17/07/2004, 21:52   #1

Code:
 Worm.Win32.Bagle.AF

 Symptoms:

    * Files:
      %SYSDIR%\loader_name.exe
      %SYSDIR%\loader_name.exeopen
      %SYSDIR%\loader_name.exeopenopen
      where %SYSDIR% is the Windows System directory (e.g. C:\Windows\System, C:\WinNT\System32)
    * Registry key:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      with the value:
      "reg_key"="%SYSDIR%\loader_name.exe"
    * Port 1234 opened (see it using "netstat -a" at the command prompt)


Technical description:
The worm comes by mail in the following form:

From: [spoofed]

Subject: one of the following:

    * Re: Msg reply
    * Re: Hello
    * Re: Yahoo!
    * Re: Thank you!
    * Re: Thanks 
    * RE: Text message
    * Re: Document
    * Incoming message
    * Re: Incoming Message
    * RE: Incoming Msg
    * RE: Message Notify
    * Notification
    * Changes..
    * Update
    * Fax Message
    * Protected message
    * RE: Protected message
    * Forum notify
    * Site changes
    * Re: Hi
    * Encrypted document


Attachment: has a .exe, .scr, .com, .zip, .vbs, .hta or .cpl extension and one of the following names:

    * Information
    * Details
    * text_document
    * Updates
    * Readme
    * Document
    * Info
    * Details
    * MoreInfo
    * Message
    * Sources


Body text: may contain one or more of the following:

    * Read the attach.
    * Your file is attached.
    * More info is in attach
    * See attach.
    * Please, have a look at the attached file.
    * Your document is attached.
    * Please, read the document.
    * Attach tells everything.
    * Attached file tells everything.
    * Check attached file for details.
    * Check attached file.
    * Pay attention at the attach.
    * See the attached file for details.
    * Message is in attach
    * Here is the file.
    * For security reasons attached file is password protected. The password is [password]
    * For security purposes the attached file is password protected. Password -- [password]
    * Note: Use password [password] to open archive.
    * Attached file is protected with the password for security reasons. Password is [password]
    * In order to read the attach you have to use the following password: [password]
    * Archive password: [password]
    * Password - [password]
    * Password: [password]



When run, the worm displays a fake error message:

Can't find a viewer associated with the file

and creates one of the following mutexes:

    * |MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    * 'D'r'o'p'p'e'd'S'k'y'N'e't'
    * _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    * [SkyNet.cz]SystemsMutex
    * AdmSkynetJklS003
    * _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_


then creates the following files:

    * %SYSDIR%\loader_name.exe -- worm executable file
      where %SYSDIR% is the Windows System directory (e.g. C:\Windows\System, C:\WinNT\System32)
    * %SYSDIR%\loader_name.exeopen -- worm copy with some garbage appended
    * %SYSDIR%\loader_name.exeopenopen -- worm zipped (may be password protected)


and creates the registry key:

    * HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      with the value:
      "reg_key"="%SYSDIR%\loader_name.exe"


The key above is created ten times per second, so deleting it will not help unless the process (loader_name.exe) is killed.

The worm tries to remove the following registry keys:

    * HKCU\Software\Microsoft\Windows\My AV
    * HKCU\Software\Microsoft\Windows\Zone Labs Client Ex
    * HKCU\Software\Microsoft\Windows\9XHtProtect
    * HKCU\Software\Microsoft\Windows\Antivirus
    * HKCU\Software\Microsoft\Windows\Special Firewall Service
    * HKCU\Software\Microsoft\Windows\service
    * HKCU\Software\Microsoft\Windows\Tiny AV
    * HKCU\Software\Microsoft\Windows\ICQNet
    * HKCU\Software\Microsoft\Windows\HtProtect
    * HKCU\Software\Microsoft\Windows\NetDy
    * HKCU\Software\Microsoft\Windows\Jammer2nd
    * HKCU\Software\Microsoft\Windows\FirewallSvr
    * HKCU\Software\Microsoft\Windows\MsInfo
    * HKCU\Software\Microsoft\Windows\SysMonXP
    * HKCU\Software\Microsoft\Windows\EasyAV
    * HKCU\Software\Microsoft\Windows\PandaAVEngine
    * HKCU\Software\Microsoft\Windows\Norton Antivirus AV
    * HKCU\Software\Microsoft\Windows\KasperskyAVEng
    * HKCU\Software\Microsoft\Windows\SkynetsRevenge
    * HKCU\Software\Microsoft\Windows\ICQ Net


To mail itself, the worm searches the local hard-disk for e-mail addresses inside files with the following extensions:

.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

and uses its own SMTP engine to resolve the target mail server and to send mail to it, skipping e-mail addresses that contain:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@.

Also the worm copies itself to directories that have shar in their names (for instance the P2P shared folders) with one of the following names:

    * Microsoft Office 2003 Crack, Working!.exe
    * Microsoft Windows XP, WinXP Crack, working Keygen.exe
    * Microsoft Office XP working Crack, Keygen.exe
    * Porno, sex, oral, anal cool, awesome!!.exe
    * Porno Screensaver.scr
    * Serials.txt.exe
    * KAV 5.0
    * Kaspersky Antivirus 5.0
    * Porno pics arhive, xxx.exe
    * Windows Sourcecode update.doc.exe
    * Ahead Nero 7.exe
    * Windown Longhorn Beta Leak.exe
    * Opera 8 New!.exe
    * XXX hardcore images.exe
    * WinAmp 6 New!.exe
    * WinAmp 5 Pro Keygen Crack Update.exe
    * Adobe Photoshop 9 full.exe
    * Matrix 3 Revolution English Subtitles.exe
    * ACDSee 9.exe



The worm also runs as a backdoor on port 1234.

[Source]: BitDefender VirusInfo


Hoping it doesn't land on you
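The description above lists two kinds of indicators a defender can act on: the mail lure (subject, attachment name and extension, body phrases and password lines) and the host artifacts (the X.exe / X.exeopen / X.exeopenopen file triplet in the system directory, the Run-key value pointing at it, the mutex names and the TCP listener on port 1234). The following Python module, an added example that is neither BitDefender's code nor the poster's, turns those lists into simple checks. The indicator values are taken from the post as given; because the post uses placeholder names (loader_name.exe, reg_key, %SYSDIR%), the host checks key on the file-name pattern and the system directory rather than on a fixed name. All e-mails, directory listings, Run-key values and netstat output fed to the functions are constructed sample data.

```python
"""Detection helpers for the Bagle.AF indicators quoted in the post.

Added example, not BitDefender's or the poster's code. Indicator values
are those listed in the post; every input below is constructed sample
data, and loader_name.exe / reg_key are the post's own placeholders.
"""

# ---- Mail lure signature (values as listed in the post) ----
SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document")}
ATTACH_NAMES = {n.lower() for n in (
    "Information", "Details", "text_document", "Updates", "Readme", "Document",
    "Info", "MoreInfo", "Message", "Sources")}
ATTACH_EXTS = {".exe", ".scr", ".com", ".zip", ".vbs", ".hta", ".cpl"}
# Fixed fragments of the body lines in the post; a substring match is enough here.
BODY_PHRASES = ("read the attach", "file is attached", "more info is in attach",
                "see attach", "attached file", "document is attached",
                "read the document", "message is in attach", "here is the file")
PASSWORD_PHRASES = ("password protected", "use password", "following password",
                    "archive password", "password is", "password:", "password -")


def mail_indicators(subject, attachment_name, body):
    """Return the set of lure elements one message matches."""
    hits = set()
    if subject.strip().lower() in SUBJECTS:
        hits.add("subject")
    stem, dot, ext = attachment_name.rpartition(".")
    if dot and stem.lower() in ATTACH_NAMES and "." + ext.lower() in ATTACH_EXTS:
        hits.add("attachment")
    low = body.lower()
    if any(p in low for p in BODY_PHRASES):
        hits.add("body")
    if any(p in low for p in PASSWORD_PHRASES):
        hits.add("password")
    return hits


def is_bagle_lure(subject, attachment_name, body):
    """Flag a message when the attachment matches and at least one other element does."""
    hits = mail_indicators(subject, attachment_name, body)
    return "attachment" in hits and len(hits) >= 2


# ---- Host indicators ----
MUTEXES = {
    "|MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D", "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_", "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"}


def loader_triplets(filenames):
    """Names X.exe for which X.exeopen and X.exeopenopen also exist (case-insensitive)."""
    names = {f.lower() for f in filenames}
    return sorted(f for f in names
                  if f.endswith(".exe") and f + "open" in names and f + "openopen" in names)


def suspicious_run_values(run_values, triplets, sysdir=r"c:\windows\system32"):
    """Run-key value names whose command is one of the triplet loaders inside sysdir."""
    out = []
    for name, command in run_values.items():
        path = command.strip().strip('"').lower()
        if path.startswith(sysdir.lower()) and path.rsplit("\\", 1)[-1] in triplets:
            out.append(name)
    return out


def listening_on_1234(netstat_output):
    """True if 'netstat -a' style output shows a TCP listener on port 1234."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "TCP"
                and parts[1].endswith(":1234") and parts[-1] == "LISTENING"):
            return True
    return False


def host_report(filenames, run_values, netstat_output, mutex_names):
    """Combine the host checks; the Run key is rewritten constantly, so kill the process first."""
    triplets = loader_triplets(filenames)
    return {
        "loaders": triplets,
        "run_values": suspicious_run_values(run_values, triplets),
        "port_1234": listening_on_1234(netstat_output),
        "mutexes": sorted(MUTEXES & set(mutex_names)),
    }


# Constructed sample data, not captured from a real host.
SAMPLE_FILES = ["ctfmon.exe", "loader_name.exe", "loader_name.exeopen",
                "loader_name.exeopenopen", "tool.exe", "tool.exeopen"]
SAMPLE_RUN = {"ctfmon": r"C:\Windows\System32\ctfmon.exe",
              "reg_key": r"C:\Windows\System32\loader_name.exe"}
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1234        192.0.2.20:49152       ESTABLISHED
"""

if __name__ == "__main__":
    print(host_report(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_NETSTAT, ["AdmSkynetJklS003"]))
    print(is_bagle_lure("Re: Hello", "Details.zip",
                        "For security reasons attached file is password protected. "
                        "The password is 12345"))
```

The mail check deliberately requires the attachment to match before any other element counts, since subjects such as "Update" or "Notification" are common in legitimate mail. On the host side, `host_report` orders the evidence the way the post does: a loader triplet plus a Run value pointing at it means the process is still rewriting the key, so the process has to be stopped before the key is deleted.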