Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Bagle.AI is an internet worm spreading as an e-mail attachment. It arrives in a ZIP file containing two files: price.html and price.exe
When price.html is opened, it executes the price.exe file.
Price.exe has 14848 bytes. When executed, it copies itself into the %system% directory using a name WINDirect.exe. It creates a value with name win_upd2.exe in the following Registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunThe value points to WINDirect.exe.
Then a 11776 bytes long downloader is dropped into %system%\_dll.exe. This downloader is executed by injecting code into the explorer.exe process. It tries to terminate following processes:
It has a list of 204 URLs it repeatedly tries to download, save as "~.exe" in %windir% and execute. This way, the Win32/Bagle.AI executable is downloaded and launched. Size of this file is about 19 kB. It copies itself into %system%/windll.exe. Two other files, named "windll.exeopen" and "windll.exeopenopen" are created in the same directory. These files are identical to the windll.exe
The worm searches for addresses for further spreading in files with one of these extensions:
It contains a list of strings it compares against found addresses. This way it avoids sending itself to addresses containing some of the following:
Win32/Bagle.AI starts sending e-mails to addressess it found.
Subject of the message is blank. Body of the message is either "price" or "new price".
The messages carry the ZIP archive mentioned earlier as an attachment. Its name is picked from the following list:
The worm is also able to spread by copying itself into directories with names that contain a substring "shar". It uses the following filenames:
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Besides the Bagle mailer executable, the downloader is also able to download another executable. The file is 2052 bytes long. When it's started for the first time, it visits http://www.die-cliquee.de/get.php. Whatever there is, it is downloaded, saved into %windir% with random filename, and executed. However, this URL might only be used for notification purposes. The executable also listens on TCP port 12345, but it closes incoming connections after a short delay.
NOD32 detected Win32/Bagle.AI worm using advanced heuristics without an update.
Detection using a sample is added since version 1.836.
Š 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.