
Win32.Bagle.AD@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Bagle.AD@mm.

Explanation:

The virus arrives via e-mail in the following formats:

Subject: (one of the following)

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Body: (one of the following)

Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

The attachment's name is one of the following:

Information
Details
Updates
Readme
Document
Info
MoreInfo
Message
Sources

The attachment's extension is one of the following:

.exe
.scr
.com
.zip
.vbs
.hta
.cpl

If the attachment is a password-protected zip file, one of the following phrases may also appear in the body (the "..." stands for the archive password):

For security reasons attached file is password protected. The password is ...
For security purposes the attached file is password protected. Password -- ...
Note: Use password ... to open archive.
Attached file is protected with the password for security reasons. Password is ...
In order to read the attach you have to use the following password: ...
Archive password: ...
Password - ...
Password: ...

When run, the virus will do the following:

1. Displays a fake error message: "Can't find a viewer associated with the file"

2. Creates the aforementioned registry entry so that it runs at system startup

3. Creates the aforementioned files in the %SYSTEM% folder

4. Scans all fixed drives for e-mail addresses in files with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

5. Scans all fixed drives for folders whose names contain "shar" (e.g. shared folders) and drops copies of itself there under the following names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

6. Deletes registry keys created by variants of the NetSky virus

7. Creates mutexes so that variants of the NetSky virus will not run

8. Uses its own SMTP engine to send itself to the harvested addresses; it skips addresses containing any of the following strings:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, pgp, @avp., noreply, local, root@, postmaster@

9. Opens a backdoor on port 1234

Last update 21 November 2011
