Virus

W32/Bagle.AZ!worm

Analysis

This variant of the 32-bit Bagle family is packed; the packed file is at least 25,064 bytes in size, and the virus may append garbage or random data beyond hex offset 0x61E8 (25,064 bytes). This threat contains instructions to send itself by SMTP email and to copy itself to folders whose names contain the string "shar", and to network folders.
On an infected system, these files may exist in the System or System32 folder -
bawindo.exe - 25,064+ bytes - copy of the virus
bawindo.exeopen - 18,690+ bytes - copy of the virus
bawindo.exeopenopen - 18,690+ bytes - copy of the virus
The virus may send itself as a file attachment with any of these extensions -
.exe
.scr
.com
.cpl
This variant creates several mutexes in an effort to avoid being removed by variants of the W32/Netsky family of viruses. By creating mutex names that resemble those already used by Netsky variants, this variant of Bagle practically ensures that certain Netsky variants, if run on the infected system, will not terminate its threads. These are the mutexes created -
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Load at Windows Startup
When this virus is run, it copies itself to the System or System32 folder as "bawindo.exe" and then modifies the registry so that it runs automatically at the next Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"bawindo" = C:\WINNT\System32\bawindo.exe
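The persistence entry and the dropped files listed above are the host-level indicators an analyst would check first. The following is an added example, not part of the original analysis, that parses a registry export of the Run key and a file listing and reports entries matching those indicators. The registry text and the file listing are constructed sample input, not data captured from a real system.

```python
import re

# Indicators taken from the analysis: the Run value name, the dropped file
# names and the minimum size of each copy.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "bawindo"
DROPPED_FILES = {            # file name -> minimum size in bytes
    "bawindo.exe": 25064,
    "bawindo.exeopen": 18690,
    "bawindo.exeopenopen": 18690,
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+?)\s*$')


def parse_reg_export(reg_text):
    """Parse .reg export text (as written by 'reg export') into {key: {name: data}}."""
    result = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            # String data is quoted and has its backslashes doubled in a .reg file.
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            result[current][m.group("name")] = data
    return result


def find_run_indicators(reg_text):
    """Return (value name, data) pairs under the HKCU Run key that point at the worm."""
    hits = []
    entries = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, data in entries.items():
        if name.lower() == RUN_VALUE or data.lower().endswith("bawindo.exe"):
            hits.append((name, data))
    return hits


def find_dropped_files(listing):
    """listing maps full path -> size in bytes; return paths matching a dropped copy."""
    hits = []
    for path, size in listing.items():
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        minimum = DROPPED_FILES.get(base)
        if minimum is not None and size >= minimum:
            hits.append(path)
    return sorted(hits)


# Constructed sample input (hypothetical system, not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"bawindo"="C:\\WINNT\\System32\\bawindo.exe"
'''

SAMPLE_LISTING = {
    r"C:\WINNT\System32\bawindo.exe": 25064,
    r"C:\WINNT\System32\bawindo.exeopen": 18690,
    r"C:\WINNT\System32\notepad.exe": 69120,
}

if __name__ == "__main__":
    print(find_run_indicators(SAMPLE_REG))
    print(find_dropped_files(SAMPLE_LISTING))
```

The size check is deliberately a lower bound, because the analysis notes that the file may carry appended garbage beyond 25,064 bytes, so an exact-size match would miss padded copies.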
Email Spreading
When this virus is run, it harvests email addresses by searching files with specific extensions. Next, the virus constructs an email message with an infected attachment, using varied subject lines and body text. The attachment file names vary, and the attachment is at least 25,064 bytes in size. The "From" address is spoofed, as with other Bagle variants.
Email Formats
The virus may send itself in varied formats and configurations, based on random selection from hard-coded tables.
Remote Access Capability
This virus will open TCP port 81 and may function as an SMTP email proxy server. Port 81 is also used by secure HTTP protocol (HTTPS).
"Shar" Folder Propagation
The virus copies itself to every folder on the fixed drives of the infected system whose name contains the string "shar". It copies itself to these folders under these file names -
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Opera 8 New!.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Serials.txt.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
XXX hardcore images.exe
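A defender sweeping file servers for this propagation method needs to look only at folders whose names contain "shar" and at the lure file names above. The following is an added example, not part of the original analysis, that walks a directory tree and reports such files; the directory layout it builds is constructed in a temporary folder with placeholder bytes, not real worm content.

```python
import os
import shutil
import tempfile

# Lure file names from the analysis, lower-cased for case-insensitive matching.
LURE_NAMES = {name.lower() for name in [
    "ACDSee 9.exe",
    "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Opera 8 New!.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe",
    "Porno Screensaver.scr",
    "Serials.txt.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Windows Sourcecode update.doc.exe",
    "Windown Longhorn Beta Leak.exe",
    "XXX hardcore images.exe",
]}


def scan_share_folders(root):
    """Return root-relative paths (forward slashes) of lure-named files that sit
    directly in a folder whose own name contains 'shar' (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            if name.lower() in LURE_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree (hypothetical layout) and return its root."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    layout = {
        "Shared Docs": ["report.doc", "Serials.txt.exe", "Opera 8 New!.exe"],
        "Music": ["Serials.txt.exe"],          # not in a 'shar' folder: not reported
        "FileShare": ["KAV 5.0", "readme.txt"],
    }
    for folder, files in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"X" * 16)            # placeholder bytes, not malware
    return root


def demo():
    """Build the sample tree, scan it, and clean up; returns the scan result."""
    root = build_sample_tree()
    try:
        return scan_share_folders(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The scan only reports a lure name when it sits inside a "shar" folder, which mirrors what the analysis describes; a copy of "Serials.txt.exe" in a folder named "Music" is still worth reviewing, but it is not this propagation path.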

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of these extensions -
    .COM
    .SCR
    .EXE
    .CPL
    across SMTP, POP3 and IMAP - it may require adding some of these extensions to the list
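The extension blocking recommended above is normally configured on the gateway, but the same check is easy to express in code, which makes it possible to test a mail filter against sample messages. The following is an added example, not part of the original page or of any Fortinet product; it builds a constructed message with one attachment and reports any attachment whose final extension is in the blocked set, so a double extension such as "Serials.txt.exe" is still caught.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the page recommends blocking across SMTP, POP3 and IMAP.
BLOCKED_EXTENSIONS = {".com", ".scr", ".exe", ".cpl"}


def attachment_names(msg):
    """Yield the file name of every non-multipart part that carries one,
    taken from Content-Disposition or, failing that, Content-Type."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def blocked_attachments(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Parse a raw RFC 5322 message and return attachment names whose final
    extension (case-insensitive) is in the blocked set."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    for name in attachment_names(msg):
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in blocked:
            hits.append(name)
    return hits


def build_sample_message(filename):
    """Construct a message with a single binary attachment (constructed sample,
    not a captured worm email); the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ["Serials.txt.exe", "Porno Screensaver.scr", "photo.jpg"]:
        print(name, "->", blocked_attachments(build_sample_message(name)))
```

Matching on the last extension only, after lower-casing, is what makes the filter robust to both the mixed-case ".CPL" style shown in the recommendation and the "something.doc.exe" double extensions used by this worm.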