#1
Senior Member
Joined: Jun 2003
City: "Mantua me genuit" Completed trades: a ton!!! Deviances: MacTard iMac 27" i5 2.8GHz 4GB iPhone 5 32GB Black Joined: Nov 2002
Posts: 4426
Win32/Bagle.A

Win32/Bagle.A is a worm that spreads as a file attached to an e-mail. Its body is not compressed; it has a random file name with the "exe" extension and its size is 15872 bytes. The sender address is a random e-mail address, which means it is not the address of the actual infected computer spreading the worm. The worm arrives with the Subject line "Hi". The body contains the following text:

Test =)
amjscyqovdejfpxt
-- Test, yep.

The string in the second line is a random string that changes each time the worm spreads itself. The icon of the attached file is a calculator and, upon opening it, besides its harmful activities it also launches the system calculator (calc.exe). The worm is active only if the system date is set prior to January 28th, 2004. The worm copies itself to the disk with the file name "bbeagle.exe". The worm registers itself in the following registry key:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe" = "%systemdir%\bbeagle.exe"

And it creates a new key:

[HKEY_CURRENT_USER\Software\Windows98]
"uid" = random number
"frun" = dword:00000001

The worm acquires addresses for its spreading from files with the following extensions: wab, txt, htm and html. It skips addresses containing the following strings: "@hotmail.com", "@msn.com", "@microsoft", "@avp" and "r1". The worm is capable of downloading an executable file from the internet and running it on the infected computer.

The worm connects to the following web sites:
h*tp://www.elrasshop.de/1.php
h*tp://www.it-msc.de/1.php
h*tp://www.getyourfree.net/1.php
h*tp://www.dmdesign.de/1.php
h*tp://64.176.228.13/1.php
h*tp://www.leonzernitsky.com/1.php
h*tp://216.98.136.248/1.php
h*tp://216.98.134.247/1.php
h*tp://www.cdromca.com/1.php
h*tp://www.kunst-in-templin.de/1.php
h*tp://vipweb.ru/1.php
h*tp://antol-co.ru/1.php
h*tp://www.bags-dostavka.mags.ru/1.php
h*tp://www.5x12.ru/1.php
h*tp://bose-audio.net/1.php
h*tp://www.sttngdata.de/1.php
h*tp://wh9.tu-dresden.de/1.php
h*tp://www.micronuke.net/1.php
h*tp://www.stadthagen.org/1.php
h*tp://www.beasty-cars.de/1.php
h*tp://www.polohexe.de/1.php
h*tp://www.bino88.de/1.php
h*tp://www.grefrathpaenz.de/1.php
h*tp://www.bhamidy.de/1.php
h*tp://www.mystic-vws.de/1.php
h*tp://www.auto-hobby-essen.de/1.php
h*tp://www.polozicke.de/1.php
h*tp://www.twr-music.de/1.php
h*tp://www.sc-erbendorf.de/1.php
h*tp://www.montania.de/1.php
h*tp://www.medi-martin.de/1.php
h*tp://vvcgn.de/1.php
h*tp://www.ballonfoto.com/1.php
h*tp://www.marder-gmbh.de/1.php
h*tp://www.dvd-filme.com/1.php
h*tp://www.smeangol.com/1.php

http://www.nod32.it/pedia/b/bagle-a.htm
--------------------------------------------------------------------------------------
http://www.trendmicro.com/vinfo/viru...e=WORM_BAGLE.A
http://us.mcafee.com/virusInfo/defau...virus_k=100965
http://www.bitdefender.com/bd/site/v..._id=1&v_id=182
http://www.sophos.com/virusinfo/analyses/w32baglea.html
http://[email protected]
---------------------------------------------------------------------------------------
Removal tools for W32/Bagle@MM:
Bitdefender http://www.bitdefender.com/bd/site/v...id=1&v_id=182#
Antivir http://www.antivir.de/vireninfo/bagle.htm#removal
Panda http://www.pandasoftware.com/virus_i...s=43789&sind=0
http://www.pandasoftware.com/virus_i...&idvirus=43789
Symantec http://[email protected]
Eset http://www.nod32.it/support/support.htm#freetools
---------------------------------------------------------------------------------------------
(PS: @ any mod --> there was already a thread about this virus but I couldn't find it. If you find it, merge them. Thanks)
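Triage checks built from the indicators quoted in the post above, added here as an example; this is not part of the original post and not a vendor tool. It parses a constructed sample message (not a real capture) for the "Hi" subject, the "Test =)" body pattern and a 15872-byte .exe attachment, checks a registry snapshot for the d3dupdate.exe Run value pointing at bbeagle.exe and the Software\Windows98 marker key, and applies the worm's address skip list. The sender and recipient addresses, the attachment name qwzrt.exe and the C:\WINDOWS\SYSTEM32 path standing in for %systemdir% are assumptions; snapshot_hkcu() is the only part that touches a live (Windows) registry.

```python
"""Triage helpers built from the Win32/Bagle.A indicators quoted above.

Added example, not part of the original post or of any vendor tool. The
sample e-mail and the registry snapshot below are constructed here; the
path C:\\WINDOWS\\SYSTEM32 stands in for %systemdir% and is an assumption.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Mail-side indicators from the description.
SUBJECT = "Hi"
ATTACHMENT_SIZE = 15872
# "Test =)" / random lower-case token / "-- Test, yep."  (token length not fixed)
BODY_RE = re.compile(r"\ATest =\)\s*\n\s*([a-z]+)\s*\n\s*-- Test, yep\.\Z")
# Strings the worm skips when harvesting addresses (plain substring test).
SKIP_STRINGS = ("@hotmail.com", "@msn.com", "@microsoft", "@avp", "r1")

# Host-side indicators from the description.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Windows98"
DROPPED_NAME = "bbeagle.exe"


def check_message(raw: bytes) -> dict:
    """Return which Bagle.A mail indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, token = [], None
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    m = BODY_RE.match(body.get_content().strip()) if body is not None else None
    if m:
        hits.append("body")
        token = m.group(1)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".exe") and len(data) == ATTACHMENT_SIZE:
            hits.append("attachment")
            break
    all_three = {"subject", "body", "attachment"} <= set(hits)
    return {"hits": hits, "random_token": token,
            "verdict": "Bagle.A-like" if all_three else "not matched"}


def skipped_by_worm(address: str) -> bool:
    """True if the worm's harvester would ignore this address."""
    return any(s in address for s in SKIP_STRINGS)


def check_registry(snapshot: dict) -> list:
    """snapshot maps key path -> {value name: data}; returns matching indicators."""
    hits = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if str(data).lower().endswith("\\" + DROPPED_NAME):
            hits.append(f"{RUN_KEY}\\{name} -> {data}")
    marker = snapshot.get(MARKER_KEY)
    if marker is not None and "uid" in marker and marker.get("frun") == 1:
        hits.append(f"{MARKER_KEY} with uid/frun marker")
    return hits


def snapshot_hkcu(paths=(RUN_KEY, MARKER_KEY)) -> dict:
    """Read the two keys from the live registry (Windows only)."""
    import winreg  # absent off Windows; check_registry() itself is portable
    out = {}
    for path in paths:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path.split("\\", 1)[1]) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                out[path] = values
        except OSError:
            continue
    return out


def build_sample_eml() -> bytes:
    """Constructed message mimicking the description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "randomsender@example.org"   # spoofed, as the description says
    msg["To"] = "victim@example.net"
    msg["Subject"] = SUBJECT
    msg.set_content("Test =)\namjscyqovdejfpxt\n-- Test, yep.\n")
    fake_exe = b"MZ" + b"\x00" * (ATTACHMENT_SIZE - 2)  # placeholder, not the worm
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="qwzrt.exe")
    return msg.as_bytes()


# Constructed registry snapshot; the path is an assumption for %systemdir%.
SAMPLE_REGISTRY = {
    RUN_KEY: {"d3dupdate.exe": r"C:\WINDOWS\SYSTEM32\bbeagle.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    MARKER_KEY: {"uid": 1234567, "frun": 1},
}

if __name__ == "__main__":
    print(check_message(build_sample_eml()))
    print(check_registry(SAMPLE_REGISTRY))
    print([a for a in ("bob@example.org", "mar1o@example.org", "x@hotmail.com")
           if not skipped_by_worm(a)])
```

The mail verdict requires all three indicators together, since "Hi" subjects and 15 KB executables are each common on their own; the registry check matches on the dropped file name rather than the exact value data because %systemdir% differs between installs. Note that the "r1" skip string is a bare substring test, so any address containing it (e.g. one with "mar1o" in the local part) would never have been targeted.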

#2
Senior Member
Joined: Nov 2001
City: Bastia Umbra (PG)
Posts: 6395

__________________
:: The best argument against democracy is a five-minute conversation with the average voter ::

#3
Senior Member
Joined: Jun 2003
City: "Mantua me genuit" Completed trades: a ton!!! Deviances: MacTard iMac 27" i5 2.8GHz 4GB iPhone 5 32GB Black Joined: Nov 2002
Posts: 4426
Quote:

#4
Senior Member
Joined: Nov 2001
City: Bastia Umbra (PG)
Posts: 6395
I'd say between the two of us
__________________
:: The best argument against democracy is a five-minute conversation with the average voter ::

#5
Senior Member
Joined: Feb 2003
City: Torino
Posts: 3710

Always the same ones

All times are GMT +1. The time now is 07:29.