
Win32.Worm.Bagle.FJ


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Bagle.FJ.

Explanation:

This is a mass mailer / downloader malware. It arrives as an archive containing two files: an executable and another file filled with random characters. The executable uses an icon resembling that of a text document; when first executed it copies itself into the system directory under the name sysformat.exe and then launches notepad.exe.

It drops a hosts file of size 1,771 in the System32\Drivers subdirectory of the Windows directory; this file blocks access to certain anti-virus related sites, which can leave the anti-virus product unable to perform an update.
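Because the worm blocks vendor sites through the hosts file, a hosts file that maps public hostnames to loopback or unspecified addresses is a useful detection signal. The following audit routine is an added example, not code from the BitDefender write-up; the sample hosts content and the vendor domain names in it are constructed placeholders, not the real list the worm ships.

```python
"""Audit a Windows hosts file for entries that sinkhole public hostnames.

Added example (not from the original write-up): a dropped hosts file that
points public names at 127.0.0.1 or 0.0.0.0 is how this family blocks
anti-virus update and download sites.
"""
import ipaddress

# Hostnames a legitimate hosts file routinely maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, [hostnames]) tuples, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # malformed line, skip it
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries

def sinkholed_hosts(text):
    """Hostnames mapped to loopback/unspecified addresses that are not local names."""
    flagged = []
    for ip_str, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                              # not an IP address, skip it
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        flagged.extend(n for n in names if n not in LOCAL_NAMES)
    return flagged

# Constructed sample: two normal entries plus three sinkholed public names
# (placeholder domains, not the real list the worm ships).
SAMPLE_HOSTS = """\
# default hosts header (comment only)
127.0.0.1       localhost
::1             localhost
127.0.0.1  update.av-vendor.example   # constructed: blocks an update host
127.0.0.1  www.av-vendor.example
0.0.0.0    downloads.security-vendor.example
"""

if __name__ == "__main__":
    for name in sinkholed_hosts(SAMPLE_HOSTS):
        print("sinkholed:", name)
```

On a live system, pass the contents of the machine's hosts file to sinkholed_hosts and treat any flagged name as grounds for further triage.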

It disables the built-in firewall and security center on machines running Windows XP Service Pack 2.

It kills several security (anti-virus and firewall) products.

It tries to download files from a predefined list of sites and to execute them.

It searches the available hard disks (removable media and network drives are not searched) for files with one of the following extensions:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

These files are searched for e-mail addresses, and the worm sends itself to any address that does not contain one of the following substrings:

@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

The worm also searches the hard drives for folders whose names contain the substring "shar" (for example "My Shared Documents") and copies itself there under these names:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The subject line of the sent e-mail contains one of the following:

price
February price
pricelst
pricelist
price_lst
new_price
February_price
21_price

Last update 21 November 2011
