July 04, 2009

Hot topics :

All Alerts»

Bagle Variants J,K Begin Spreading

The Bagle worm continued making its way through the alphabet Wednesday as two more variants, W32/Bagle.j@MM and W32/Bagle-K began spreading. W32/Bagle.j@MM is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages

harvests email addresses from the victim machine

the From: address of messages is spoofed

attachment can be a password-protected zip file, with the password included in the message body.

contains a remote access component (notification is sent to hacker)

copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc.)

The message-bodies are constructed with several parts, to effectively customize the email, to make it appear to be a legitimate warning notification. The details are as follows:

From: (address is spoofed)
Subject:

E-mail account security warning.

Notify about using the e-mail account.

Warning about your e-mail account.

Important notify about your e-mail account.

Email account utilization warning.

Notify about your e-mail account utilization.

E-mail account disabling warning.

Body Text:
Greeting--

Dear user of (user's domain),

Dear user of (user's domain) gateway e-mail server,

Dear user of e-mail server "(user's domain) ",

Hello user of (user's domain) e-mail server,

Dear user of "(user's domain) " mailing system,

Dear user, the management of (user's domain) mailing system wants to let you know that, (Where the user's domain is chosen from the To: address. For example the user's domain for user@mail.com would be "mail.com")

Threat Alerts

Latest Malware

Most Dangerous Malware

Email Article
Print Article
Comment on this article
Share Articles
- Digg
- DZone
- Reddit
- Slashdot
- StumbleUpon
- del.icio.us
- Facebook
- FriendFeed
- Furl

Main message body-

Your e-mail account has been temporary disabled because of unauthorized access.

Our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

Our antivirus software has detected a large amount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Attachment explanation-

For more information see the attached file.

Further details can be obtained from attached file.

Advanced details can be found in attached file.

For details see the attach.

For details see the attached file.

For further details see the attach.

Please, read the attach for further details.

Pay attention on attached

For more information visit this Network Associates page.

W32/Bagle-J is an email worm that sends itself via its own SMTP engine to addresses harvested from a hard disk. The worm searches for files with the extensions WAB, TXT, MSG, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB, SHT, UIN and CGI.

The worm copies itself to the Windows system folder as IRUN4.EXE and creates the file IRUN4.EXEOPEN (a copy of the worm in a password protected ZIP format) in the same folder.

W32/Bagle-J adds the value:
ssate.exe = \irun4.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-J runs every time a user logons to his or her computer.

Emails have the following characteristics:
Subject lines:
E-mail account security warning.
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.

Message texts (constructed from a choice of the following):
"Dear user of ,"
"Dear user of gateway e-mail server,"
"Dear user of e-mail server "","
"Hello user of e-mail server,"
"Dear user of "" mailing system,"
"Dear user, the management of mailing system wants to let you know that," and
"Your e-mail account has been temporary disabled because of unauthorized access."
"Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service."
"Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information."
"We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions."
"Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software."
"Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay Trojan server. In order to keep your computer safe, follow the instructions."
and
"For more information see the attached file."
"Further details can be obtained from attached file."
"Advanced details can be found in attached file."
"For details see the attach."
"For details see the attached file."
"For further details see the attach."
"Please, read the attach for further details."
"Pay attention on attached file."
and
"For security reasons attached file is password protected. The password is ""."
"For security purposes the attached file is password protected. Password is ""."
"Attached file protected with the password for security reasons. Password is ."
"In order to read the attach you have to use the following password: ."
and
"Sincerely,"
"Best wishes,"
"Have a good day,"
"Cheers,"
"Kind regards,"
"The Management,"
and
"The team, http://www."
Attached file (a password protected ZIP archive):
Attach
Information
Readme
Document
TextDocument
TextFile
MoreInfo
Message
More information is at this Sophos page.

According to Central Command, Worm/Bagle.J is an Internet worm that spreads through e-mail by using addresses it collects from files it searches with the following file extensions, *.wab, *.txt, *.htm, *.html, *.dbx, *.mdx, *.eml, *.nch, *.mmf, *.ods, *.cfg, *.asp, *.php, *.pl, *.adb, *.sht. The worm does not propagate to the following email adresses: @avp, @hotmail.com, @microsoft, @msn.com, local, noreply, postmaster@, root@.

It arrives with either a EXE, PIF or ZIP file. More information is at this Central Command page.

Bagle K Worm Similar to J Variant

W32/Bagle-K is an email worm that sends itself via its own SMTP engine to addresses harvested from a user's hard disk, Sophos reports. The worm searches for files with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB and SHT.

When run, the worm opens copies itself to the Windows system folder as winsys.exe and creates the following files in the same folder:
W32/Bagle-K adds the value ssate.exe = \winsys.exe to the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

This means that W32/Bagle-K runs every time a user logons to his or her computer.

Emails have the following characteristics:
Sender: One of:
management@(recipient_internet_domain)
administration@(recipient_internet_domain)
staff@(recipient_internet_domain)
noreply@(recipient_internet_domain)
support@(recipient_internet_domain)
Subject lines:
E-mail account security warning
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.
Message text: Randomly combined by taking one string from each of the following paragraphs:
Dear user of (recipient_internet_domain)
Dear user of (recipient_internet_domain) e-mail server gateway,
Dear user of e-mail server (recipient_internet_domain)",
Hello user of (recipient_internet_domain) e-mail server,
Dear user of (recipient_internet_domain)" mailing system,
Dear user, the management of mailing system wants to let you know that,
and
Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software. Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
and
For more information see the attached file.
Further details can be obtained from attached file.
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
Please, read the attach for further details.
Pay attention on attached file.
and
For security reasons attached file is password protected. The password is "(randomly_generated_numeric_pasword)".
For security purposes the attached file is password protected. Password is "(randomly_generated_numeric_pasword)".
Attached file is protected with the password for security reasons. Password is "(randomly_generated_numeric_pasword).
In order to read the attach you have to use the following password: "(randomly_generated_numeric_pasword).
and
The Management,
Sincerely,
Best wishes,
Have a good day,
Cheers,
Kind regards,
and
The (recipient_internet_domain> team http://www. Attached file: a randomly named ZIP archive. The name is chosen from:
Attach
Information
Readme
Document
Info
TextDocument
Text
MoreInfo
Message

View an example of how the worm could appear if a company's domain name was XYZCORP.COM at this Sophos page.

According to Symantec, the W32.Beagle.K@mm worm:

Is a variant of W32.Beagle.J@mm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.

Sends the attacker the port on which the backdoor listens, as well as the IP address.

Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.

The email has the following characteristics:
From: Spoofed to appear as though its coming from the one of the following addresses at the recipient's domain:

management

administration

staff

noreply

support

Attachment: A randomly named .exe file, inside a .zip file, or a .pif file. The zip file will be password-protected.

Technical details are at this Symantec page.

Worm_Bagle.K has both worm and backdoor functionalities, and is similar to WORM_BAGLE.J, according to Trend Micro. It spreads by sending itself via email to addresses it gathers from certain files in the infected machine. The email message it sends out has varying subjects, message bodies, and attachment file names. It usually arrives bearing the Wordpad icon.

It opens port 2745, enabling it to download and execute an updated copy of itself. This UPX-compressed worm also terminates certain processes and runs on Windows 95, 98, ME, NT, 2000, and XP.

Technical details are at this Trend Micro page.

--Compiled by Esther Shein

IT Offers