Since quite a few reports of this are coming in, it seemed like a good idea to warn everyone in advance.
It is an e-mailer, so most people here can go and look for another topic.
Even RAV has written/sent out an e-mail, which hasn't happened in a very long time. So I used RAV's write-up.
List of links to write-ups from some other vendors:
http://www.viruslist.com/eng/alert.html?id=783050
http://us.mcafee.com/viru...escription&virus_k=100965
http://www.f-secure.com/v-descs/bagle.shtml
http://securityresponse.s...data/w32.beagle.a@mm.html
http://www.trendmicro.com...t5.asp?VName=WORM_BAGLE.A
This is a new internet worm reported in the wild. It arrives on a system as a randomly named executable attachment of around 15 KB. The e-mail has the following pattern:
From: might be spoofed
Subject: Hi
Body:
Test =)
[Random Characters][Random Characters]
--
Test, yep
Bagle starts by checking whether the current date is January 28, 2004 or later. If so, it will attempt to delete itself using a temporary batch file. This means that if the worm is executed on or after that specific date, it will try to stop its own spreading.
If the registry key HKCU\Software\Windows98 exists, a randomly generated 9-digit number will be stored for later use.
Then an unnamed mutex will be created to avoid multiple instances of the worm running at the same time. A copy of itself, named bbeagle.exe, will be dropped inside the %SYSTEM% directory and a registry value named "d3dupdate.exe" will be added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, pointing to bbeagle.exe - this way, the worm will be executed each time a user logs on.
Another registry value, HKCU\Software\Windows98\Ffrun, will be set to TRUE.
If the worm is not running from the %SYSTEM% directory and the "-upd" parameter was not specified (when the attachment is executed), the worm will spawn a copy of "calc.exe" - most likely to seem less suspicious.
Then a backdoor component will be spawned on local port 6777 and the author will be notified by posting data to the following remote web sites (a remote script named 1.php will be invoked with parameters containing information about the local IP and the local port used by the backdoor, helping the author to track infected computers and connect to the backdoor):
[list of servers]
If running for the first time, all the .WAB, .TXT, .HTM and .HTML files on all fixed drives will be searched for valid e-mail addresses - these addresses will be used by the replication routine.
The backdoor is able to accept remote commands - the only command implemented in this version is "Update" - the author can connect and send binary executables to the infected computer - this can be used to update the worm, but also to deploy other malware.
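As an added example (not from the original post or from RAV's write-up), here is a Python check a mail gateway could run against the e-mail pattern described above: the subject, body layout and ~15 KB randomly named executable attachment come from the write-up; the size window, the list of executable extensions and the constructed sample message are my assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the write-up above; the size window and the
# extension list are assumptions made for this example.
SUBJECT = "hi"
BODY_RE = re.compile(r"\ATest =\)\s*\n.*\n--\s*\nTest, yep\s*\Z", re.DOTALL)
EXE_EXTS = (".exe", ".scr", ".pif", ".com")    # assumption: executable types to flag
SIZE_WINDOW = (10 * 1024, 20 * 1024)           # write-up says "around 15Kb"


def executable_attachments(msg):
    """Yield (filename, decoded size) for attachments with an executable extension."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXE_EXTS):
            payload = part.get_payload(decode=True) or b""
            yield name, len(payload)


def matches_bagle_a(raw):
    """Return the list of Bagle.A indicators matched by a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().replace("\r\n", "\n") if body_part else ""
    if BODY_RE.search(body):
        hits.append("body")
    for name, size in executable_attachments(msg):
        if SIZE_WINDOW[0] <= size <= SIZE_WINDOW[1]:
            hits.append("attachment:" + name)
    return hits


def build_sample():
    """Constructed sample message in the described pattern (dummy payload, no real worm)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"     # the write-up notes From: may be spoofed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Hi"
    msg.set_content("Test =)\nqwpoeiruy zxcvbn\n--\nTest, yep\n")
    msg.add_attachment(b"\x00" * 15_000, maintype="application",
                       subtype="octet-stream", filename="ertyuiop.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(matches_bagle_a(build_sample()))   # ['subject', 'body', 'attachment:ertyuiop.exe']
```

A gateway rule would normally act only when all three indicators match, since a subject of "Hi" alone is obviously common in legitimate mail.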