W32/Bagle-C, D, E, F i G
(1. ožujka 2004., 8. ožujka 2004.)

 

Sophos nas je obavijestio o pojačanoj aktivnosti crva iz obitelji W32/Bagle (C, D, E, F, G) za koji je primio veći broj prijava otkrivanja. Qubis d.o.o. je do primio nekoliko dojava otkrivanja ovog crva u Hrvatskoj. Crve W32/Bagle-* prepoznavat će Sophos Anti-Virus za travanj 2004. (v.3.80).

Instalacije svih korisnika koji koriste EMLibrary, Sophosov alat za automatizirano dograđivanje putem Interneta, dograđene su automatski 28. veljače 2004., kada je objavljena prva verzija ove dogradnje ili nakon toga, ovisno o tome kako je podešena učestalost dograđivanja.

Svim korisnicima preporučujemo da, ako već nisu, svoje programe Sophos Anti-Virus odmah dograde hitnom dogradnjom za prepoznavanje ovog crva, koju možete naći na http://www.sophos.com/downloads/ide/.

Vrsta

Win32 crv

Način širenja

Širi se elektroničkom poštom kao privitak s nastavkom .EXE (inačice crva C, D, i E) ili .EXE, .SCR, .ZIP (inačice F i G). Koristi vlastiti SMTP mehanizam, a u polja From: i To: stavlja adrese koje pronađe na disku inficiranog računala.

Inačice F i G se šire i 'peer-to-peer' mrežama.

Aktivnosti / Simptomi / Posljedice

Elektronička poruka

Elektronička poruka s inficiranom datotekom može sadržavati sljedeće dijelove:

W32/Bagle-C, D, E

Pošiljatelj (From:)
(slučajno odabrana adresa)
Primatelj (To:)
(slučajno odabrana adresa)
Subjekt (Subject:)
  • Price
  • New Price-list
  • Hardware devices price-list
  • Weekly activity report
  • Daily activity report
  • Maria
  • Jenny
  • Jessica
  • Registration confirmation
  • USA government abolishes the capital punishment
  • Freedom for everyone
  • Flayers among us
  • From Hair-cutter
  • Melissa
  • Camila
  • Price-list
  • Pricelist
  • Price list
  • Hello my friend
  • Hi!
  • Well...
  • Greet the day
  • The account
  • Looking for the report
  • You really love me? he he
  • You are dismissed
  • Accounts department
  • From me
  • Monthly incomings summary
  • The summary
  • Proclivity to servitude
  • Ahtung!
  • The employee
Poruka (Message:)
(nema poruke)
Privitak (Attachment:)
  • <slučajno odabrani znakovi>.zip

W32/Bagle-F, G

Pošiljatelj (From:)
(slučajno odabrana adresa)
Primatelj (To:)
(slučajno odabrana adresa)
Subjekt (Subject:)
  • Hokki =)
  • Weah, hello! :-)
  • Weeeeee! :)))
  • Hi! :-)
  • My Name is Frenk
  • groom
  • Fotograf
  • Photoalbum
  • My photoalbum
  • Myphotos
  • My photos
  • My beautiful person
  • beautiful
  • Wau... beautiful (-:
  • Gallery photos
  • caroline
  • Katrina
  • kleopatra
  • Caitie
  • Mary-Anne
  • Lisa
  • Bad girl
  • Julie
  • Aline
  • Anna
  • Barbi
  • Katrina
  • Juli
  • Mary
  • Mandy
  • Sara
  • rebecca
  • Jammie
  • kate
  • Audra
  • stacy
  • Rena
  • Kelley
  • Tammy
  • ello! =))
  • Hey, ya! =))
  • ^_^ meay-meay!
  • ^_^ meay-meay!
  • ^_^ mew-mew (-:
  • Hey, dude, it's me ^_^ :P
Poruka (Message:)
  • Argh, i don't like the plaintext :)
    Fell free to chat with me I accept all ages. Don't worry I don't bite........
    hope to hear from you soon!
  • If you are going to make me cry, at least be there to wipe away the tears
    *Right now the worst thing for you to tell me that I can find someone better
    thanyou, especially when you are all I want
  • You don't know what you've got till it's gone *You hurt me more than I
    deserve, how can you be so cruel? I love you more thanyou deserve, how can
    I be such a fool?
  • I sit with elders of a gentle race, whose world is seldom seen.Who sit and
    talk of days for which they wait, when all will be revealed. These are song
    lyrics.
  • I'm a social butterfly and a natural flirt. Very hard to get my complete
    attention. Very open and will answer almost anything. But please don't piss
    me off.I can be sweet and cuddly or a whatever mood I am in that day so
    everyday
  • Love the outdoors, literature, writing, and athletics
  • When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away
    All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This
    Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live In The
    Memories Of Our Life Together
  • I enjoy clean conversations but am open to conversing with women and men
    with little ones as well. I am very open-minded. All authorization requests
    will be denied if I don't receive messages and get to know you first.
  • I love camping, dirt track racing, going for walks, and I have 2 cats -
    HotRod and Deebo (named from the movie 'Friday' and he lives up to it!).Life
    is ever changing, never always easy...
  • i love to chat to just about anyone!!
  • If I'm online, it problably means I'm pretty bored....so feel free to message
    me and say hi or whatever else comes to mind at the moment.
  • Hey people whats goin on? If there is anything you want to know about me ask
    me... I am pretty easygoing I won't bite....not at first anywayz hahaa.....
    one thing I will say on here tho I am not into the Cyber thing so don't even
    ask.....Ciao...
  • Hi! My name is Shreya and I am a goof off!!! So,If you love the outdoors,
    travelling, books, music, movies, laffing, teasingand/or can poke fun at
    yourself... please come a hollerin'!!
  • Hi! My name is Shreya and I am a goof off!!! So,If you love the outdoors,
    travelling, books, music, movies, laffing, teasingand/or can poke fun at
    yourself... please come a hollerin'!!
  • Single Mom of 3,Full time college student, Graduate in December with an
    Associates of Applied Science in Computer Information Systems Love the
    internet.
  • My hobbies include crochet, sewing, painting lead figures and playing AD&D.
    Favorite activities include fishing and camping. I love cats, unicorns(go
    figure), and fantasy in general.
  • I like to be in a company of smart, delicate, and with a good sense of
    humor people. I am Bulgarian, currently getting my Master's in International
    Business in USA. Favorite actor: Michael Dudikoff
  • i'm tall and skiny I'm studying in Pharm. D program in FL. i like music,
    movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
  • Nice friends, nice men, nice sex and feeling great. I don't mind the odd
    bout of cybersex as I love to use my imagination when I masterbate.
  • Hey, guys! by the way, I have no problems with my sexual life, soit's
    absolutly useless try to have icq sex or things like that. Thanks
  • I'm an open minded person and enjoy chatting w/ other people.I'm free and
    willing to chat about anything.So feel free to Imed me if you wanna chat.
  • I love meeting new people and making new friends. I am a Mary Kay Beauty
    Consultant. I am married to a wonderful man. We have no children, exept for
    a minature schnauzer that thinks he is a child. Looking forward to meeting
    you.
  • I am from Taiwan but I study in Camden, New Jersey now. I like to know people
    from different places .
  • I'm married and I stay at home. And I don't do cyber sex so leave me the fuck
    alone
  • Looking forward for a response :P
Ako je datoteka u privitku zaštićena zaporkom poruka može završavati sljedećim tekstom:

archive password: <number>
password: <number>
pass: <number>
password for archive: <number>

 

Privitak (Attachment:)
Naziv datoteke:

  • Picture
  • caroline
  • Katrina
  • kleopatra
  • Caitie
  • Mary-Anne
  • Lisa
  • Bad girl
  • Julie
  • Aline
  • Anna
  • Barbi
  • Katrina
  • Juli
  • Mary
  • Mandy
  • Sara
  • rebecca
  • Jammie
  • kate
  • Audra
  • stacy
  • Rena
  • Kelley
  • Tammy
  • myfotos
  • Gallery
  • It_I
  • Photoalbum
  • Photomontage

Nastavak:

  • .EXE
  • .SCR
  • .ZIP

Kada se pokrene pristigla datoteka, na računalu pretražuje datoteke i iz njih uzima elektroničke adrese.

Inficirane datoteke

W32/Bagle-C, D

W32/Bagle-E

W32/Bagle-F, G

Registry

W32/Bagle-C, D

W32/Bagle-E

W32/Bagle-F, G

Varijante F i G ostavljaju sljedeće datoteke s tijelom crva u mape koje u nazivu imaju riječ 'Shared' (npr. "C:\Program files\Common files\Microsoft shared"):

Zaustavlja sljedeće procese:

Na određenu URL lokaciju sprema podatak o lokaciji i otvorenom portu inficiranog računala. Otvara port 2745 na kojem očekuje određenu naredbu po primitku koje će preuzeti i pokrenuti datoteku.

Uklanjanje

Automatsko uklanjanje

W32/Bagle-C i D - nakon 14. ožujka 2004. prestaju s aktivnostima i uklanjaju svoje zapise iz registry-ja.
W32/Bagle-E, F i G - nakon 25. ožujka 2004. prestaju s aktivnostima i uklanjaju svoje zapise iz registry-ja.

Alat za uklanjanje crva W32/Bagle (od A do G)

Ručno uklanjanje

Windows 9X klasa:

Windows NT-klasa:

Zaštita od infekcije

Ostalo

Sažetak svojstava

Širenje
Elektroničkom poštomR
Lažna adresa u polju 'From:'R
Dijeljene mrežne mapeQ
'Peer-2-peer' mrežeR
OstaloQ
Aktivnost
Zaustavlja Sophosove serviseR
Mijenja registryR
Kreira / mijenja datotekeR
Omogućava  backdoor pristupR
Otvara port (2745)R
Bilježi aktivnosti tipkovnice (KeyLogging)Q
Automatski se obnavlja?
Uklanjanje
Sophosovim alatom za uklanjanje crvaR
Uklanjanjem (DOS ili Safe mode + cmd prompt)R
Promjenom registry-jaR
Čišćenjem datotekaQ
Uklanjanjem datotekaR
Zaštita
Primjenom servisnog paketa ili sigurnosne zakrpe za OS ili napadnutu aplikaciju?
Filtriranjem sadržaja na proxy poslužiteljuQ
Filtriranjem sadržaja na poslužitelju elektroničke pošteR
Aktiviranjem vatrozida (port: 2745)R
Podukom korisnika o sigurnom korištenju InternetaR