp://www.twr-music.de/1.php
h*tp://www.sc-erbendorf.de/1.php
h*tp://www.montania.de/1.php
h*tp://www.medi-martin.de/1.php
h*tp://vvcgn.de/1.php
h*tp://www.ballonfoto.com/1.php
h*tp://www.marder-gmbh.de/1.php
h*tp://www.dvd-filme.com/1.php
h*tp://www.smeangol.com/1.php
http://www.nod32.it/pedia/b/bagle-a.htm
--------------------------------------------------------------------------------------
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.A
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100965
http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=182
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
---------------------------------------------------------------------------------------
Tool di rimozione x W32/Bagle@MM:
Bitdefener
http://www.bitdefender.com/bd/site/virusin..._id=1&v_id=182#
Antivir
http://www.antivir.de/vireninfo/bagle.htm#removal
Panda
http://www.pandasoftware.com/virus_info/en...us=43789&sind=0
http://www.pandasoftware.com/virus_info/en...l&idvirus=43789
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.htm
Eset
http://www.nod32.it/support/support.htm#freetools
---------------------------------------------------------------------------------------------
(PS: @ qualke mod --> esisteva già 1 3d riguardo questo virus ma nn sono riuscito a trovarlo. Se lo trovate uniteli. Grazie)