The Computer Guys

Alerts February 2005

Top 10 malware reported to Sophos in February 2005

Position  Last month  Malware        Percentage of reports
1         1           W32/Zafi-D     30.8%
2         3           W32/Netsky-P   22.3%
3         4           W32/Zafi-B      9.7%
4         New         W32/Bagle-BK    5.2%
5         5           W32/Netsky-D    4.2%
6         6           W32/Netsky-Z    3.8%
7         New         W32/Sober-K     3.4%
8         Re-entry    W32/Sobig-F     2.5%
9         8           W32/Netsky-B    2.4%
10        9           W32/MyDoom-O    1.5%
                      Others         14.2%

 

W32/Bagle-BK is an email and P2P worm.

The dropper component of W32/Bagle-BK drops the main file to the Windows folder with the filename CJECTOR.EXE. The dropped component then copies itself to the Windows system folder with the filename SYSFORMAT.EXE. In order to run automatically each time a user logs in, W32/Bagle-BK periodically sets the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    sysformat = <Windows system folder>\sysformat.exe

W32/Bagle-BK also copies itself to folders on the infected computer which contain the string "shar" in the name, copying itself with the following filenames:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
XXX hardcore images.exe

W32/Bagle-BK may also copy itself to the Windows system folder with the filenames SYSFORMAT.EXEOPEN and SYSFORMAT.EXEOPENOPEN.

W32/Bagle-BK attempts to delete entries with the following values from both

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

so as to disable other malware variants that use these run entries:

My AV
ICQ Net

W32/Bagle-BK attempts to disable services with the display name of "SharedAccess" or "wscsvc".

W32/Bagle-BK sets the following time-related registry entry:

HKCU\Software\Microsoft\Params\riga

W32/Bagle-BK attempts to download and execute a number of files from remote websites to RE_FILE.EXE in the Windows system folder. At the time of writing, these files were unavailable for download.
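The host-side indicators above (the sysformat run entry, the Params\riga value, the dropped files and the lure copies in "shar" folders) can be checked against a registry export and a file listing. The following is an added example, not part of the original alert or of Sophos's products; the .reg text and file paths are constructed sample data, and the riga value's type and data are assumed.

```python
import re

# Indicators are the ones listed in the W32/Bagle-BK description above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
DROPPED = {"cjector.exe", "sysformat.exe", "sysformat.exeopen",
           "sysformat.exeopenopen", "re_file.exe"}
LURES = {"1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe",
         "9.exe", "10.exe", "acdsee 9.exe", "adobe photoshop 9 full.exe",
         "ahead nero 7.exe", "matrix 3 revolution english subtitles.exe",
         "opera 8 new!.exe", "winamp 5 pro keygen crack update.exe",
         "winamp 6 new!.exe", "windown longhorn beta leak.exe",
         "xxx hardcore images.exe"}

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if m:
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")  # .reg escapes \ as \\
                keys[current][m.group(1)] = data
    return keys

def find_indicators(reg_text, file_paths):
    """Return a list of findings; an empty list means no Bagle-BK indicator was seen."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if name.lower() == "sysformat" and data.lower().endswith("\\sysformat.exe"):
                    findings.append(f"persistence: {key}\\{name} = {data}")
        elif k.endswith(r"\software\microsoft\params") and "riga" in {n.lower() for n in values}:
            findings.append(f"marker value: {key}\\riga")
    for path in file_paths:
        folder, _, name = path.replace("/", "\\").rpartition("\\")
        if name.lower() in DROPPED:
            findings.append(f"dropped file: {path}")
        elif "shar" in folder.lower() and name.lower() in LURES:
            findings.append(f"P2P lure copy: {path}")
    return findings

# Constructed sample data, not taken from a real host (riga type/data assumed).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysformat"="C:\\WINDOWS\\system32\\sysformat.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Params]
"riga"=dword:00000001
"""
SAMPLE_FILES = [r"C:\WINDOWS\cjector.exe", r"C:\WINDOWS\system32\sysformat.exeopen",
                r"C:\Shared Files\WinAmp 6 New!.exe", r"C:\Shared Files\readme.txt"]
```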

W32/Bagle-BK attempts to send itself via email to addresses harvested from files found on the infected computer with the following extensions:

WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, JSP

The emails have the following characteristics:

Subject line:

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message text:

Thanks for use of our software.
Before use read the help

Attached filename:

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

Attachment extension:

EXE
SCR
COM
CPL

W32/Bagle-BK will not send itself to addresses containing the following strings:

@avp., @foo, @iana, @messagelab, @microsoft, abuse, admin, anyone@, bsd, bugs@, cafee, certific, contract@, f-secur, feste, free-av, gold-certs@, google, help@, icrosoft, info@, kasp, linux, listserv, local, news, nobody@, noone@, noreply, ntivi, panda, pgp, postmaster@, rating@, root@, samples, sopho, spam, support, unix, update, winrar, winzip
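The subject lines, message text and attachment names above give a mail gateway a recognisable profile for this worm's messages. The following is an added example, not part of the original alert, that scores a raw RFC 822 message against those traits using only the Python standard library; the sample message is constructed and its attachment body is dummy bytes.

```python
import email
from email import policy

# Mail characteristics listed in the W32/Bagle-BK description above.
SUBJECTS = {"Delivery service mail", "Delivery by mail", "Registration is accepted",
            "Is delivered mail", "You are made active"}
BODY_LINES = {"Thanks for use of our software.", "Before use read the help"}
ATTACH_NAMES = {"wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "jol03"}
ATTACH_EXTS = {"exe", "scr", "com", "cpl"}

def bagle_bk_indicators(raw):
    """Return the Bagle-BK mail traits found in a raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(line in text for line in BODY_LINES):
        hits.append("body")
    for part in msg.iter_attachments():
        # Attachment names are a fixed base name plus one of four extensions.
        base, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if base in ATTACH_NAMES and ext in ATTACH_EXTS:
            hits.append(f"attachment:{base}.{ext}")
    return hits

def looks_like_bagle_bk(raw):
    """Flag only when at least two independent traits match, to limit false positives."""
    return len(bagle_bk_indicators(raw)) >= 2

# Constructed sample message (not a real capture); the base64 payload is dummy data.
SAMPLE = b"""From: sender@example.net
To: user@example.net
Subject: Delivery service mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Thanks for use of our software.
Before use read the help

--xyz
Content-Type: application/octet-stream; name="guupd02.exe"
Content-Disposition: attachment; filename="guupd02.exe"
Content-Transfer-Encoding: base64

AAAAAAAAAAAA
--xyz--
"""
```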

W32/Bagle-BK attempts to terminate the following processes:

alogserv.exe, APVXDWIN.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, Avconsol.exe, AVENGINE.EXE, AVPUPD.EXE, Avsynmgr.exe, AVWUPD32.EXE, AVXQUAR.EXE, bawindo.exe, blackd.exe, ccApp.exe, ccEvtMgr.exe, ccProxy.exe, ccPxySvc.exe, CFIAUDIT.EXE, DefWatch.exe, DRWEBUPW.EXE, ESCANH95.EXE, ESCANHNT.EXE, FIREWALL.EXE, FrameworkService.exe, ICSSUPPNT.EXE, ICSUPP95.EXE, LUALL.EXE, LUCOMS~1.EXE, mcagent.exe, mcshield.exe, MCUPDATE.EXE, mcvsescn.exe, mcvsrte.exe, mcvsshld.exe, navapsvc.exe, navapw32.exe, NISUM.EXE, nopdb.exe, NPROTECT.EXE, NUPGRADE.EXE, OUTPOST.EXE, PavFires.exe, pavProxy.exe, pavsrv50.exe, Rtvscan.exe, RuLaunch.exe, SAVScan.exe, SHSTAT.EXE, SNDSrvc.exe, symlcsvc.exe, UPDATE.EXE, UpdaterUI.exe, Vshwin32.exe, VsStat.exe, VsTskMgr.exe

W32/Bagle-BK contains a backdoor that can be used to run executable files sent to the infected machine.

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Bagle-BK (detected as W32/Bagle-Gen) since version 3.86.
 

Copyright © 1998 The Computer Guys