Threat behavior
Win32/Bagle.BA@mm is a mass-mailing worm that spreads by sending itself via e-mail and by copying itself to folders whose name contains the string "shar". When a file infected with Win32/Bagle.BA@mm is opened, it takes the following actions:
- Drops itself to <system folder>\winhost.exe and runs this copy of the worm
- Downloads files from two remote websites and saves those files to %windir%\test.exe
- Drops multiple copies of itself to any folder containing the string "shar" in the folder name. Dropped copies may be named any of the following:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt<empty spaces>.exe
text.txt<empty spaces>.exe
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc<empty spaces>.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
New document.doc<empty spaces>.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
hardcore arhive.exe
install.exe
important.exe
important update.exe
update.exe
patch.exe
New patch.exe
setup.exe
message.msg<empty spaces>.exe
Adds the following registry value so that the dropped copy runs each time the user logs on:
- Adds value: "winhost.exe"
  With data: "%System%\winhost.exe"
  To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Also writes the following registry values:
- "Port" = "dword:0x00002346"
- "Pid" = ""
- "Uid" = ""
The Uid and Pid data change from infection to infection.
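The two host-side indicators above (the Run value and the lure-named executables dropped into "shar" folders) can be checked without touching the live registry, which is handy when triaging an exported hive or a mounted disk image. The following Python is an added example, not code from this page or from Microsoft; the registry contents are passed in as a plain dict, the sample folder tree is constructed under a temporary directory, and the `<empty spaces>` names from the list are matched by a pattern for a harmless extension followed by a run of spaces and `.exe`, so it also catches padded variants that are not literally on the page.

```python
"""Host-side sweep for the Win32/Bagle.BA@mm indicators given above (added example)."""
import os
import re
import shutil
import tempfile

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Value name and data exactly as given in the description.
BAGLE_RUN_VALUE = ("winhost.exe", r"%System%\winhost.exe")

# Fixed dropped-copy names from the description. The "<empty spaces>" variants are
# covered by PADDED_DOUBLE_EXT below instead of being listed literally.
DROPPED_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "hardcore arhive.exe",
    "install.exe", "important.exe", "important update.exe", "update.exe",
    "patch.exe", "New patch.exe", "setup.exe",
}
# "<name>.<document ext><spaces>.exe": the spaces push the real ".exe" out of view.
PADDED_DOUBLE_EXT = re.compile(r"\.(txt|doc|msg) +\.exe$", re.IGNORECASE)


def check_run_key(values):
    """values: dict of value-name -> data found under the HKCU Run key.
    Returns a list of finding strings (empty when nothing matches)."""
    findings = []
    name, _data = BAGLE_RUN_VALUE
    for vname, vdata in values.items():
        # Match the documented value name, or any value whose data ends in winhost.exe
        # (the path may appear expanded, e.g. C:\WINDOWS\system32\winhost.exe).
        if vname.lower() == name.lower() or str(vdata).lower().endswith("winhost.exe"):
            findings.append(f"{RUN_KEY}\\{vname} = {vdata}")
    return findings


def classify_name(filename):
    """Return 'known-name', 'padded-double-ext', or None for one file name."""
    if filename in DROPPED_NAMES:
        return "known-name"
    if PADDED_DOUBLE_EXT.search(filename):
        return "padded-double-ext"
    return None


def scan_share_folders(root):
    """Walk root; in every folder whose name contains 'shar' (case-insensitive),
    report matching files as (folder relative to root, file name, reason)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for f in files:
            reason = classify_name(f)
            if reason:
                hits.append((os.path.relpath(dirpath, root), f, reason))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (not real data): a shared folder holding two lure
    files and a benign one, plus an unrelated folder that must not be reported."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    shared = os.path.join(root, "My Shared Folder")
    other = os.path.join(root, "Documents")
    os.makedirs(shared)
    os.makedirs(other)
    for name in ("setup.exe", "Serials.txt      .exe", "readme.txt"):
        open(os.path.join(shared, name), "w").close()
    open(os.path.join(other, "setup.exe"), "w").close()  # not in a 'shar' folder
    return root


def demo():
    """Run both checks on constructed input; returns (registry_findings, file_hits)."""
    # Constructed Run-key contents: one ordinary entry and the worm's entry.
    run_values = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                  "winhost.exe": r"%System%\winhost.exe"}
    root = build_demo_tree()
    try:
        hits = scan_share_folders(root)
    finally:
        shutil.rmtree(root)
    return check_run_key(run_values), hits


if __name__ == "__main__":
    reg, files = demo()
    print("Registry findings:", *reg, sep="\n  ")
    print("File findings:", *files, sep="\n  ")
```

The folder test deliberately keys on the folder name rather than on any peer-to-peer client, because that is all the description specifies; the `setup.exe` placed outside a "shar" folder shows why the name list alone is too noisy to use without that folder context.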
The worm collects e-mail addresses from files on the local drives that have any of the following extensions:
.wab
.txt
.msg
.htm
.html
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
It does not send mail to addresses that contain any of the following strings:
virus
norton
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
The e-mail messages sent by the worm have the following characteristics.
Subject (any of the following):
- Re: Msg reply
- Re: Hello
- Re:
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- RE: Incoming Msg
- RE: Message Notify
- Notification
- Changes..
- Update
- Fax Message
- Protected message
- RE: Protected message
- Forum notify
- Site changes
- Re: Hi
- Encrypted document
Message Body (any of the following):
- Read the attach.
- Your file is attached.
- Try this.
- More info is in attach
- See attach.
- Please, have a look at the attached file.
- Your document is attached.
- Please, read the document.
- Attach tells everything.
- Attached file tells everything.
- Check attached file for details.
- Check attached file.
- Pay attention at the attach.
- See the attached file for details.
- Message is in attach
- Here is the file.
- For security reasons attached file is password protected. The password is <image>
- For security purposes the attached file is password protected. Password -- <image>
- Note: Use password <image> to open archive.
- Attached file is protected with the password for security reasons. Password is <image>
- In order to read the attach you have to use the following password: <image>
- Archive password: <image>
- Password - <image>
- Password: <image>
Attachment (any of the following):
Information.exe
Details.exe
text_document.exe
Updates.exe
Readme.exe
Document.exe
Info.exe
Details.exe
MoreInfo.exe
Message.exe
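The subject, body and attachment lists above are the kind of static indicators a mail gateway can match on, but any one of them alone is weak (plain "Update" or "Re: Document" subjects are common legitimate traffic). The following Python is an added example, not code from this page or from Microsoft: it parses a message with the standard-library `email` package, counts how many independent lure indicators it carries, and flags it only when at least two agree. The two sample messages are constructed here, and the body texts ending in `<image>` are matched on their fixed prefix since the password itself is not text.

```python
"""Mail-side scoring of the Win32/Bagle.BA@mm lures given above (added example)."""
import email
from email import policy

SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re:", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
)}
# Body texts are one-liners; those ending in "<image>" are matched on the fixed prefix.
BODY_PREFIXES = tuple(b.lower() for b in (
    "Read the attach.", "Your file is attached.", "Try this.", "More info is in attach",
    "See attach.", "Please, have a look at the attached file.", "Your document is attached.",
    "Please, read the document.", "Attach tells everything.", "Attached file tells everything.",
    "Check attached file for details.", "Check attached file.", "Pay attention at the attach.",
    "See the attached file for details.", "Message is in attach", "Here is the file.",
    "For security reasons attached file is password protected. The password is",
    "For security purposes the attached file is password protected. Password --",
    "Note: Use password", "Attached file is protected with the password for security reasons.",
    "In order to read the attach you have to use the following password:",
    "Archive password:", "Password -", "Password:",
))
ATTACHMENTS = {a.lower() for a in (
    "Information.exe", "Details.exe", "text_document.exe", "Updates.exe", "Readme.exe",
    "Document.exe", "Info.exe", "MoreInfo.exe", "Message.exe",
)}
FLAG_THRESHOLD = 2  # at least two independent indicators must agree


def score_message(raw_bytes):
    """Parse an RFC 822 message and return (score, reasons); one point per indicator."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject on lure list: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    first_line = body.splitlines()[0] if body else ""
    if first_line.startswith(BODY_PREFIXES):
        reasons.append(f"body starts with lure phrase: {first_line[:40]!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in ATTACHMENTS:
            reasons.append(f"attachment name on lure list: {name!r}")
        elif name.lower().endswith((".exe", ".scr")):
            reasons.append(f"executable attachment: {name!r}")
    return len(reasons), reasons


def is_bagle_lure(raw_bytes):
    """True when enough indicators coincide to treat the message as a lure."""
    return score_message(raw_bytes)[0] >= FLAG_THRESHOLD


# Constructed sample messages (not real captures). The attachment payload is a
# placeholder ("ABCD" in base64), not an executable.
LURE = (
    b"From: someone@example.com\r\nTo: user@example.net\r\n"
    b"Subject: Re: Document\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Please, have a look at the attached file.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"Details.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"Details.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nQUJDRA==\r\n"
    b"--b1--\r\n"
)
BENIGN = (
    b"From: colleague@example.com\r\nTo: user@example.net\r\n"
    b"Subject: Re: Document\r\nContent-Type: text/plain\r\n\r\n"
    b"Here is the revised contract; comments inline below.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} flagged={is_bagle_lure(raw)}", *reasons, sep="\n  ")
```

The benign sample shares the "Re: Document" subject with the lure and scores one point, which the threshold leaves unflagged; the lure scores three. The body texts on the page say the payload is a password-protected archive, so a production rule would also need to look at archive member names, which this example does not do.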
Prevention
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP:
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to download future Microsoft security updates automatically while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP:
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.