
Bagle.FY


First posted on 13 September 2006.
Source: SecurityHome

Aliases:

Bagle.FY is also known as W32/Bagle.fb@MM, W32.Beagle.FF@mm, WORM_BAGLE.FN, Email-Worm.Win32.Bagle.fy.

Explanation:

Bagle.FY is an e-mail worm that uses its own SMTP engine to send and propagate copies of itself.

The messages it sends have the following characteristics:

The e-mail attachment is named with one of the following strings, using .zip as the file name extension:

Alice
Alice
Alyce
Andrew
Androw
Androwe
Annes
Anthonie
Anthony
Anthonye
Avice
Bennet
Bennet
Bennett
Christean
Christian
Christian
Constance
Cybil
Daniel
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edmund
Edward
Edward
Edwarde
Elizabeth
Elizabeth
Elizabethe
Ellen
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harry
Harrye
Henrie
Henry
Henry
Henrye
Hughe
Humphrey
Humphrey
Humphrie
Isabel
Isabell
Isabell
James
James
Jeames
Jeffrey
Jeffrye
Joane
Johen
Josias
Judeth
Judith
Judith
Judithe
Katherine
Katherine
Katheryne
Leonard
Leonard
Leonarde
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Marye
Michael
Michael
Mychaell
Nathaniel
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richard
Richarde
Robert
Robert
Roberte
Roger
Rycharde
Samuell
Sidney
Sindony
Stephen
Susan
Susanna
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede


The list above is also used to generate the subject of the e-mail.

The body of the e-mail usually contains one of the following strings:
I love you
To the beloved

Followed by one of these:

archive password: [password]
Password - [password]
Password -- [password]
Password is [password]
Password: [password]
The password is [password]
Use password [password] to open archive.
Zip password: [password]


where [password] is an image of the password, hosted remotely at one of the following URLs:

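As an added example (not part of the original SecurityHome entry), the following Python checks an incoming message for the e-mail characteristics described above: a subject or .zip attachment name taken from the name list, a body opening with one of the two greetings, and one of the password phrases. The name subset and the sample message are constructed for illustration.

```python
from email import message_from_string

# Constructed subset of the attachment/subject name list given on this page.
BAGLE_FY_NAMES = {"Alice", "Andrew", "Elizabeth", "Margaret", "Thomas", "William"}
BODY_OPENERS = ("I love you", "To the beloved")
# Password phrases from the page with the [password] placeholder dropped: the
# worm delivers the password as a remotely hosted image, not as text.
PASSWORD_PHRASES = ("archive password:", "password -", "password is",
                    "password:", "use password", "zip password:")

def bagle_fy_indicators(raw_message: str) -> list[str]:
    """Return the Bagle.FY e-mail traits present in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip() in BAGLE_FY_NAMES:
        hits.append("subject-from-name-list")
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".zip") and filename[:-4] in BAGLE_FY_NAMES:
            hits.append("zip-attachment-from-name-list")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if body.strip().startswith(BODY_OPENERS):
                hits.append("body-opener")
            if any(p in body.lower() for p in PASSWORD_PHRASES):
                hits.append("password-phrase")
    return hits

def is_bagle_fy_like(raw_message: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` of the four traits co-occur."""
    return len(set(bagle_fy_indicators(raw_message))) >= threshold

# Constructed sample message mimicking the characteristics described above.
SAMPLE_WORM_MAIL = """\
From: sender@example.invalid
Subject: Elizabeth
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I love you
Password: [image]
--b1
Content-Type: application/zip; name="Elizabeth.zip"
Content-Disposition: attachment; filename="Elizabeth.zip"

--b1--
"""
```

A real deployment would load the full name list from this page rather than the six-name subset used here.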

This e-mail worm avoids mailing copies of itself to addresses that contain any of the following substrings:
@avp.
@iana
@messagelab
abuse
admin
anyone@
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
linux
listserv
local
nobody@
noone@
noreply
ntivi
panda
postmaster@

It harvests e-mail addresses from files on the system with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

Last update 13 September 2006
