CME-473: Beagle/Bagle worm variant (11/22/2004)
Date added to list: 11/22/2004
Aliases:
- Computer Associates: Win32.Bagle.AQ
- Kaspersky Lab: Email-Worm.Win32.Bagle.at
- McAfee: W32/Bagle.bb@MM
- Norman: W32/Bagle.AQ@mm
- Sophos: W32/Bagle-AU
- Symantec: W32.Beagle.AV@mm
- Trend Micro: WORM_BAGLE.AT
- F-Secure: Bagle.AT
- Panda: Bagle.BC
- Secunia: Bagle.AQ
Removal Tools:
Virus Characteristics (from sources above):
- Creates these files:
  - %System%\wingo.exe
  - %System%\wingo.exeopen
  - %System%\wingo.exeopenopen
- May also create these files:
  - %System%\wingo.exeopenopenopen
  - %System%\wingo.exeopenopenopenopen
- Creates the following Registry value:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “wingo” = C:\WINNT\SYSTEM32\WINGO.EXE
- Adds the value:
  - “Timekey” = “[Random variables]” to HKEY_CURRENT_USER\Software\Microsoft\Params
- Terminates processes of security programs
- Tries to download %System%\re_file.exe from various websites hard-coded into the virus and run it.
- Searches the hard disk for folders whose names contain the string “shar” and copies infected files into them in order to spread through peer-to-peer networks
- Tries to stop these operating system services:
  - “SharedAccess” – Internet Connection Sharing
  - “wscsvc” – MS Security Center
- Opens a backdoor on TCP port 81
- Deletes values from the Run section of the Registry that belong to certain security programs, to prevent them from running at startup
- Searches for e-mail addresses contained in various files located on the infected computer.
- Uses its own built-in SMTP engine to send e-mails to the addresses it found on the infected computer, spoofing the sender address and skipping addresses that contain certain strings. The e-mails carry an infected attachment with a .com, .cpl, .exe, or .scr file extension.
- Also deletes registry entries related to the Netsky virus, and creates mutexes to keep that virus from running and to keep multiple copies of itself from running.
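The host indicators listed above (the wingo.exe drop files with their repeated “open” suffixes, the Run and Params registry values, and the TCP/81 listener) can be turned into a simple triage check. This is an added example and not code from the original post or from any of the vendors cited; it assumes the file list, registry values and listening ports have already been collected from the host into Python lists, and the sample artifacts are constructed.

```python
import re

# Indicators from the Bagle.AT description. The file-name pattern covers
# wingo.exe followed by any number of "open" suffixes (wingo.exeopen, ...).
WINGO_FILE_RE = re.compile(r"wingo\.exe(?:open)*$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
PARAMS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Params"
BACKDOOR_PORT = 81

def triage(files, registry, listeners):
    """Return human-readable findings for the Bagle.AT host indicators.

    files     - iterable of full paths collected from %System%
    registry  - list of (key, value_name, data) tuples
    listeners - list of (protocol, local_port) tuples from a netstat-style dump
    """
    findings = []
    for path in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if WINGO_FILE_RE.search(name):
            findings.append(f"dropped file: {path}")
    for key, name, data in registry:
        if key.lower() == RUN_KEY.lower() and name.lower() == "wingo":
            findings.append(f"autorun value: {key}\\{name} = {data}")
        if key.lower() == PARAMS_KEY.lower() and name.lower() == "timekey":
            findings.append(f"marker value: {key}\\{name}")
    for proto, port in listeners:
        if proto.upper() == "TCP" and port == BACKDOOR_PORT:
            findings.append(f"listener on TCP/{port} (possible backdoor)")
    return findings

# Constructed sample artifacts, not taken from a real host.
SAMPLE_FILES = [
    r"C:\WINNT\SYSTEM32\wingo.exe",
    r"C:\WINNT\SYSTEM32\wingo.exeopenopen",
    r"C:\WINNT\SYSTEM32\winlogon.exe",  # benign, must not match
]
SAMPLE_REGISTRY = [
    (RUN_KEY, "wingo", r"C:\WINNT\SYSTEM32\WINGO.EXE"),
    (PARAMS_KEY, "Timekey", "0x3f9a"),  # constructed random marker
    (RUN_KEY, "Explorer", r"C:\WINNT\explorer.exe"),  # benign
]
SAMPLE_LISTENERS = [("TCP", 81), ("TCP", 445), ("UDP", 81)]

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_LISTENERS):
        print(line)
```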
Trend Micro Behavior Diagram

Please report any errors or broken links in the comments section.