[Alsfastball] New Bagle Threat Spreading Quickly, Quietly
Al Doran
aldoran at pmihrm.com
Wed Sep 1 14:34:03 EDT 2004
New Bagle Threat Spreading Quickly, Quietly
By Jay Munro, <http://www.pcmag.com/>PC Magazine
August 31, 2004
Like the Bagle.AQ-infected messages of two weeks ago, a flood of infected
e-mails started hitting users' mailboxes Tuesday bearing the subject line
"foto" and an unencrypted zip file, "foto.zip". However, it doesn't seem to
get much farther than the initial spam.
The zip file contains an HTML file that, when executed, drops a downloader
component on the victim's machine, which attempts to connect to one of many
web sites to download the worm portion. The new virus, first identified by
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AI>Trend
Micro Inc. as Worm_Bagle.AI, appears to have been seeded, or spammed to
many users, but because of problems with the web sites that carry the
propagation code, it hasn't spread further.
How to prevent it: Do not open attachments, especially foto.zip. Get the
latest updates from your antivirus company.
Bagle.AI was first discovered on August 31st, and the attack slipped in
under the radar of our own corporate antivirus. The virus arrives in an
e-mail with the subject "foto" and a spoofed "from" address. The
attachment is an unencrypted zip file named "foto.zip".
The zip file contains two files, foto.html and foto1.exe. When a user
clicks on the HTML file, it executes the foto1.exe file. The HTML file
contains JavaScript that is detected as JS/IllWill. The foto1.exe initially
drops a file named DORIOT.EXE (note: it has a creation date of 9/1/04,
a day ahead of the start of the outbreak) into the Windows system
folder, along with a companion file GDQFW.EXE. It creates the following value:
Wersds.exe = "%system%\doriot.exe"
in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
(%system% is the Windows System folder and is usually C:\Windows\System on
Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32
on Windows XP.)
According to
<http://www.sarc.com/avcenter/venc/data/download.ject.d.html>Symantec, the
gdqfw.exe file is injected into Explorer.exe and runs as a thread that
stops the "Shared Access" service (on Windows XP, the service behind the
built-in Internet Connection Firewall and Internet Connection Sharing) and
then sets its startup type to 'disabled'. It then attempts to stop security
software processes.
The gdqfw.exe is also the downloader, which attempts to contact one of over
130 web sites to download the actual worm propagation code. For the full
list, see
<http://www.sarc.com/avcenter/venc/data/download.ject.d.html>Symantec's
analysis.
The files are saved as "_re_file.exe" in the Windows installation folder
and then executed. However, at this time, all the sites appear to be
inoperable, leaving the victim's machine with only a few installed files
and registry entries. If the web sites do become active, Bagle.AI may
spread quickly.
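The persistence value, dropped files and service tampering described above can be checked on a host with a read-only triage script such as the one below. This is an added example, not code from the article or from the Symantec and Trend Micro write-ups; the value, file and service names are taken from the text, while the folder paths assume a current Windows layout rather than the 9x/NT locations listed earlier.

```powershell
# Added example: read-only triage for the Bagle.AI artifacts named in the article.
# Assumes a current Windows layout; run in an elevated PowerShell session.
$sysDir  = [Environment]::GetFolderPath('System')    # %system%, e.g. C:\Windows\System32
$winDir  = [Environment]::GetFolderPath('Windows')   # Windows installation folder
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Persistence: the 'Wersds.exe' Run value that points at doriot.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties.Name -contains 'Wersds.exe') {
        $findings += "Run value 'Wersds.exe' in $key = $($props.'Wersds.exe')"
    }
}

# 2. Dropped files: doriot.exe / gdqfw.exe in %system%, _re_file.exe in the Windows folder.
#    Creation time is recorded because the article notes doriot.exe carried a future date.
foreach ($path in @("$sysDir\doriot.exe", "$sysDir\gdqfw.exe", "$winDir\_re_file.exe")) {
    if (Test-Path $path) {
        $item = Get-Item $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += "File present: $path (created $($item.CreationTime), SHA256 $hash)"
    }
}

# 3. Service tampering: the worm stops 'SharedAccess' and sets it to Disabled.
#    On Windows XP this service was the Internet Connection Firewall/ICS; on later
#    versions it is only ICS and is Manual by default, so only 'Disabled' is flagged.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SharedAccess'"
if ($svc -and $svc.StartMode -eq 'Disabled') {
    $findings += "SharedAccess service is $($svc.State), start mode $($svc.StartMode)"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Bagle.AI indicators found.' }
```

A hit on the Run value or the dropped files is specific to this sample; a disabled SharedAccess service alone is only a prompt to look further, since administrators disable it too.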
In PCMag.com's tests, we noticed that the firewall recognized Explorer.exe
trying to get to the web. Since this is a normal occurrence, detection by a
firewall (as Bagle.AQ was detectable) may not be possible.
Als Fastball List
*Email: fastball at pmihrm.com
http://www.alsfastball.com/
http://www.ISCfastball.com/
NEWS: http://www.escribe.com/sports/alsfastball/
TEMP: http://www.fastpitchwest.com/alsfastball.htm