|
BAGZ.D,
gusano de Correo deshabilita antivirus firewalls, etc. impide acceso a
sitios web de antivirus.
|
|
©
Jorge Machado Lima-Perú
|
|
W32/Bagz.D@mm,
I.worm.Bagz.D@mm
 |
|
Bagz.D es
un gusano reportado el 21 de Octubre del
2004, de propagación masiva a través de mensajes de Correo con un archivo
anexado de nombre aleatorio de extensión EXE
o ZIP.
Es un "dropper" que libera otros
archivos. Termina los procesos de antivirus, firewalls y software de
seguridad. Impide el acceso a una larga lista de portales de sistemas de
seguridad. |
Es
un PE (Portable
Ejecutable) e infecta Windows
95/98/NT/Me/2000/XP,
incluyendo los servidores NT/2000/Server
2003, está desarrollado en Visual C++, con una
extensión de 153 KB y comprimido con el utilitario UPX (Ultimate
Packer for eXecutables):
http://upx.sourceforge.net
Usando su propio SMTP (Simple
Mail Transfer Protocol) se auto-envía a las direcciones de correo
contenidas en la Libreta de Direcciones de Windows
(WAB) o de archivos con las siguientes extensiones:
- TBB
- tbb
- TBI
- tbi
- DBX
- dbx
- HTM
- htm
- TXT
- txt
Evita
enviarse a las direcciones que contengan las cadenas:
- winzip
- winrar
- webmaster@
- update
- unix
- support@
- support
- spam
- sopho
- samples
- root@
- rating@
- postmaster@
- pgp
- panda
- ntivi
- noreply
- noone@
- nobody@
- news
- netadmin@
- local
- listserv
- linux
- kasp
- info@
- icrosoft
- hostmaster@
- help@
- google
- gold-certs@
- gold-
- free-av
- feste
- f-secur
- contract@
- contact@
- certs@
- certific
- cafee
- bugs@
- bsd
- anyone@
- all@
- administrator@
- admin
- abuse
- @microsoft
- @messagelab
- @iana
- @foo
- @avp
- oocies
El
mensaje tiene las siguientes características:
Remitente, cualquiera de
los extraídos en el sistema infectado.
Asunto, aleatoriamente
uno de los siguientes:
- ASAP
- please responce
- Read this
- urgent
- toxic
- contract
- Money
- office
- Have a nice day
- Hello
- Russian's
- Amirecans
- attachments
- attach
- waiting
- best regards
- Administrator
- Warning
- text
- Vasia
- re: Andrey
- re: please
- re: order
- Allert!
- Att
Contenido, uno de los
siguientes:
- Hi
Did you get the previous document I attached for you?
I resent it in this email just in case, because I
really need you to check it out asap.
Best Regards
- Hi
I made a mistake and forgot to click attach
on the previous email I sent you. Please give me
your opinion on this opportunity when you get a chance.
Best Regards
- Hi
I was supposed to send you this document yesterday.
Sorry for the delay, please forward this to your family if possible.
It contains important info for both of you.
- Hi
Sorry, I forgot to send an important
document to you in that last email. I had an important phone call.
Please checkout attached doc file when you have a moment.
Best Regards
- Hi
I was in a rush and I forgot to attach an important
document. Please see attached doc file.
Best Regards,
- Sorry to bother you, but I am having a problem receiving your emails.
I am responding to your last email in the attached file.
Please get back to me if there is any problem reading the attachment.
- I am responding to your last email in the attached file.
I had a delivery problem with your inbox, so maybe you'll receive this
now.
- Can you please check out the email I have attached?
For some reason, I received only part of your last several emails.
I want to make sure that there are no problems with either of our
accounts.
- This email is being sent as attachment because
it was previously blocked by your email filters.
Please view the attachment and respond.
Thanks
- I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks
- I apologize, but I need you to verify
that I have the correct contact info for you.
My system crashed last weekend and
I lost most of my friends and work contacts.
Please check the attached (.pdf) and
please let me know if your info is current.
- My last email to you was returned.
The reason is that I am not currently
added to your "allowed" contact list.
Please add my updated contact info
provided in the attached (.pdf) file
so I can send you emails in the future.
Sincerely
- I have updated my email address
See the (.pdf) file attached and
please respond if you have any questions.
- We have made recent updates to our database.
Please verify your mailing address on file is correct.
We have attached a (.pdf) sheet for you to use for your response.
- Hello
Our contact information has changed.
See the attached (.pdf) sheet for details.
Sincerely,
- ***URGENT: SERVICE SHUTDOWN NOTICE***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your
account.
Regards,
Net Operator
***URGENT: SERVICE SHUTDOWN NOTICE***
- ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
- ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
- Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User
- Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User
- Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User
- Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User
- Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User
- Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks,User
- Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User
Anexado, uno de los
siguientes con extensión EXE:
- backup.doc [espacios_en-blanco] .exe
- admin.doc [espacios_en-blanco] .exe
- archivator.doc [espacios_en-blanco] .exe
- about.doc [espacios_en-blanco] .exe
- readme.doc [espacios_en-blanco] .exe
- help.doc [espacios_en-blanco] .exe
- photos.doc [espacios_en-blanco] .exe
- payment.doc [espacios_en-blanco] .exe
- archives.doc [espacios_en-blanco] .exe
- manual.doc [espacios_en-blanco] .exe
- inbox.doc [espacios_en-blanco] .exe
- outbox.doc [espacios_en-blanco] .exe
- save.doc [espacios_en-blanco] .exe
- rar.doc [espacios_en-blanco] .exe
- zip.doc [espacios_en-blanco] .exe
- ataches.doc [espacios_en-blanco] .exe
- documentation.doc [espacios_en-blanco] .exe
- docs.doc [espacios_en-blanco] .exe
- sysboot.doc [espacios_en-blanco] .exe
o con extensión .ZIP:
- backup.zip
- admin.zip
- archivator.zip
- about.zip
- readme.zip
- help.zip
- photos.zip
- payment.zip
- archives.zip
- manual.zip
- inbox.zip
- docs.zip
- outbox.zip
- save.zip
- rar.zip
- zip.zip
- ataches.zip
- documentation.zip
Al activarse el gusano se copia a la carpeta %System%
con el nombre del archivo anexado recibido y para ejecutarse la próxima vez que
se inicie el sistema genera la siguiente llave de registro:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"default" =
"%System%\[nombre_de_archivo_anexado]"
%System% es la variable C:\Windows\System
para Windows 95/98/Me, C:\Winnt\System32
para Windows NT/2000 y C:\Windows\System32
para Windows XP y Windows Server 20003.
Al siguiente re-inicio libera los siguientes archivos:
%System%\rpc32.exe
%System%\run32.exe
%System%\sysboot.doc [espacios_en_blanco] .EXE
El archivo rpc32.exe es instalado como un
servicio con las propiedades:
Nombre: Network Explorer
Ruta de imagen: %System%\rpc32.exe
Descripción: se ejecuta y configura herramientas de acceso desde una
ventana.
Luego borra los procesos y claves de registro de los siguientes
archivos:
- pfwadmin.exe
- persfw.exe
- sched.exe
- aswupdsv.exe
- aswregsvr.exe
- aswboot.exe
- ashskpck.exe
- ashskpcc.exe
- ashsimpl.exe
- ashserv.exe
- ashquick.exe
- ashpopwz.exe
- ashmaisv.exe
- ashlogv.exe
- ashdisp.exe
- ashchest.exe
- ashbug.exe
- ashavast.exe
- symnavo.dll
- statushp.dll
- sdstp32i.dll
- sdsok32i.dll
- sdsnd32i.dll
- sdpck32i.dll
- scriptui.dll
- scanmgr.dll
- scandres.dll
- scandlvr.dll
- savscan.exe
- savrtpel.sys
- savrt32.dll
- savrt.sys
- s32navo.dll
- s32integ.dll
- quaropts.dat
- quarantine
- quar32.dll
- qspak32.dll
- qconsole.exe
- qconres.dll
- ptchinst.dll
- probegse.dll
- patch25d.dll
- opscan.exe
- officeav.dll
- oeheur.dll
- netbrext.dll
- navwnt.exe
- navw32.exe
- navuihtm.dll
- navui.nsi
- navui.dll
- navtskwz.dll
- navtasks.dll
- navstub.exe
- navstats.dll
- navshext.dll
- navprod.dll
- navopts.dll
- navoptrf.dll
- navntutl.dll
- navlucbk.dll
- navlogv.dll
- navlnch.dll
- navlcom.dll
- navevent.dll
- naverror.dll
- navcomui.dll
- navcfgwz.dll
- navapw32.exe
- navapw32.dll
- navapsvc.exe
- navapscr.dll
- navap32.dll
- n32exclu.dll
- n32call.dll
- ltchkres.dll
- djsalert.dll
- defalert.dll
- cfgwzres.dll
- cfgwiz.exe
- ccimscn.exe
- cimscan.dll
- ccavmail.dll
- bootwarn.exe
- avres.dll
- avcompbr.dll
- apwutil.dll
- apwcmdnt.dll
- aboutplg.dll
- zlparser.dll
- vsvault.dll
- sruledb.dll
- vsmon.exe
- vsdb.dll
- vsavpro.dll
- ssleay32.dll
- cerbprovider.pvx
- camupd.dll
- zonealarm.exe
- zl_priv.htm
- zlclient.exe
- zav.zap
- zauninst.exe
- zatutor.exe
- tutorwiz.dll
- security.zap
- programs.zap
- idlock.zap
- framewrk.dll
- firewall.zap
- filter.zap
- email.zap
- alert.zap
- wormres.dll
- vsowow.dll
- vsoupd.dll
- vsoui.dll
- mcshield.dll
- vsagntui.dll
- shlres.dll
- shextres.inf
- shextbin.inf
- scrstres.inf
- scrpsbin.inf
- scrpres.dll
- scanserv.dll
- scan.dat
- patchw32.dll
- outscres.dll
- outscan.dll
- ntclient.dll
- naievent.dll
- naiann.dll
- mcvsworm.dll
- mcvsskt.dll
- mcvsshld.exe
- mcvsshl.dll
- mcvsscrp.dll
- mcvsrte.exe
- mcvsmap.exe
- mcvsftsn.exe
- mcvsescn.exe
- mcvsctl.dll
- mcurial.dll
- mcshield.exe
- mcscan32.dll
- mcmnhdlr.exe
- mcavtsub.dll
- imscnres.inf
- imscnbin.inf
- ftscnres.dll
- emscnres.dll
- edisk.dll
- ashldres.dll
- appinit.ini
- 804mbd1.img
- 804mbd1.chk
- mghtml.exe
- mcinfo.exe
- mcappins.exe
- dunzip32.dll
- mvtx.exe
- mpfwizard.exe
- mpfupdchk.dll
- mpfui.dll
- mpftray.exe
- mpfservice.exe
- mpfconsole.exe
- mpfagent.exe
El gusano sobre-escribe el archivo HOSTS
en las carpetas Windows y Winnt\System32\drivers\etc\,
respectivamente.
El archivo HOSTS es renombrado como Bagz!hosts,
impidiendo el acceso a portales, la
mayoría pertenecientes a productos de seguridad:
- 127.0.0.1 ad.doubleclick.net
- 127.0.0.1 ad.fastclick.net
- 127.0.0.1 ads.fastclick.net
- 127.0.0.1 ar.atwola.com
- 127.0.0.1 atdmt.com
- 127.0.0.1 avp.ch
- 127.0.0.1 avp.com
- 127.0.0.1 avp.ru
- 127.0.0.1 awaps.net
- 127.0.0.1 banner.fastclick.net
- 127.0.0.1 banners.fastclick.net
- 127.0.0.1 ca.com
- 127.0.0.1 click.atdmt.com
- 127.0.0.1 clicks.atdmt.com
- 127.0.0.1 dispatch.mcafee.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 download.microsoft.com
- 127.0.0.1 downloads.microsoft.com
- 127.0.0.1 engine.awaps.net
- 127.0.0.1 f-secure.com
- 127.0.0.1 fastclick.net
- 127.0.0.1 ftp.f-secure.com
- 127.0.0.1 ftp.sophos.com
- 127.0.0.1 go.microsoft.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 mast.mcafee.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 media.fastclick.net
- 127.0.0.1 msdn.microsoft.com
- 127.0.0.1 my-etrust.com
- 127.0.0.1 nai.com
- 127.0.0.1 networkassociates.com
- 127.0.0.1 office.microsoft.com
- 127.0.0.1 phx.corporate-ir.net
- 127.0.0.1 secure.nai.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 service1.symantec.com
- 127.0.0.1 sophos.com
- 127.0.0.1 spd.atdmt.com
- 127.0.0.1 support.microsoft.com
- 127.0.0.1 symantec.com
- 127.0.0.1 vupdate.symantec.com
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 vil.nai.com
- 127.0.0.1 viruslist.ru
- 127.0.0.1 windowsupdate.microsoft.com
- 127.0.0.1 www.avp.ch
- 127.0.0.1 www.avp.com
- 127.0.0.1 www.avp.ru
- 127.0.0.1 www.awaps.net
- 127.0.0.1 www.ca.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 www.fastclick.net
- 127.0.0.1 www.kaspersky.ru
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 www.networkassociates.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 www.symantec.com
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 www.viruslist.ru
- 127.0.0.1 www3.ca.com
Sus payloads
son los siguientes:
- Se propaga masivamente en mensajes de correo
con un archivo aleatorio de extensión EXE o ZIP.
- Actúa como "dropper" liberando
varios archivos.
- Usa su propio SMTP para enviarse a
direcciones extraídas de la libreta WAB o de archivos de determinadas
extensiones.
- Evita enviarse a direcciones
con ciertas cadenas.
- Termina los procesos y borra
las claves de registro de antivirus, firewalls y archivos de control.
- Sobre-escribe el archivo HOSTS e impide el
acceso a múltiples sitios en la web pertenecientes a sistemas de seguridad.
PER ANTIVIRUS®
versión 8.9 con registro de virus al 21 de Octubre del
2004 detecta y elimina eficientemente este gusano.
