[virusinfo] Re: New Bagle Variant Spreads Via Email, Network Shares

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 07 May 2004 13:50:43 -0700


From: eSecurityPlanet, part of the Earthweb network:

New Bagle Variant Spreads Via Email, Network Shares
Trend Micro Friday issued a medium-level threat alert for Worm_Bagle.Z, a
memory-resident worm that spreads via email and network shares. 
http://nl.internet.com/ct.html?rtr=on&s=1,vvf,1,ka16,648t,1std,6jmd

New Bagle Variant Spreads Via Email, Network Shares
May 7, 2004


Trend Micro Friday issued a medium-level threat alert for Worm_Bagle.Z, a
memory-resident worm that spreads via email and network shares. Upon
execution, it drops a copy of itself in the Windows system folder using any
of the following file names: 


DRVDDLL.EXE
DRVDDLL.EXEOPEN
DRVDDLL.EXEOPENOPEN

It uses its own Simple Mail Transfer Protocol (SMTP)
engine to propagate. The email it sends out contains a message body only if
its attachment is a password-protected .ZIP file.
View a sample email that this worm sends out and other information at this
Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.Z


Malware Has Several Malicious Capabilities

Bkdr_Spybot.ZA is malware usually downloaded from a particular FTP (File
Transfer Protocol) site by the malicious batch file detected as
BAT_SPYBOT.ZA. Similar to its earlier variants, this malware has the
following capabilities: 


Terminate processes 
Log keystrokes 
Execute programs 
Obtain names of active windows/dialog boxes 
Create/remove directories 
Scan ports 
Join/quit a channel 
Join/quit an IRC server 
Redirect packet from one port to another 
Send raw message 
List all running processes

Technical details are at this Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SPYBOT.ZA&VSect=T


Lovgate Variant Copies Itself to Windows Folder, Drops Files

W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread
via email, network shares and filesharing networks. 

W32/Lovgate-V copies itself to the Windows system folder as the files
WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows
folder as systra.exe. The worm also drops the files msjdbc11.dll,
mssign30.dll and odbc16.dll which provide unauthorised remote access to the
computer over a network. 

The worm drops ZIP files containing a copy of the worm onto accessible
drives.

The ZIP file may also carry a RAR extension. 
The name of the packed file is chosen from the following list: 

WORK
setup
important
bak
letter
pass 

The name of the contained unpacked file is either PassWord, email or book,
with a file extension of EXE, SCR, PIF or COM.
More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32lovgatev.html


Worm Copies Itself to Temp Folder, Drops Files

W32/Famus-C will make an additional copy of itself as Red7324.exe in the
Temp folder along with other files which are used for mailing the worm.
Among these will be the file SMTP.OCX, which is a freeware SMTP engine used
in the mailing of W32/Famus-C to email addresses found on the computer.
Other dropped files include:

c:/En Cuba no hay libertad de expresion - an empty file 
/temp/Casper9247.exe - used by the worm
/temp/att1.att1 - contains the email's file attachment name
/temp/msg.msg - contains the email's message text
/temp/sub.sub - contains the email's subject line

The email sent by the worm will have the following characteristics:

Subject line:
Famous / Famosos 
Message Text:
¿Sabes por que los famosos son famosos?
¿Do you know why the famous are famous? 
Password: "123" 
Attachment:
Famous.exe 

Another email may also be sent out without a copy of the worm with certain
characteristics. View them and other information at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32famusc.html


Sdbot Worm Variant Sets Registry Entries to Run at System Logon

Sophos also issued an alert for W32/Sdbot-JT, a member of the W32/Sdbot
family of worms. W32/Sdbot-JT copies itself to the Windows system folder as
nmsmtp32.exe and sets the following registry entries to ensure it is run at
system logon: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows driver update = \nmsmtp32.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows driver update = \nmsmtp32.exe 

--Compiled by Esther Shein ~ eSecurityPlanet

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
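The alerts above all boil down to a handful of host artifacts: files dropped into the Windows or system folder (Bagle.Z, Lovgate-V, Sdbot-JT), files dropped into the Temp folder (Famus-C), and Run-key entries that restart the worm at logon (Sdbot-JT). The PowerShell script below is an added example, not code from the eSecurityPlanet newsletter, Trend Micro, Sophos or Mike's post; it sweeps a Windows host for exactly the names and registry paths quoted in the alerts and reports anything it finds. The indicator list is copied from the text above; the folder resolution, the function names and the matching logic are my own assumptions, and a name match is only a lead for further triage (hash the file and check it against the vendor write-up), not proof of infection.

```powershell
# Added example (not from the newsletter or the vendor pages it cites).
# Indicators are taken verbatim from the alerts above; everything else is assumed.

# Run keys named in the W32/Sdbot-JT alert
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Value name the Sdbot-JT alert says the worm writes under the Run keys
$suspectValueNames = @('Windows driver update')

# File names quoted in the alerts, grouped by the folder each is dropped into
$systemFolderFiles = @(
    'DRVDDLL.EXE', 'DRVDDLL.EXEOPEN', 'DRVDDLL.EXEOPENOPEN',        # Worm_Bagle.Z
    'nmsmtp32.exe',                                                 # W32/Sdbot-JT
    'WinHelp.exe', 'iexplore.exe', 'kernel66.dll', 'ravmond.exe',   # W32/Lovgate-V
    'msjdbc11.dll', 'mssign30.dll', 'odbc16.dll'                    # W32/Lovgate-V backdoor DLLs
)
$windowsFolderFiles = @('systra.exe')                               # W32/Lovgate-V
$tempFolderFiles    = @('Red7324.exe', 'Casper9247.exe', 'SMTP.OCX',
                        'att1.att1', 'msg.msg', 'sub.sub')          # W32/Famus-C

function Get-SuspiciousRunEntries {
    # Walk both Run keys and flag entries whose value name or target file
    # matches something quoted in the alerts.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            $value   = [string]$p.Value
            $nameHit = $suspectValueNames -contains $p.Name
            # The alert shows the value as "\nmsmtp32.exe", so match on the file name only
            $fileHit = $systemFolderFiles | Where-Object { $value -match [regex]::Escape($_) }
            if ($nameHit -or $fileHit) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $p.Name
                    Value  = $value
                    Reason = if ($nameHit) { 'value name from alert' } else { 'file name from alert' }
                }
            }
        }
    }
}

function Get-SuspiciousDroppedFiles {
    # Resolve the three folders the alerts mention and look for each listed name.
    $targets = @(
        @{ Dir = [Environment]::GetFolderPath('System');  Names = $systemFolderFiles  }
        @{ Dir = [Environment]::GetFolderPath('Windows'); Names = $windowsFolderFiles }
        @{ Dir = [IO.Path]::GetTempPath();                Names = $tempFolderFiles    }
    )
    foreach ($t in $targets) {
        foreach ($name in $t.Names) {
            $path = Join-Path $t.Dir $name
            if (Test-Path -LiteralPath $path) {
                # Report size and timestamp; the caller should hash the file and
                # compare it with the vendor analysis before acting on it.
                Get-Item -LiteralPath $path |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
    }
}

# Usage: run from an elevated prompt so HKLM and the system folder are readable.
$runHits  = @(Get-SuspiciousRunEntries)
$fileHits = @(Get-SuspiciousDroppedFiles)

if ($runHits.Count -eq 0 -and $fileHits.Count -eq 0) {
    Write-Output 'No indicators from the alerts found on this host.'
} else {
    Write-Output "Run-key hits: $($runHits.Count)"
    $runHits  | Format-Table -AutoSize
    Write-Output "Dropped-file hits: $($fileHits.Count)"
    $fileHits | Format-Table -AutoSize
}
```

Two caveats matter when reading the output. First, `iexplore.exe` is a legitimate name elsewhere on the system; the alert is specific about it living in the Windows system folder, which is why the check is restricted to that folder. Second, the script only knows the names printed in this issue of the newsletter, so a variant that renames its dropper will pass silently; treat it as a quick triage pass that complements, rather than replaces, a current antivirus scan.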



