From: McAfee Dispatch

------------------------------------------------------------
** VIRUS ADVISORY - W32/Bagle.z@MM **
------------------------------------------------------------
http://us.mcafee.com/root/campaign.asp?cid=10110

Virus Information

Name: W32/Bagle.z@MM
Risk Assessment
  - Home Users: Medium
  - Corporate Users: Medium
Date Discovered: 4/26/2004
Date Added: 4/26/2004
Origin: Unknown
Length: Various (appended garbage)
Type: Virus
SubType: E-mail worm
DAT Required: 4353

Virus Characteristics

-- Update 26th April 11:50 a.m. PST -- The EXTRA.DAT packages have been updated for enhanced detection. --
-- Update 26th April 09:37 PST -- Due to increased prevalence, this threat has had its risk assessment raised to Medium. --

This is a new variant of W32/Bagle@MM. It is packed using UPX. It is not polymorphic, but because random garbage is appended to each copy of the file, a single static MD5 hash is not a suitable indicator: the hash differs from sample to sample.

The following EXTRA.DAT packages are available prior to the full DAT release:
  EXTRA.DAT
  SUPER EXTRA.DAT

If you think that you may be infected with this threat and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

This is a mass-mailing worm with the following characteristics:
  - contains its own SMTP engine to construct outgoing messages
  - harvests email addresses from the victim machine
  - the From: address of messages is spoofed
  - attachment can be a password-protected zip file, with the password included in the message body
  - contains a remote access component (notification is sent to the hacker)
  - copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)

When executed it will display a false message (screenshot not reproduced here).

Mail Propagation

The details are as follows:

From: (address is spoofed)
It may use the following strings at times:
  lizie@
  annie@
  ann@
  christina@
  secretGurl@
  jessie@
  christy@

Subject: one of the following
  Hello!
  Hey!
  Let's socialize, my friend!
  Let's talk, my friend!
  I'm bored with this life
  Notify from a known person ;-)
  I like you
  I just need a friend
  I'm a sad girl...
  Re: Msg reply
  Re: Hello
  Re: Yahoo!
  Re: Thank you!
  Re: Thanks :)
  RE: Text message
  Re: Document
  Incoming message
  Re: Incoming Message
  Re: Incoming Fax
  Hidden message
  Fax Message Received
  Protected message
  RE: Protected message
  Forum notify
  Request response
  Site changes
  Re: Hi
  Encrypted document

Body Text: Uses various constructed strings

Attachment: May be one of the following:
  - Script dropper, using one of the following file extensions: HTA, VBS
  - Password-protected ZIP archive (detected as W32/Bagle.gen!pwdzip)
  - Executable, using one of the following file extensions: exe, scr, com, cpl
  - Executable dropper: CPL file with .CPL file extension

The executable uses the following icon: (image not reproduced here)
The CPL file uses the following icon: (image not reproduced here)

The virus copies itself into the Windows System directory as drvsys.exe.
For example:
  C:\WINNT\SYSTEM32\drvsys.exe

It also creates other files in this directory to perform its functions:
  drvsys.exeopen (copy of the worm)
  drvsys.exeopenopen (copy of the worm)

The following Registry value is added to hook system startup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "drvsys.exe" = C:\WINNT\SYSTEM32\drvsys.exe

This worm attempts to terminate the processes of security programs with the following filenames:
  AGENTSVR.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE
  APVXDWIN.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATWATCH.EXE
  AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVGSERV9.EXE
  AVLTMAIN.EXE AVPUPD.EXE AVSYNMGR.EXE AVWUPD32.EXE AVXQUAR.EXE AVprotect9x.exe
  BD_PROFESSIONAL.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE
  BLACKD.EXE BLACKICE.EXE BOOTWARN.EXE BORG2.EXE BS120.EXE CDP.EXE
  CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLEAN.EXE
  CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CMGRDIAN.EXE CMON016.EXE CPD.EXE
  CPF9X206.EXE CPFNT206.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DEFWATCH.EXE
  DEPUTY.EXE DPF.EXE DPFSETUP.EXE DRWATSON.EXE DRWEBUPW.EXE ENT.EXE
  ESCANH95.EXE ESCANHNT.EXE ESCANV95.EXE EXANTIVIRUS-CNET.EXE FAST.EXE FIREWALL.EXE
  FLOWPROTECTOR.EXE FP-WIN_TRIAL.EXE FRW.EXE FSAV.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE
  FSAV95.EXE GBMENU.EXE GBPOLL.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE
  HTLOG.EXE HWPE.EXE IAMAPP.EXE IAMSERV.EXE ICLOAD95.EXE ICLOADNT.EXE
  ICMON.EXE ICSSUPPNT.EXE ICSUPP95.EXE ICSUPPNT.EXE IFW2000.EXE IPARMOR.EXE
  IRIS.EXE JAMMER.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KERIO-PF-213-EN-WIN.EXE
  KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KILLPROCESSSETUP161.EXE LDPRO.EXE
  LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LSETUP.EXE LUALL.EXE LUCOMSERVER.EXE
  LUINIT.EXE MCAGENT.EXE MCUPDATE.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGUI.EXE
  MINILOG.EXE MOOLIVE.EXE MRFLUX.EXE MSCONFIG.EXE MSINFO32.EXE MSSMMC32.EXE
  MU0311AD.EXE NAV80TRY.EXE NAVAPW32.EXE NAVDX.EXE NAVSTUB.EXE NAVW32.EXE
  NC2000.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NETARMOR.EXE NETINFO.EXE
  NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NISSERV.EXE NISUM.EXE
  NMAIN.EXE NORTON_INTERNET_SECU_3.0_407.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE
  NPROTECT.EXE NSCHED32.EXE NTVDM.EXE NUPGRADE.EXE NVARCH16.EXE NWINST4.EXE
  NWTOOL16.EXE OSTRONET.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE
  PANIXK.EXE PAVPROXY.EXE PCC2002S902.EXE PCC2K_76_1436.EXE PCCIOMON.EXE PCDSETUP.EXE
  PCFWALLICON.EXE PCIP10117_0.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PF2.EXE
  PFWADMIN.EXE PINGSCAN.EXE PLATIN.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE
  PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PROCEXPLORERV1.0.EXE PROPORT.EXE PROTECTX.EXE
  PSPF.EXE PURGE.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAV8WIN32ENG.EXE
  REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE
  RTVSCN95.EXE RULAUNCH.EXE SAFEWEB.EXE SBSERV.EXE SD.EXE SETUPVAMEEVAL.EXE
  SETUP_FLOWPROTECTOR_US.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE
  SMC.EXE SOFI.EXE SPF.EXE SPHINX.EXE SPYXX.EXE SS3EDIT.EXE
  ST2.EXE SUPFTRL.EXE SUPPORTER5.EXE SYMPROXYSVC.EXE SYSEDIT.EXE TASKMON.EXE
  TAUMON.EXE TAUSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE
  TDS2-98.EXE TDS2-NT.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE
  TRACERT.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE UNDOBOOT.EXE UPDATE.EXE
  VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE
  VFSETUP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC42.EXE VPFW30S.EXE
  VPTRAY.EXE VSCENU6.02D30.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE
  VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE
  W9X.EXE WATCHDOG.EXE WEBSCANX.EXE WGFE95.EXE WHOSWATCHINGME.EXE WINRECON.EXE
  WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE
  ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZAUINST.EXE ZONALM2601.EXE ZONEALARM.EXE

Note that the list includes the built-in Windows tools NETSTAT.EXE, REGEDIT.EXE, REGEDT32.EXE, MSCONFIG.EXE, TASKMON.EXE and TRACERT.EXE, so on a live infected system the very tools used to check the indicators below may be killed as soon as they start. Collect evidence from Safe Mode or with tools of a different name.

The worm opens port 2535 (TCP) on the victim machine.

Indications of Infection
  - Port 2535 (TCP) open on the victim machine
  - Outgoing messages matching the described characteristics
  - Files/Registry keys as described

Method of Infection

Mail Propagation
This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
  .adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch
  .ods .oft .php .pl .sht .stm .tbb .shtm .txt .uin .wab .wsh .xls .xml

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing the following strings:
  @hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@
  feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi
  unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip
  google winrar samples abuse panda cafee spam pgp @avp. noreply local root@
  postmaster@

Peer To Peer Propagation
Files are created in folders that contain the phrase "shar", using the following names:
  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Microsoft Office XP working Crack, Keygen.exe
  Porno, sex, oral, anal cool, awesome!!.exe
  Porno Screensaver.scr
  Serials.txt.exe
  KAV 5.0
  Kaspersky Antivirus 5.0
  Porno pics arhive, xxx.exe
  Windows Sourcecode update.doc.exe
  Ahead Nero 7.exe
  Windown Longhorn Beta Leak.exe
  Opera 8 New!.exe
  XXX hardcore images.exe
  WinAmp 6 New!.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  Adobe Photoshop 9 full.exe
  Matrix 3 Revolution English Subtitles.exe
  ACDSee 9.exe

Remote Access Component
The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites, requesting a PHP script (/5.php) on each of the sites listed below. At the time of this writing this script does not exist on any of these sites, so the requests fail; the failed outbound requests themselves are still a usable network indicator in proxy or firewall logs.
  http://www.spiegel.de/5.php
  http://www.leipziger-messe.de/5.php
  http://www.mobile.de/5.php
  http://www.neformal.de/5.php
  http://www.avh.de/5.php
  http://www.goethe.de/5.php
  http://www.degruyter.de/5.php
  http://www.heise.de/5.php
  http://www.autoscout24.de/5.php
  http://www.russische-botschaft.de/5.php
  http://www.bmbf.de/5.php
  http://www.berlinale.de/5.php
  http://www.hamann-motorsport.de/5.php
  http://Spaceclub.de/5.php
  http://www.fracht-24.de/5.php
  http://www.loveparade.de/5.php
  http://www.dalnoboyshik.de/5.php
  http://www.deutschland.de/5.php
  http://www.ac-schnitzer.de/5.php
  http://abakan.strana.de/5.php
  http://www.emis.de/5.php
  http://www.dwd.de/5.php
  http://www.ifdesign.de/5.php
  http://www.beckers-systems.de/5.php
  http://www.pri-wo-hamburg.de/5.php
  http://virtualzone.de/5.php
  http://www.mitsumi.de/5.php
  http://www.fu-berlin.de/5.php
  http://www.nabu.de/5.php
  http://www.tekeli.de/5.php
  http://www.welt.de/5.php
  http://www.gospel-nations.de/5.php
  http://www.neznakomez.de/5.php
  http://www.tecchannel.de/5.php
  http://www.php-resource.de/5.php
  http://www.windac.de/5.php
  http://www.gsi.de/5.php
  http://www.turism.de/5.php
  http://jakimov.golos.de/5.php
  http://www.www.mirko-becker.gmxhome.de/5.php
  http://vg.xtonne.de/5.php
  http://www.go-amman.de/5.php
  http://3treepoint.com/5.php
  http://www.restarted-alliance.de/5.php
  http://2udar.ligakvn.de/5.php
  http://www.sprach-zertifikat.de/5.php
  http://www.dfg.de/5.php
  http://www.kliniken.de/5.php
  http://www.winfuture.de/5.php
  http://www.hamburg.de/5.php
  http://www.auma.de/5.php
  http://www.teac.de/5.php
  http://www.eumetsat.de/5.php
  http://www.documenta.de/5.php
  http://hardvision.ru/5.php
  http://www.bruecke-osteuropa.de/5.php
  http://www.mk-motorsport.de/5.php
  http://www.bundesregierung.de/5.php
  http://ditec.um.es/5.php
  http://www.insel-ruegen-hotel.de/5.php
  http://www.tib.uni-hannover.de/5.php
  http://www.chugai.de/5.php
  http://www.blauer-engel.de/5.php
  http://www.partner-inform.de/5.php
  http://250x.com/5.php
  http://villakinderbunt.de/5.php
  http://s318.evanzo-server.de/5.php
  http://andimeisslein.de/5.php
  http://tobimayer.de/5.php
  http://markusgimenez.de/5.php
  http://www.fiz-karlsruhe.de/5.php
  http://www.gdch.de/5.php
  http://www.intermatgmbh.de/5.php
  http://www.hotel-pension-spree.de/5.php
  http://vg.xtonne.de/5.php
  http://www.low-spirit.de/5.php
  http://www.red-dot.de/5.php
  http://www.fernuni-hagen.de/5.php
  http://www.ruletka.de/5.php
  http://www.deutsch-als-fremdsprache.de/5.php
  http://www.uni-oldenburg.de/5.php
  http://fotos.schneider.bards.de/5.php
  http://www.deutsches-museum.de/5.php
  http://www.de-bug.de/5.php
  http://www.uni-stuttgart.de/5.php
  http://www.embl-heidelberg.de/5.php
  http://www.mdz-moskau.de/5.php
  http://www.mitsubishi-evs.de/5.php
  http://www.siegenia-aubi.com/5.php
  http://www.cicv.fr/5.php
  http://www.paromi.de/5.php
  http://www.jura.uni-sb.de/5.php
  http://www.exactaudiocopy.de/5.php

Removal Instructions

All Users: Use the specified DAT files for detection and removal. Alternatively, the following EXTRA.DAT packages are available:
  EXTRA.DAT
  SUPER EXTRA.DAT

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:
  1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, and choose Safe Mode). Safe Mode matters here because the worm kills regedit, regedt32 and msconfig on a normally booted system.
  2. Delete the following files from your Windows System directory (typically C:\Windows\System on Windows 9x/ME, C:\Winnt\System32 on NT/2000, or C:\Windows\System32 on XP):
       drvsys.exe
       drvsys.exeopen
       drvsys.exeopenopen
  3. Edit the registry: delete the "drvsys.exe" value from
       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     The value lives under HKEY_CURRENT_USER, so check the Run key of every user profile that has logged on to the machine, not only the one you are removing it from.
  4. Reboot the system into normal mode.

Aliases
  I-Worm/Bagle.AA (GRISoft), W32/Bagle.Y@mm (F-PROT)

Scan for W32/Bagle.z@MM: http://us.mcafee.com/root/campaign.asp?cid=10111

Sign up for Free Virus News:

McAfee is a business unit of Network Associates, Inc.
Copyright © 2003, 2004, Networks Associates Technology, Inc. All Rights Reserved.
McAfee Security for Consumer Privacy Policy.

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
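Host- and proxy-side triage for the indicators the advisory lists (the drvsys.exe drop files in the System directory, the "drvsys.exe" value under the HKCU Run key, the TCP 2535 listener and the outbound /5.php notification requests). This is an added example, not code from McAfee or from Mike's post. It works on text captured from the suspect host (a directory listing, a .reg export of the Run key, `netstat -an` output and proxy log lines) rather than on the live host, so it runs anywhere; the captures below are constructed for illustration, the function and field names are my own, and BEACON_HOSTS is a hypothetical subset of the hosts listed in the advisory.

```python
"""Triage captured host data for the W32/Bagle.z@MM indicators in the advisory.
All inputs are plain text captured from the host; the samples are constructed."""
import re
from dataclasses import dataclass, field

DROPPED_FILES = {"drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "drvsys.exe"
BACKDOOR_PORT = 2535
# Hypothetical subset of the notification hosts from the advisory; extend with the full list.
BEACON_HOSTS = {"www.spiegel.de", "www.heise.de", "www.welt.de", "www.hamburg.de",
                "www.fu-berlin.de", "www.bundesregierung.de"}
BEACON_PATH = "/5.php"


@dataclass
class Findings:
    files: list = field(default_factory=list)       # dropped file names present
    run_values: list = field(default_factory=list)  # (name, data) hits under RUN_KEY
    listeners: list = field(default_factory=list)   # TCP ports in LISTENING state that match
    beacons: list = field(default_factory=list)     # (host, path) of /5.php requests

    def infected(self) -> bool:
        return bool(self.files or self.run_values or self.listeners or self.beacons)


def parse_reg_export(text: str) -> dict:
    """Parse a minimal 'Windows Registry Editor' export into {key: {name: data}}.
    Only REG_SZ lines of the form "name"="data" are handled; others are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def parse_netstat(text: str):
    """Yield (proto, local_port, state) from Windows `netstat -an` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            port = int(parts[1].rsplit(":", 1)[1])        # handles IPv4 and [::]:port
            yield parts[0], port, (parts[3] if len(parts) > 3 else "")


def triage(dir_listing, reg_text, netstat_text, proxy_lines=()) -> Findings:
    """Match the captured data against every indicator; all comparisons are case-insensitive."""
    f = Findings()
    f.files = sorted(n for n in dir_listing if n.lower() in DROPPED_FILES)
    run = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}.get(RUN_KEY.lower(), {})
    f.run_values = [(n, d) for n, d in run.items()
                    if n.lower() == RUN_VALUE or d.lower().endswith("\\drvsys.exe")]
    f.listeners = [p for proto, p, st in parse_netstat(netstat_text)
                   if proto == "TCP" and p == BACKDOOR_PORT and st == "LISTENING"]
    for line in proxy_lines:
        m = re.search(r"https?://([^/\s]+)(/\S*)", line)
        if m and m.group(2) == BEACON_PATH and m.group(1).lower() in BEACON_HOSTS:
            f.beacons.append((m.group(1), m.group(2)))
    return f


# Constructed captures from a hypothetical infected host.
SAMPLE_DIR = ["kernel32.dll", "DRVSYS.EXE", "drvsys.exeopen", "drvsys.exeopenopen", "notepad.exe"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"drvsys.exe"="C:\\WINNT\\SYSTEM32\\drvsys.exe"
'''
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2535           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.7:25            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_PROXY = [
    "1083000001.123 10.0.0.5 GET http://www.heise.de/5.php - 404",
    "1083000002.456 10.0.0.5 GET http://www.heise.de/newsticker/ - 200",
]

if __name__ == "__main__":
    print(triage(SAMPLE_DIR, SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PROXY))
```

Because NETSTAT.EXE, REGEDIT.EXE and REGEDT32.EXE are on the worm's kill list, the captures should be taken from Safe Mode or with a renamed copy of the tool; the 404 on /5.php in the proxy line is the expected shape of the beacon, since the advisory notes the script does not exist on the contacted sites.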
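Mail-gateway scoring against the message characteristics in the advisory: the fixed subject list, the spoofed sender local-parts, the HTA/VBS/EXE/SCR/COM/CPL droppers, and the password-protected ZIP whose password is handed over in the body (the case the generic W32/Bagle.gen!pwdzip detection covers). This is an added example in Python, not McAfee's detection logic; the message dict layout, classify(), make_zip() and the password-in-body heuristic are my own, and the three sample messages are constructed.

```python
"""Score an inbound message against the W32/Bagle.z@MM mail characteristics.
Message layout, helpers and samples are constructed for this example."""
import io
import re
import struct
import zipfile

# Subjects, sender local-parts and dropper extensions as listed in the advisory.
SUBJECTS = {s.casefold() for s in (
    "Hello!", "Hey!", "Let's socialize, my friend!", "Let's talk, my friend!",
    "I'm bored with this life", "Notify from a known person ;-)", "I like you",
    "I just need a friend", "I'm a sad girl...", "Re: Msg reply", "Re: Hello",
    "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)", "RE: Text message",
    "Re: Document", "Incoming message", "Re: Incoming Message", "Re: Incoming Fax",
    "Hidden message", "Fax Message Received", "Protected message",
    "RE: Protected message", "Forum notify", "Request response", "Site changes",
    "Re: Hi", "Encrypted document")}
SPOOFED_LOCALPARTS = {"lizie", "annie", "ann", "christina", "secretgurl", "jessie", "christy"}
DROPPER_EXTS = {".hta", ".vbs", ".exe", ".scr", ".com", ".cpl"}
PASSWORD_HINT = re.compile(r"\bpass(?:word)?\b", re.I)   # my heuristic, not from the advisory


def is_encrypted_zip(data: bytes) -> bool:
    """True if any member has general-purpose flag bit 0 (encrypted) set.
    The central directory is readable without the password, so a gateway can
    decide this for an archive the scanner itself cannot open."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify(msg: dict):
    """msg = {"from", "subject", "body", "attachments": [(name, bytes), ...]}.
    Returns (verdict, reasons). Attachment evidence quarantines; a subject or
    sender match alone only marks the message suspicious, since those strings
    also occur in legitimate mail."""
    reasons, hard = [], False
    if msg.get("subject", "").strip().casefold() in SUBJECTS:
        reasons.append("subject on Bagle.z list")
    m = re.search(r'([^<>@\s"]+)@', msg.get("from", ""))
    if m and m.group(1).casefold() in SPOOFED_LOCALPARTS:
        reasons.append(f"sender local-part '{m.group(1)}' used by Bagle.z")
    body_has_password = bool(PASSWORD_HINT.search(msg.get("body", "")))
    for name, data in msg.get("attachments", []):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in DROPPER_EXTS:
            reasons.append(f"dropper attachment {name}")
            hard = True
        elif ext == ".zip" and is_encrypted_zip(data) and body_has_password:
            reasons.append(f"password-protected zip {name} with password in body")
            hard = True
    verdict = "quarantine" if hard else ("suspicious" if reasons else "clean")
    return verdict, reasons


def make_zip(member: str, payload: bytes, encrypted_flag: bool = False) -> bytes:
    """Build a one-member ZIP in memory. With encrypted_flag, set bit 0 of the
    general-purpose flag in both the local header (offset 6 from its signature)
    and the central directory entry (offset 8); the payload stays in the clear,
    which is enough to exercise is_encrypted_zip()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for off in (data.find(b"PK\x03\x04") + 6, data.find(b"PK\x01\x02") + 8):
            struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | 0x1)
    return bytes(data)


# Constructed samples: a Bagle-style lure, an ordinary archive, and a header-only hit.
SAMPLE_WORM = {
    "from": "annie@example.com",
    "subject": "Re: Incoming Fax",
    "body": "Your fax is attached. Archive password: 47381",
    "attachments": [("Fax.zip", make_zip("Fax.exe", b"MZ placeholder, not a real worm", True))],
}
SAMPLE_CLEAN = {
    "from": "bob@example.org",
    "subject": "Q2 figures",
    "body": "Spreadsheet attached, let me know if anything is off.",
    "attachments": [("figures.zip", make_zip("figures.xls", b"\xd0\xcf\x11\xe0"))],
}
SAMPLE_HEADER_ONLY = {"from": "christy@example.com", "subject": "Re: Hello", "body": "hi", "attachments": []}

if __name__ == "__main__":
    for label, msg in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN), ("header-only", SAMPLE_HEADER_ONLY)):
        print(label, *classify(msg))
```

A legitimate encrypted archive whose sender also puts the password in the body gets the same verdict, which is why the outcome is a quarantine with notification rather than a silent drop; the flag-bit check is the part worth keeping, because it is what lets a gateway act on an archive whose contents the scanner cannot see.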