Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

New Bagle variant

From: Tremaine <tremaine () gmail com>
Date: Mon, 9 Aug 2004 16:22:17 -0600
The worm itself is packed with PeX, uses its own SMTP engine and
contains a Mitglieder-like downloader.  It also opens a backdoor using
TCP and UDP port 2480 on the compromised machine.


The virus will transmit over SMTP, P2P and SMB.

The following reg keys will be present:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win_upd2.
exe = %System%\WINdirect.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\erthgdr
 = %System%\windll.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n         


The zip file contains non-functional code to password protect the zip.

It will attempt to send itself to email addresses it gathers from the 
system from files with the following extensions on the compromised 
system:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml


-- 
Tremaine
IT Security Consultant

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: