[Full-Disclosure] New Bagle variant

From: Tremaine (tremaine_at_gmail.com)
Date: 08/10/04

  • Next message: Patrik Torin: "[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1825 - 31 msgs"
    To: full-disclosure@lists.netsys.com
    Date: Mon, 9 Aug 2004 16:22:17 -0600
    
    

    The worm itself is packed with PeX, uses its own SMTP engine and
    contains a Mitglieder-like downloader. It also opens a backdoor using
    TCP and UDP port 2480 on the compromised machine.

    The virus will transmit over SMTP, P2P and SMB.

    The following reg keys will be present:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win_upd2.
    exe = %System%\WINdirect.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\erthgdr
     = %System%\windll.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

    The zip file contains non-functional code to password protect the zip.

    It will attempt to send itself to email addresses it gathers from the
    system from files with the following extensions on the compromised
    system:
    .adb
    .asp
    .cfg
    .cgi
    .dbx
    .dhtm
    .eml
    .htm
    .jsp
    .mbx
    .mdx
    .mht
    .mmf
    .msg
    .nch
    .ods
    .oft
    .php
    .pl
    .sht
    .shtm
    .stm
    .tbb
    .txt
    .uin
    .wab
    .wsh
    .xls
    .xml

    -- 
    Tremaine
    IT Security Consultant
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Patrik Torin: "[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1825 - 31 msgs"