[Alsfastball] New Bagle Threat Spreading Quickly, Quietly

Al Doran aldoran at pmihrm.com
Wed Sep 1 14:34:03 EDT 2004


New Bagle Threat Spreading Quickly, Quietly
By Jay Munro, PC Magazine <http://www.pcmag.com/>
August 31, 2004 <http://www.eweek.com/article2/#talkback>



Like the Bagle.AQ-infected messages of two weeks ago, a flood of infected 
e-mails started hitting users' mailboxes on Tuesday bearing the subject line 
"foto" and an unencrypted zip file, "foto.zip". However, the worm doesn't seem 
to be able to get much farther than the initial spam.

The zip file contains an HTML file that, when executed, drops a downloader 
component on the victim's machine; the downloader then attempts to connect to 
one of many web sites to download the worm portion. The new virus, first 
identified by Trend Micro Inc. as Worm_Bagle.AI 
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AI>, 
appears to have been seeded (spammed to many users), but because of problems 
with the web sites that carry the propagation code, it hasn't spread further.


How to prevent it: Do not open attachments, especially foto.zip. Get the 
latest updates from your antivirus company.
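The advice above can be enforced at the mail gateway rather than left to the recipient. The following is an added example, not code from the article or from any vendor's product: it inspects a zip attachment for the layout the article describes (an HTML file packaged beside an executable, so that "opening the photo" runs the executable). The extension sets, the verdict labels and the sample archive contents are assumptions constructed for the example; the sample mirrors only the member names foto.html and foto1.exe, with inert placeholder contents.

```python
from __future__ import annotations

import io
import zipfile

# Assumed extension sets (not from the article): a "launcher" is a file the
# recipient opens as a picture or page, an "executable" is what it can run.
LAUNCHER_EXTS = {".html", ".htm"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def _extension(name: str) -> str:
    """Lower-cased extension of an archive member, '' if it has none."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def classify_zip_attachment(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, findings) for a zip attachment given as raw bytes.

    verdict is 'block', 'review' or 'allow'.  The decisive pattern is the one
    the article describes: an HTML file packaged next to an executable, so
    that "opening the photo" runs the executable.
    """
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "review", ["attachment is not a readable zip archive"]

    launchers, executables, encrypted = [], [], []
    for info in archive.infolist():
        if info.is_dir():
            continue
        ext = _extension(info.filename)
        if ext in LAUNCHER_EXTS:
            launchers.append(info.filename)
        if ext in EXECUTABLE_EXTS:
            executables.append(info.filename)
        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            encrypted.append(info.filename)

    if launchers and executables:
        findings.append(
            f"HTML launcher {launchers} packaged with executable {executables}"
        )
    if executables:
        findings.append(f"executable member(s): {executables}")
        return "block", findings
    if encrypted:
        # Encrypted members cannot be inspected here; hold for manual review.
        findings.append(f"encrypted member(s) not inspectable: {encrypted}")
        return "review", findings
    return "allow", findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: same member layout as the article's foto.zip, but with
# inert placeholder contents rather than the real files.
SAMPLE_FOTO_ZIP = build_sample_zip({
    "foto.html": b"<html><body>placeholder, no script</body></html>",
    "foto1.exe": b"MZ placeholder bytes, not a real executable",
})
SAMPLE_CLEAN_ZIP = build_sample_zip({"holiday.jpg": b"\xff\xd8\xff placeholder"})

if __name__ == "__main__":
    for label, blob in (("foto.zip", SAMPLE_FOTO_ZIP), ("clean.zip", SAMPLE_CLEAN_ZIP)):
        verdict, notes = classify_zip_attachment(blob)
        print(f"{label}: {verdict} {notes}")
```

The executable check alone would already block foto.zip; the launcher-plus-executable finding is kept as a separate line because it names the social-engineering trick (a "photo" that is really a launcher) for whoever reviews the quarantine. Encrypted members are routed to review rather than allowed, since nothing can be said about their contents from the member list.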

Bagle.AI was first discovered on August 31st, and the attack slipped in 
under the radar of our own corporate antivirus. The virus arrives in an 
e-mail with the subject "foto" and a spoofed "from" address. The 
attachment is an unencrypted zip file named "foto.zip".

The zip file contains two files, foto.html and foto1.exe. When a user 
clicks on the HTML file, it executes the foto1.exe file. The HTML file 
contains JavaScript that is detected as JS/IllWill. The foto1.exe initially 
drops a file named DORIOT.EXE (note that it has the creation date of 9/1/04, 
which was a day ahead of the start of the outbreak) into the Windows system 
folder, along with a companion file GDQFW.EXE. It creates the following value:

Wersds.exe = "%system%\doriot.exe"

in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

(%system% is the Windows System folder and is usually C:\Windows\System on 
Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 
on Windows XP.)



According to Symantec 
<http://www.sarc.com/avcenter/venc/data/download.ject.d.html>, the 
gdqfw.exe file is injected into Explorer.exe and runs as a thread that 
stops the "Shared Access" service and then sets its startup type to 
"disabled". It then attempts to stop security software processes.
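The registry value and the service change described in the two passages above are the host-side artifacts a responder can check for. The following is an added example, not code from the article or from Symantec: it parses a `reg export` dump (the subset of .reg syntax covering string and dword values) and reports Run-key entries that point at the file names the article attributes to Bagle.AI, plus the "Shared Access" service having been set to disabled. The sample export is constructed for the example; the assumption that the "Shared Access" service's internal name is SharedAccess, and that a Start value of 4 means "Disabled", comes from standard Windows service configuration, not from the article. The "Windows\CurrentVersion" path restores the backslash the article's rendering dropped.

```python
from __future__ import annotations

import re

# Run keys the article names.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# File names the article attributes to Bagle.AI; matched as a path's last component.
INDICATOR_FILES = ("doriot.exe", "gdqfw.exe", "_re_file.exe")
# Assumption: the "Shared Access" service is the one with internal name
# SharedAccess; Start=4 is the standard "Disabled" startup type.
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
START_DISABLED = 4

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.+)$')
_INDICATOR_RE = re.compile(
    r"(?:^|[\\/])(" + "|".join(re.escape(n) for n in INDICATOR_FILES) + r')(?=$|[\s"])',
    re.IGNORECASE,
)


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Parse the subset of .reg syntax needed here: string and dword values.

    Keys are returned lower-cased so lookups are case-insensitive, as the
    registry itself is.  Default (@=) and hex: values are skipped.
    """
    keys: dict[str, dict[str, object]] = {}
    current: dict[str, object] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = keys.setdefault(key_match.group(1).lower(), {})
            continue
        value_match = _VALUE_RE.match(line)
        if current is None or not value_match:
            continue
        name, data = value_match.group("name"), value_match.group("data")
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslash and double quote inside string data.
            current[name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
    return keys


def triage_reg_export(text: str) -> list[str]:
    """Report the persistence entries and service change the article describes.

    Returns one finding per hit; an empty list means nothing matched.
    """
    keys = parse_reg_export(text)
    findings: list[str] = []
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key.lower(), {}).items():
            if isinstance(data, str) and _INDICATOR_RE.search(data):
                findings.append(
                    f"Run entry {run_key}\\{name} = {data!r} points at a Bagle.AI file name"
                )
    service = keys.get(SHAREDACCESS_KEY.lower(), {})
    if service.get("Start") == START_DISABLED:
        findings.append("SharedAccess service startup type set to Disabled (Start=4)")
    return findings


# Constructed sample export: the article's Run value in both hives, one benign
# entry with a quoted path and arguments, and the service set to Disabled.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wersds.exe"="C:\\WINDOWS\\System32\\doriot.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Wersds.exe"="C:\\WINDOWS\\System32\\doriot.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

if __name__ == "__main__":
    for finding in triage_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

Files written by `reg export` are normally UTF-16 with a byte-order mark, so a real dump is read with `open(path, encoding="utf-16")` before being passed to `triage_reg_export`. Matching on the file name rather than the value name matters here: the article's value is called Wersds.exe but points at doriot.exe, and a responder looking only for a value named after the dropped file would miss it.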

The gdqfw.exe is also the downloader, which attempts to contact one of over 
130 web sites to download the actual worm propagation code. For the full 
list, see Symantec's analysis 
<http://www.sarc.com/avcenter/venc/data/download.ject.d.html>.

The files are saved as "_re_file.exe" in the Windows installation folder 
and then executed. However, at this time, all the sites appear to be 
inoperable, leaving the victim's machine with only a few installed files 
and registry entries. If the web sites do become active, Bagle.AI may 
spread quickly.

In PCMag.com's tests, we noticed that the firewall recognized Explorer.exe 
trying to get to the web. Since this is a normal occurrence, detection by a 
firewall (as Bagle.AQ was detectable) may not be possible.


  Als Fastball List
*Email: fastball at pmihrm.com
http://www.alsfastball.com/
http://www.ISCfastball.com/
NEWS: http://www.escribe.com/sports/alsfastball/
TEMP: http://www.fastpitchwest.com/alsfastball.htm