W32/Bagle.bn Worm (Registry Check)

General Info


TC: 14476
Description: This is a mass-mailing worm with the following characteristics:

* contains its own SMTP engine to construct outgoing messages
* the From: address of messages is spoofed
* attachment may be a password-protected zip file, with the password included in the message body
* contains a remote access component (notification is sent to hacker)
* uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
* deletes registry entries of security programs and other worms

** Messages are constructed as follows **

From : (address is spoofed)
Subject : (blank)

Body Text:

* Password:
* Pass -
* Password -
* new price
* price
* The password is
* Password:

Attachment:

* price.zip
* price2.zip
* price_new.zip
* price_08.zip
* 08_price.zip
* newprice.zip
* new_price.zip
* new__price.zip

Within the ZIP file is an executable file named doc_01.exe.

The virus copies itself into the Windows System directory as windlhhl.exe. For example:

* C:\WINDOWS\SYSTEM32\windlhhl.exe

** Method of Infection

** Mail Propagation

This virus constructs messages using its own SMTP engine. It may try to download a file which contains a list of email addresses to send to, but at the time of writing this file was unavailable.

** Remote Access Component

The virus listens on TCP port 80 for remote connections. It attempts to open a file, script1.php, on the localhost.

TC Impact: Gather Info



Specific Operations and Actions:


Vulnerability Publication: March 1, 2005
Advisory Copyright: Unknown
Summary: Identical to the Description above.
Risk: Medium
CVSS 2.0 metrics: N.A.
CVSS 2.0 Base Score: 5.0 (Approximated)
Vulnerability Impact: Attack
Host Impact:

* Arbitrary command execution (backdoor)
* Mass mailing
* Peer-To-Peer
Nature of Remediation: Uninstall the Software.
Step required to fix the reported vulnerability:

***** Solution type: Update Configuration *****

To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (press the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).

2. Delete the following file from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32):

windlhhl.exe

3. Edit the registry: delete the "erghgjhgdr" value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

4. Reboot the system into Default Mode.
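Before and after carrying out the removal steps, an administrator will want a read-only check that the indicators named on this page are present (or gone). The script below is an added example, not part of the SecureScout advisory or its scanner; it only reports and never deletes anything. It looks for the Run value, the dropped file, a process with that image name, and any listener on TCP port 80 (the port the advisory says the remote-access component uses). The value name `erghgjhgdr`, the file name `windlhhl.exe` and the registry path are taken from the advisory; the directory list and the port-80 check are assumptions about where a defender would look.

```powershell
# Added example (not from the SecureScout advisory): report W32/Bagle.bn indicators on a Windows host.
# Read-only: nothing is deleted or killed. Run in the context of the user whose HKCU hive is suspect.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # registry path from the advisory
$valueName = 'erghgjhgdr'                                           # Run value name from the advisory
$fileName  = 'windlhhl.exe'                                         # dropped executable from the advisory
$findings  = @()

# 1. Persistence: is the Run value present in the current user's hive?
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues -and ($runValues.PSObject.Properties.Name -contains $valueName)) {
    $findings += "Run value '$valueName' present, data: $($runValues.$valueName)"
}

# 2. Dropped file: check System32 and the legacy System directory named in the removal steps (assumed locations)
$candidates = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System')
) | ForEach-Object { Join-Path $_ $fileName }
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 3. Running process whose image name matches the dropped file
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ([IO.Path]::GetFileName($_.Path) -ieq $fileName) } |
    ForEach-Object { $findings += "Process running: PID $($_.Id) $($_.Path)" }

# 4. Listener on TCP/80: the advisory says the backdoor listens there. A legitimate web server also
#    shows up here, so this line is a prompt to look at the owning process, not a verdict on its own.
Get-NetTCPConnection -State Listen -LocalPort 80 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP/80 listener: PID $($_.OwningProcess) ($($owner.ProcessName))"
    }

if ($findings.Count -eq 0) {
    'No W32/Bagle.bn indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Because the persistence value lives under HKEY_CURRENT_USER, the registry check only covers the hive of the user running the script; on a shared machine, run it as each affected user or inspect the other users' loaded hives under HKEY_USERS. `Get-NetTCPConnection` requires the NetTCPIP module shipped with Windows 8 / Server 2012 and later; on older systems `netstat -ano` gives the same port-to-PID mapping.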



Glossary and References :


References:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132120

CVE Link: GENERIC-MAP-NOMATCH
CVE Compatible

Glossary:

* Backdoor
* Mail Relay
* Peer to Peer
* Remote Command Execution
* Spam
* Spoofing
* Worm


© 2003-2010 NexantiS Corporation (www.securescout.com)
SecureScout is a trademark of NexantiS
All Rights Reserved
All product names referenced herein are trademarks of their respective companies

SecureScout products are certified:
CVE Compatible
SANS TOP 20 Compatible
CVSS Compatible (Common Vulnerability Scoring System)