La mia libreria
La mia libreria

+ Aggiungi alla libreria

Supporto
Supporto 24/7 | Regole per contattare

Richieste

Profile

Win32.HLLM.Beagle.57450

(WORM_Bagle.DAM, Win32.Bagle.10.Gen@mm, W32/Bagle@MM!vbs, I-Worm/Bagle.AA, MalwareScope.Trojan-PSW.Pinch.1, Worm/Bagle.Z.VBS, WORM_BAGLE.X, Parser error, Email-Worm.Win32.Bagle.y, Worm/Bagle.Z, Worm:Win32/Bagle.W@mm, Win32.Worm.Bagle.y.dr, Win32.Bagle.W@mm.damaged, W32/Bagle.z@MM!vbs, Win32/Bagle.W@mm, WORM_Bagle.GEN, VBS_Generic, Win32.Bagle.Z@mm.VBS, W32/Bagle.z@MM, I-Worm/Bagle)

Aggiunto al database dei virus Dr.Web: 2005-04-22

La descrizione è stata aggiunta:

Description

Win32.HLLM.Beagle.57450 is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. It is packed with UPX compression utility.
It disseminates via e-mail and file-sharing networks. Sometimes it may arrive to computers as Zip-archive.
It opens port TCP\\\\\\\\ 2535 in the affected system, which leads to system’s compromising.
The worm terminates different security related programs.

Spreading

In search of mail addresses for its propagation the worm scans drives of the victimized machine. The files with the following extensions are revised:

     .wab 
     .txt 
     .msg 
     .htm 
     .shtm 
     .stm 
     .xml
     .dbx 
     .mbx 
     .mdx 
     .eml 
     .nch 
     .mmf 
     .ods 
     .cfg 
     .asp 
     .php 
     .pl 
     .wsh 
     .adb 
     .tbb 
     .sht 
     .xls 
     .oft 
     .uin 
     .cgi 
     .mht 
     .dhtm 
     .jsp
     
It avoids sending its viral copies to the addresses which have the following strings:
     @hotmail 
     @msn 
     @microsoft 
     rating@ 
     f-secur 
     news 
     update 
     anyone@ 
     bugs@ 
     contract@ 
     feste 
     gold-certs@ 
     help@
     info@ 
     nobody@ 
     noone@ 
     kasp 
     admin 
     icrosoft 
     support 
     ntivi 
     unix 
     bsd 
     linux 
     listserv 
     certific 
     sopho 
     @foo 
     @iana 
     free-av 
     @messagelab 
     winzip 
     google 
     winrar 
     samples 
     abuse 
     panda 
     cafee 
     spam 
     pgp 
     @avp. 
     noreply 
     local 
     root@ 
     postmaster@  
     
The sender’s address is spoofed, or it may be one of the following:
     lizie@ 
     annie@ 
     ann@ 
     christina@ 
     secretGurl@ 
     jessie@ 
     christy@
     
The subject is chosen from the following list of possible subjects:
     Hello! 
     Hey! 
     Let\\\\\\\'s socialize, my friend! 
     Let\\\\\\\'s talk, my friend! 
     I\\\\\\\'m bored with this life 
     Notify from a known person ;-)
     I like you
     I just need a friend 
     I\\\\\\\'m a sad girl...      
     Re: Msg reply 
     Re: Hello 
     Re: Yahoo! 
     Re: Thank you! 
     Re: Thanks :) 
     RE: Text message 
     Re: Document Incoming message 
     Re: Incoming Message 
     Re: Incoming Fax 
     Hidden message 
     Fax Message Received 
     Protected message 
     RE: Protected message 
     Forum notify 
     Request response
     Site changes 
     Re: Hi 
     Encrypted document      
     Hello %s, 
     Dear %s, 
     Dear %s,

It\\\\\\\'s me ;-) Hi %s, Hey %s,

It\\\\\\\'s me -> Hi,

It\\\\\\\'s me %s, Hey %s, Hey, Hi, Hello, I Like You!

where %s is a name

The message body is composed from several parts. Part 1

     Don\\\\\\\'t you remember me?

Kewl :-)

I need a friend...

I just want to talk with someone...

I like reading the books and socializing, let me talk with you...

It\\\\\\\'s time to find a friend!

Ready to accept a new friend? :-)

Like me, odore me! ;-)

I study at school, I like to spend time cheerfully even if not all
so well, I hompe and trust, that all bad when nibud will pass and necessarily
nastanet there would be a desire.

I like to feel protected, to understand, that near to me the man,
which both in sex, and in life knows what to do. It is possible to fall
in love with such the man for ever.

Cometime I write a poem, play the gitar. I love a traveling,
I like a romantice and I want to meet, comeday, my big love!

I am kind, fair, careful, gentle also want to create family.
I love animal (cats, dogs), the literature, theatre, cinema, music,
walks in park .

I very much love productive leisure, to prepare for new exotic
dishes, at leisure to leave with friends on the nature, to float,
I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.

I have recently got demobilize from army and also I am going to act
in a higher educational institution

Searching for the right person,for real man, who will really cares and
love me.

I am a honest, kind,loving,with good sense of humor...etc.,looking
for true love... or maybe for pen friend.I like cats.

I am looking for a serious relationship. I am NOT interested in
flirt and short-term love adventure.

I love, as the good company, and I dream about romantic appointment
at candles with loved. I still believe in love.

I like an active life... and interesting people...

i am honest, responsible, romantic person. iwould like to find my
only love,to find my destiny.

I\\\\\\\'m a young lady of 20 years old i\\\\\\\'d like to find my second part!!!

I am simple girl who are looking for serious relation with
responsible and confident man. I am ready to give all my love and
carering for a right person who is going to love and respect me

I am a beautiful, sexual girl with very big ambitions and dreams.
I can make happy anyone man...

I am a student. I\\\\\\\'m studying international relationships. I would
like to find an interesting and active man for serious relations.
Sitting at home it is not for me. I like to go out to the
theater, cinema, and nightclubs.

I love productive leisure, to travel, communicate with friends.

I very much love new acquaintances, I love music, meetings with
friends. I go on night clubs, except for parties I sometimes
visit theatres and I love cinema. In general I only shall be glad
to new acquaintance and class dialogue...

I\\\\\\\'m so bored, let me talk with you...

You are my prince :-)

You are cool :-)

Read the attach.

Your file is attached.

Part 2
      More info is in attach

See attach.

Please, have a look at the attached file.
See the attached file for details.

Message is in attach

Here is the file.

For more information see the attached file. Attached file will tell you everything. For details see the attach. Attached file tells everything. Further details are in attach.
Part 3
     Sincerely, %s 
     Best wishes, %s 
     Yours, %s 
     Have a good day, %s 
     Cheers, %s 
     Kind regards, %s   
     
If the attached file is a ZIP-atchive, the message bidy may end with one of the following:
     For security reasons attached file is password protected. The password is 

For security purposes the attached file is password protected. Password --

Note: Use password to open archive.

Attached file is protected with the password for security reasons. Password is

In order to read the attach you have to use the following password:

Archive password:

Password -

Password:
Attachment:
     Information 
     Details 
     Readme 
     Document 
     Info 
     Details 
     MoreInfo 
     Message  
     
The extensions of the attachment may be .com, .cpl, .exe, .scr,.zip, .vbs or .hta.

The message body may also be accompanied with pictures of girls. The possible file names are:

     Photo
     image12 
     myphoto4 
     myphoto7 
     me3 
     me2   
     
The worm can also spread across the shared resources. It scans the system in search of directories containing the string “shar” and copies itself there as follows:
     Microsoft Office 2003 Crack, Working!.exe 
     Microsoft Windows XP, WinXP Crack, working Keygen.exe 
     Microsoft Office XP working Crack, Keygen.exe 
     Porno, sex, oral, anal cool, awesome!!.exe 
     Porno Screensaver.scr Serials.txt.exe 
     KAV 5.0 Kaspersky Antivirus 5.0 Porno pics arhive, xxx.exe 
     Windows Sourcecode update.doc.exe 
     Ahead Nero 7.exe 
     Windown Longhorn Beta Leak.exe 
     Opera 8 New!.exe 
     XXX hardcore images.exe 
     WinAmp 6 New!.exe 
     WinAmp 5 Pro Keygen Crack Update.exe 
     Adobe Photoshop 9 full.exe 
     Matrix 3 Revolution English Subtitles.exe 
     ACDSee 9.exe  
     

Action

Будучи активированным, червь демонстрирует на экране дисплея окно с ложным сообщением об ошибке:

    Заголовок: Error!
    Текст: Can\'t find a viewer associated with the file
Далее, он помещает в системную директорию (в Windows 9x и Windows ME это C:\\Windows\\System, в Windows NT/2000 это C:\\WINNT\\System32, в Windows XP это C:\\Windows\\System32) несколько файлов:
  drvsys.exe 
  drvsys.exeopen 
  drvsys.exeopenopen
  
Чтобы обеспечить свой запуск в пораженной системе червь вносит данные
drvsys.exe = \"%SysDir%\\drvsys.exe\"
в реестровую запись
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

В пораженной системе червь «слушает» порт TCP 2535. Чтобы сообщить своему создателю о проведенном инфицировании, червь предпринимает попытки установить связь со следующими сайтами:

  http://www.spiegel.de/5.php
  http://www.leipziger-messe.de/5.php
  http://www.mobile.de/5.php
  http://www.neformal.de/5.php
  http://www.avh.de/5.php
  http://www.goethe.de/5.php
  http://www.degruyter.de/5.php
  http://www.heise.de/5.php
  http://www.autoscout24.de/5.php
  http://www.russische-botschaft.de/5.php
  http://www.bmbf.de/5.php
  http://www.berlinale.de/5.php
  http://www.hamann-motorsport.de/5.php
  http://Spaceclub.de/5.php
  http://www.fracht-24.de/5.php
  http://www.loveparade.de/5.php
  http://www.dalnoboyshik.de/5.php
  http://www.deutschland.de/5.php
  http://www.ac-schnitzer.de/5.php
  http://abakan.strana.de/5.php
  http://www.emis.de/5.php
  http://www.dwd.de/5.php
  http://www.ifdesign.de/5.php
  http://www.beckers-systems.de/5.php
  http://www.pri-wo-hamburg.de/5.php
  http://virtualzone.de/5.php
  http://www.mitsumi.de/5.php
  http://www.fu-berlin.de/5.php
  http://www.nabu.de/5.php
  http://www.tekeli.de/5.php
  http://www.welt.de/5.php
  http://www.gospel-nations.de/5.php
  http://www.neznakomez.de/5.php
  http://www.tecchannel.de/5.php
  http://www.php-resource.de/5.php
  http://www.windac.de/5.php
  http://www.gsi.de/5.php
  http://www.turism.de/5.php
  http://jakimov.golos.de/5.php
  http://www.www.mirko-becker.gmxhome.de/5.php
  http://vg.xtonne.de/5.php
  http://www.go-amman.de/5.php
  http://3treepoint.com/5.php
  http://www.restarted-alliance.de/5.php
  http://2udar.ligakvn.de/5.php
  http://www.sprach-zertifikat.de/5.php
  http://www.dfg.de/5.php
  http://www.kliniken.de/5.php
  http://www.winfuture.de/5.php
  http://www.hamburg.de/5.php
  http://www.auma.de/5.php
  http://www.teac.de/5.php
  http://www.eumetsat.de/5.php
  http://www.documenta.de/5.php
  http://hardvision.ru/5.php
  http://www.bruecke-osteuropa.de/5.php
  http://www.mk-motorsport.de/5.php
  http://www.bundesregierung.de/5.php
  http://ditec.um.es/5.php
  http://www.insel-ruegen-hotel.de/5.php
  http://www.tib.uni-hannover.de/5.php
  http://www.chugai.de/5.php
  http://www.blauer-engel.de/5.php
  http://www.partner-inform.de/5.php
  http://250x.com/5.php
  http://villakinderbunt.de/5.php
  http://s318.evanzo-server.de/5.php
  http://andimeisslein.de/5.php
  http://tobimayer.de/5.php
  http://markusgimenez.de/5.php
  http://www.fiz-karlsruhe.de/5.php
  http://www.gdch.de/5.php
  http://www.intermatgmbh.de/5.php
  http://www.hotel-pension-spree.de/5.php
  http://vg.xtonne.de/5.php
  http://www.low-spirit.de/5.php
  http://www.red-dot.de/5.php
  http://www.fernuni-hagen.de/5.php
  http://www.ruletka.de/5.php
  http://www.deutsch-als-fremdsprache.de/5.php
  http://www.uni-oldenburg.de/5.php
  http://fotos.schneider.bards.de/5.php
  http://www.deutsches-museum.de/5.php
  http://www.de-bug.de/5.php
  http://www.uni-stuttgart.de/5.php
  http://www.embl-heidelberg.de/5.php
  http://www.mdz-moskau.de/5.php
  http://www.mitsubishi-evs.de/5.php
  http://www.siegenia-aubi.com/5.php
  http://www.cicv.fr/5.php
  http://www.paromi.de/5.php
  http://www.jura.uni-sb.de/5.php
  http://www.exactaudiocopy.de/5.php
  
В тексте червь содержится следующее послание:
  UNIQUE PEOPLE MAKE UNIQUE THINGS
  THAT THINGS STAY BEYOND THE NORMAL LIFE AND COMMON UNDERSTANDING
  THE PROBLEM IS THAT PEOPLE DON\'T UNDERSTAND SUCH WILD THINGS,
  LIKE A MAN DID NEVER UNDERSTAND THE WILD LIFE
                                                 -- Author of Bagle
  
  
  

Червь останавливает процессы, принадлежащие различным антивирусным программам, сетевым экранам и другим программам, связанным с вопросами обеспечения компьютерной безопасности:

  OUTPOST.EXE
  NMAIN.EXE 
  NORTON_INTERNET_SECU_3.0_407.EXE 
  NPF40_TW_98_NT_ME_2K.EXE 
  NPFMESSENGER.EXE 
  NPROTECT.EXE 
  NSCHED32.EXE 
  NTVDM.EXE 
  NVARCH16.EXE 
  KERIO-WRP-421-EN-WIN.EXE 
  KILLPROCESSSETUP161.EXE 
  LDPRO.EXE LOCALNET.EXE 
  LOCKDOWN.EXE 
  LOCKDOWN2000.EXE
  LSETUP.EXE 
  CLEANPC.EXE 
  AVprotect9x.exe 
  CMGRDIAN.EXE 
  CMON016.EXE 
  CPF9X206.EXE 
  CPFNT206.EXE 
  CV.EXE 
  CWNB181.EXE 
  CWNTDWMO.EXE
  ICSSUPPNT.EXE 
  DEFWATCH.EXE 
  DEPUTY.EXE 
  DPF.EXE 
  DPFSETUP.EXE
  DRWATSON.EXE 
  ENT.EXE 
  ESCANH95.EXE 
  AVXQUAR.EXE 
  ESCANHNT.EXE 
  ESCANV95.EXE 
  AVPUPD.EXE 
  EXANTIVIRUS-CNET.EXE 
  FAST.EXE 
  FIREWALL.EXE 
  FLOWPROTECTOR.EXE 
  FP-WIN_TRIAL.EXE 
  FRW.EXE FSAV.EXE
  AUTODOWN.EXE 
  FSAV530STBYB.EXE 
  FSAV530WTBYB.EXE 
  FSAV95.EXE 
  GBMENU.EXE 
  GBPOLL.EXE 
  GUARD.EXE 
  GUARDDOG.EXE
  HACKTRACERSETUP.EXE 
  HTLOG.EXE 
  HWPE.EXE 
  IAMAPP.EXE 
  IAMAPP.EXE 
  IAMSERV.EXE 
  ICLOAD95.EXE 
  ICLOADNT.EXE 
  ICMON.EXE 
  ICSUPP95.EXE 
  ICSUPPNT.EXE 
  IFW2000.EXE 
  IPARMOR.EXE 
  IRIS.EXE 
  JAMMER.EXE 
  ATUPDATER.EXE 
  AUPDATE.EXE 
  KAVLITE40ENG.EXE 
  KAVPERS40ENG.EXE 
  KERIO-PF-213-EN-WIN.EXE 
  KERIO-WRL-421-EN-WIN.EXE 
  BORG2.EXE 
  BS120.EXE 
  CDP.EXE 
  CFGWIZ.EXE 
  CFIADMIN.EXE 
  CFIAUDIT.EXE 
  AUTOUPDATE.EXE 
  CFINET.EXE 
  NAVAPW32.EXE 
  NAVDX.EXE 
  NAVSTUB.EXE 
  NAVW32.EXE 
  NC2000.EXE 
  NCINST4.EXE 
  AUTOTRACE.EXE 
  NDD32.EXE 
  NEOMONITOR.EXE 
  NETARMOR.EXE 
  NETINFO.EXE 
  NETMON.EXE 
  NETSCANPRO.EXE 
  NETSPYHUNTER-1.2.EXE 
  NETSTAT.EXE 
  NISSERV.EXE 
  NISUM.EXE 
  CFIAUDIT.EXE 
  LUCOMSERVER.EXE 
  AGENTSVR.EXE 
  ANTI-TROJAN.EXE 
  ANTI-TROJAN.EXE 
  ANTIVIRUS.EXE 
  ANTS.EXE 
  APIMONITOR.EXE 
  APLICA32.EXE 
  APVXDWIN.EXE 
  ATCON.EXE 
  ATGUARD.EXE 
  ATRO55EN.EXE 
  ATWATCH.EXE 
  AVCONSOL.EXE 
  AVGSERV9.EXE 
  AVSYNMGR.EXE 
  BD_PROFESSIONAL.EXE 
  BIDEF.EXE BIDSERVER.EXE 
  BIPCP.EXE 
  BIPCPEVALSETUP.EXE 
  BISP.EXE BLACKD.EXE 
  BLACKICE.EXE 
  BOOTWARN.EXE 
  NWINST4.EXE 
  NWTOOL16.EXE 
  OSTRONET.EXE 
  OUTPOSTINSTALL.EXE 
  OUTPOSTPROINSTALL.EXE 
  PADMIN.EXE 
  PANIXK.EXE 
  PAVPROXY.EXE 
  DRWEBUPW.EXE 
  PCC2002S902.EXE 
  PCC2K_76_1436.EXE 
  PCCIOMON.EXE 
  PCDSETUP.EXE 
  PCFWALLICON.EXE 
  PCFWALLICON.EXE 
  PCIP10117_0.EXE 
  PDSETUP.EXE 
  PERISCOPE.EXE 
  PERSFW.EXE 
  PF2.EXE 
  AVLTMAIN.EXE 
  PFWADMIN.EXE 
  PINGSCAN.EXE 
  PLATIN.EXE 
  POPROXY.EXE 
  POPSCAN.EXE 
  PORTDETECTIVE.EXE 
  PPINUPDT.EXE 
  PPTBC.EXE 
  PPVSTOP.EXE 
  PROCEXPLORERV1.0.EXE 
  PROPORT.EXE 
  PROTECTX.EXE 
  PSPF.EXE 
  WGFE95.EXE 
  WHOSWATCHINGME.EXE 
  AVWUPD32.EXE 
  NUPGRADE.EXE 
  WHOSWATCHINGME.EXE 
  WINRECON.EXE 
  WNT.EXE 
  WRADMIN.EXE 
  WRCTRL.EXE 
  WSBGATE.EXE 
  WYVERNWORKSFIREWALL.EXE 
  XPF202EN.EXE 
  ZAPRO.EXE 
  ZAPSETUP3001.EXE 
  ZATUTOR.EXE 
  CFINET32.EXE 
  CLEAN.EXE 
  CLEANER.EXE 
  CLEANER3.EXE 
  CLEANPC.EXE 
  CMGRDIAN.EXE 
  CMON016.EXE 
  CPD.EXE 
  CFGWIZ.EXE 
  CFIADMIN.EXE 
  PURGE.EXE 
  PVIEW95.EXE 
  QCONSOLE.EXE 
  QSERVER.EXE 
  RAV8WIN32ENG.EXE 
  REGEDT32.EXE 
  REGEDIT.EXE 
  UPDATE.EXE 
  RESCUE.EXE 
  RESCUE32.EXE 
  RRGUARD.EXE 
  RSHELL.EXE 
  RTVSCN95.EXE 
  RULAUNCH.EXE 
  SAFEWEB.EXE 
  SBSERV.EXE 
  SD.EXE 
  SETUP_FLOWPROTECTOR_US.EXE 
  SETUPVAMEEVAL.EXE 
  SFC.EXE 
  SGSSFW32.EXE 
  SH.EXE 
  SHELLSPYINSTALL.EXE 
  SHN.EXE 
  SMC.EXE 
  SOFI.EXE 
  SPF.EXE 
  SPHINX.EXE 
  SPYXX.EXE 
  SS3EDIT.EXE 
  ST2.EXE 
  SUPFTRL.EXE 
  LUALL.EXE 
  SUPPORTER5.EXE 
  SYMPROXYSVC.EXE 
  SYSEDIT.EXE 
  TASKMON.EXE 
  TAUMON.EXE 
  TAUSCAN.EXE 
  TC.EXE 
  TCA.EXE 
  TCM.EXE 
  TDS2-98.EXE 
  TDS2-NT.EXE 
  TDS-3.EXE 
  TFAK5.EXE 
  TGBOB.EXE 
  TITANIN.EXE 
  TITANINXP.EXE 
  TRACERT.EXE 
  TRJSCAN.EXE 
  TRJSETUP.EXE 
  TROJANTRAP3.EXE 
  UNDOBOOT.EXE 
  VBCMSERV.EXE 
  VBCONS.EXE 
  VBUST.EXE 
  VBWIN9X.EXE 
  VBWINNTW.EXE 
  VCSETUP.EXE 
  VFSETUP.EXE 
  VIRUSMDPERSONALFIREWALL.EXE 
  VNLAN300.EXE 
  VNPC3000.EXE 
  VPC42.EXE 
  VPFW30S.EXE 
  VPTRAY.EXE 
  VSCENU6.02D30.EXE 
  VSECOMR.EXE 
  VSHWIN32.EXE 
  VSISETUP.EXE 
  VSMAIN.EXE 
  VSMON.EXE 
  VSSTAT.EXE 
  VSWIN9XE.EXE 
  VSWINNTSE.EXE 
  VSWINPERSE.EXE 
  W32DSM89.EXE 
  W9X.EXE 
  WATCHDOG.EXE 
  WEBSCANX.EXE 
  CFIAUDIT.EXE 
  CFINET.EXE 
  ICSUPP95.EXE 
  MCUPDATE.EXE 
  CFINET32.EXE 
  CLEAN.EXE 
  CLEANER.EXE 
  LUINIT.EXE 
  MCAGENT.EXE 
  MCUPDATE.EXE 
  MFW2EN.EXE 
  MFWENG3.02D30.EXE 
  MGUI.EXE 
  MINILOG.EXE 
  MOOLIVE.EXE 
  MRFLUX.EXE 
  MSCONFIG.EXE 
  MSINFO32.EXE 
  MSSMMC32.EXE 
  MU0311AD.EXE 
  NAV80TRY.EXE 
  ZAUINST.EXE 
  ZONALM2601.EXE 
  W32DSM89.EXE
  W9X.EXE
  WATCHDOG.EXE
  WEBSCANX.EXE
  CFIAUDIT.EXE
  CFINET.EXE
  ICSUPP95.EXE
  MCUPDATE.EXE
  CFINET32.EXE
  CLEAN.EXE
  CLEANER.EXE
  LUINIT.EXE
  MCAGENT.EXE
  MCUPDATE.EXE
  MFW2EN.EXE
  MFWENG3.02D30.EXE
  MGUI.EXE
  MINILOG.EXE
  MOOLIVE.EXE
  MRFLUX.EXE
  MSCONFIG.EXE
  MSINFO32.EXE
  MSSMMC32.EXE
  MU0311AD.EXE
  NAV80TRY.EXE
  ZAUINST.EXE
  ZONALM2601.EXE
  ZONEALARM.EXE
  

После 25 января 2005 года червь прекратит свою деятельность.