Bagz.F

BAGZ.F, gusano de Correo deshabilita antivirus firewalls, etc. impide acceso a sitios web de antivirus.

W32/Bagz.F@mm, W32/Bagz.E@mm, I.worm.Bagz.F@mm

Bagz.F es un gusano reportado el 28 de Octubre del 2004, de propagación masiva a través de mensajes de correo con un archivo anexado de nombre aleatorio y extensión ZIP que contiene un EXE

Es un "dropper" que libera otros archivos. Termina los procesos de antivirus, firewalls y software de seguridad. Impide el acceso a una larga lista de portales de sistemas de seguridad.

Infecta únicamente a Windows Windows NT/2000/XP, incluyendo los servidores NT/2000/Server 2003, está desarrollado en Visual C++, con extensión variable y comprimido con el utilitario UPX (Ultimate Packer for eXecutables):

http://upx.sourceforge.net

Usando su propio SMTP (Simple Mail Transfer Protocol) se auto-envía a las direcciones de correo contenidas en los archivos con las siguientes extensiones:

Evita enviarse a las direcciones que contengan las cadenas:

@avp
@foo
@iana
@messagelab
@microsoft
abuse
admin
administrator@
all@
anyone@
bsd
bugs@
cafee
certific
certs@
contact@
contract@
feste
free-av
f-secur
gold-
gold-certs@
google
help@
hostmaster@
icrosoft
info@
kasp
linux
listserv
local
netadmin@
news
nobody@
noone@
noreply
ntivi
Oocies
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
support@
unix
update
webmaster@
winrar
winzip

El mensaje tiene las siguientes características:

Remitente, usa la técnica Spoofing que suplanta la identidad de los verdaderos remitentes.

Asunto, aleatoriamente uno de los siguientes:

ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!
Att

Contenido, uno de los siguientes:

I made a mistake and forgot to click attach on the previous email I sent you. Please give me your opinion on this opportunity when you get a chance.
Best Regards
I was supposed to send you this document yesterday. Sorry for the delay, please forward this to your family if possible. It contains important info for both of you.
Sorry, I forgot to send an important document to you in that last email. I had an important phone call. Please checkout attached doc file when you have a moment.
Best Regards
I was in a rush and I forgot to attach an important document. Please see attached doc file.
Best Regards,
Sorry to bother you, but I am having a problem receiving your emails. I am responding to your last email in the attached file. Please get back to me if there is any problem reading the attachment.
I am responding to your last email in the attached file. I had a delivery problem with your inbox, so maybe you'll receive this now. Can you please check out the email I have attached?
For some reason, I received only part of your last several emails. I want to make sure that there are no problems with either of our accounts.
This email is being sent as attachment because it was previously blocked by your email filters. Please view the attachment and respond. Thanks
I resent this email as attachment because it was previously blocked by your email filters. Please read the attachment and respond. Thanks
I apologize, but I need you to verify that I have the correct contact info for you. My system crashed last weekend and I lost most of my friends and work contacts. Please check the attached (.pdf) and please let me know if your info is current.
My last email to you was returned. The reason is that I am not currently added to your "allowed" contact list. Please add my updated contact info provided in the attached (.pdf) file so I can send you emails in the future.
Sincerely
I have updated my email address See the (.pdf) file attached and please respond if you have any questions.
We have made recent updates to our database. Please verify your mailing address on file is correct. We have attached a (.pdf) sheet for you to use for your response.
Hello Our contact information has changed. See the attached (.pdf) sheet for details.
Sincerely,
***URGENT: SERVICE SHUTDOWN NOTICE*** Due to your failure to comply with our email Rules and Regulations, your email account has been temporarily suspended for 24 hours unless we are contacted regarding this situation. You must read the attached document for further instructions. Failure to comply will result in termination of your account.
Regards,
Net Operator
***URGENT: SERVICE SHUTDOWN NOTICE***
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails. This may be a billing issue. Please call the billing center. The # for the billing office is located in the attached contact list for your convenience.
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello, The previous email you sent has been recognized as spam. This means your email was not delivered to your friend or client. You must open the attached file to receive more information.
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello, What version of windows you are using? This last document I received from you came out weird. Please see the attached word file and resend the file to me.
Many thanks,
Hello, My PC crashed while I was sending that last email. I have re-attached the document of yours that I discovered. Please read attached document and respond ASAP.
Sincerely,
Hello, Your email was sent in an INVALID format. To verify this email was sent from you, simply open the attached email (.eml) file and click yes in the sender options box.
Thank You,
Hello, Your email was received. YOUR REPLY IS URGENT! Please view the attached text file for instructions.
Regards,
Hello, I was in a hurry and I forgot to attach an important document. Please see attached.
Best Regards,
Hello, I resent this email as attachment because it was previously blocked by your email filters. Please read the attachment and respond.
Thanks,User
Hello, Sorry, I forgot to attach the new contact information. Please view the attached (.pdf) contact sheet.
Sincerely,
User

Anexado, uno de los siguientes con extensión ZIP:

about.zip
admin.zip
archivator.zip
archives.zip
ataches.zip
backup.zip
docs.zip
documentation.zip
help.zip
inbox.zip
manual.zip
outbox.zip
payment.zip
photos.zip
rar.zip
readme.zip
save.zip
zip.zip

estos archivos empaquetados en formato ZIP contienen uno de los siguientes ejecutables:

about.doc .exe
admin.doc .exe
archivator.doc .exe
archives.doc .exe
ataches.doc .exe
backup.doc .exe
docs.doc .exe
documentation.doc .exe
help.doc .exe
inbox.doc .exe
manual.doc .exe
outbox.doc .exe
payment.doc .exe
photos.doc .exe
rar.doc .exe
readme.doc .exe
save.doc .exe
sqlssl.doc .exe
zip.doc .exe

Al activarse el gusano se copia a la carpeta %System% con el nombre del archivo anexado recibido y para ejecutarse la próxima vez que se inicie el sistema genera la siguiente llave de registro:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services]
"Alexora" = "%System%\[nombre_de_archivo_anexado]"

%System% es la variable C:\Windows\System para Windows 95/98/Me, C:\Winnt\System32 para Windows NT/2000 y C:\Windows\System32 para Windows XP y Windows Server 20003.

Al siguiente re-inicio libera los siguientes archivos:

%System%\trace32.exe
%System%\sysinfo32.exe
%System%\sqlssl.doc[espacios_en_blanco].exe

El archivo trace32.exe es instalado como un servicio con las propiedades:

Nombre: Windows Secure SSL
Ruta de imagen: %System%\trace32.exe
Descripción:

This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service.

Termina los procesos de una larga lista de antivirus, firewalls y software de seguridad.

Luego sobre-escribe el archivo HOSTS en las carpetas Windows y Winnt\System32\drivers\etc\, respectivamente impidiendo el acceso a los siguientes portales, la mayoría pertenecientes a sistemas de seguridad con lo cual el gusano intenta que los usuarios actualicen sus antivirus:

ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com

Sus payloads son los siguientes:

Se propaga masivamente en mensajes de correo con un archivo aleatorio de extensión ZIP que contiene uno de extensión .EXE
Actúa como "dropper" liberando varios archivos.
Usa su propio SMTP para enviarse a direcciones extraídas a archivos de determinadas extensiones.
Evita enviarse a direcciones con ciertas cadenas.
Termina los procesos de antivirus, firewalls, archivos de seguridad y control.
Sobre-escribe el archivo HOSTS e impide el acceso a múltiples sitios en la web pertenecientes a sistemas de seguridad.

PER ANTIVIRUS® versión 8.9 con registro de virus al 28 de Octubre del 2004 detecta y elimina eficientemente este gusano.