BAGZ.I,
mail worm that infects without the message being opened,
exploiting an old vulnerability.
© Jorge Machado Lima-Perú
W32/Bagz.I@mm,
I.worm.Bagz.I@mm
Bagz.I is a worm reported on December 14, 2004, which spreads massively through e-mail messages carrying an attached file with a random name and a ZIP extension, or a double extension padded with blank spaces.
It uses the spoofing technique to disguise the sender's name; subjects and bodies are random.
It runs without the message being opened, exploiting the IFRAME exploit and the MIME exploit in MS Outlook and Outlook Express.
It is a PE (Portable Executable) and infects Windows 95/98/NT/Me/2000/XP, including NT/2000/Server 2003 servers. It is written in Visual C++, is 160 KB in size and is compressed with the UPX utility (Ultimate Packer for eXecutables):
http://upx.sourceforge.net
Using its own SMTP (Simple Mail Transfer Protocol) engine it mails itself to the e-mail addresses found in files with the following extensions:
The message has the following characteristics:
Sender: uses the spoofing technique, impersonating the real senders.
Subject, one of the following:
- [Fwd: Broken link]
- big announcements
- building maintenance
- Cost Inquiry
- Deactivation Notice
- failure notice
- find a solution with this customer
- Fwd: Password
- Fwd: Your Funds are Eligible for Withdrawal
- Knowledge Base Article
- last request before refunding
- Message recieved, please confirm
- My funny stories
- Need help pls
- No Subject
- Open Invoices
- Order Approval
- progress news
- Questions
- Re: Help Desk Registration
- Re: payment
- RE: Re: A question
- Re: User ID Update
- referrences
- Returned mail: see transcript for details
- troubles are back again
- units available
- Webmail Invite
- What is this ????
- when should i call you?
- WinXP
- You have recieved an eCard!
Body, one of the following:
- Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User
- Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks,
User
- Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User
- Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User
- Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User
- Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User
- Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User
- ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
- ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
- ***URGENT: SERVICE SHUTDOWN NOTICE***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your account.
Regards,
Net Operator
***URGENT: SERVICE SHUTDOWN NOTICE***
Attachment, one of the following:
- account.doc .exe
- account.zip
- arch.doc .exe
- arch.zip
- archive.doc .exe
- archive.zip
- atach.doc .exe
- atach.zip
- att.doc .exe
- att.zip
- contact.doc .exe
- contact.zip
- db.doc .exe
- db.zip
- doc.doc .exe
- doc.zip
- documents.doc .exe
- documents.zip
- file.doc .exe
- file.zip
- mail.doc .exe
- mail.zip
- message.doc .exe
- message.zip
- messages.doc .exe
- messages.zip
- msg.doc .exe
- msg.zip
- read.doc .exe
- read.zip
- readme.doc .exe
- readme.zip
- support.doc .exe
- support.zip
- tutorial.doc .exe
- warning.doc .exe
- warning.zip
When activated, the worm copies itself to the %System% folder under the following names:
- DL.EXE
- SYSLOGIN.EXE
- TUTORIAL.DOC [blank_spaces].EXE
It immediately runs the file SYSLOGIN.EXE and proceeds to its mass-mailing routine, and so that it runs again the next time the system starts it creates the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syslogin.exe" = "SYSLOGIN.EXE"
%System% is the variable C:\Windows\System for Windows 95/98/Me, C:\Winnt\System32 for Windows NT/2000 and C:\Windows\System32 for Windows XP and Windows Server 2003.
It terminates the processes of a long list of antivirus, firewall and security software.
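As an added detection example (not part of the advisory or of PER ANTIVIRUS), the following Python flags attachment names that use the padded double extension described above, or a ZIP with one of the listed base names, and checks Run-key entries for the worm's persistence value. The sample attachment names and the benign Run entry are constructed.

```python
import re

# Attachment base names listed for Bagz.I in the advisory above.
BAGZ_BASENAMES = {
    "account", "arch", "archive", "atach", "att", "contact", "db", "doc",
    "documents", "file", "mail", "message", "messages", "msg", "read",
    "readme", "support", "tutorial", "warning",
}

# Files the worm drops in %System% (blanks in TUTORIAL.DOC [...].EXE removed).
BAGZ_DROPPED = {"dl.exe", "syslogin.exe", "tutorial.doc.exe"}

# "name.doc    .exe": a harmless-looking extension, a run of blanks that pushes
# the real extension out of view in the mail client, then the executable one.
PADDED_DOUBLE_EXT = re.compile(r"^[^.\s]+\.[a-z0-9]{1,4}\s+\.exe$", re.I)


def classify_attachment(name: str) -> str:
    """Return 'padded-exe', 'bagz-zip' or 'ok' for one attachment filename."""
    if PADDED_DOUBLE_EXT.match(name):
        return "padded-exe"
    base, _, ext = name.rpartition(".")
    if ext.lower() == "zip" and base.lower() in BAGZ_BASENAMES:
        return "bagz-zip"
    return "ok"


def suspicious_run_entries(run_entries: dict) -> list:
    """Return Run value names whose command launches one of the dropped files."""
    hits = []
    for value_name, command in run_entries.items():
        # Collapse the blank padding and keep only the file name of the command.
        exe = re.sub(r"\s+", "", command.strip('"')).rsplit("\\", 1)[-1].lower()
        if exe in BAGZ_DROPPED or value_name.lower() in BAGZ_DROPPED:
            hits.append(value_name)
    return hits


# Constructed sample input: two padded names, one listed ZIP, two benign files,
# and a Run key holding the worm's entry next to a benign one.
SAMPLE_ATTACHMENTS = ["account.doc .exe", "tutorial.doc        .exe",
                      "msg.zip", "quarterly.pdf", "archive.doc"]
SAMPLE_RUN = {"syslogin.exe": "SYSLOGIN.EXE",
              "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r}: {classify_attachment(name)}")
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN))
```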
To prevent this type of infection, the "Show preview pane" option must be disabled in MS Outlook and Outlook Express as follows:

Uncheck the "Show preview pane" option, click "Apply" and then "OK".
The patch for both the IFRAME exploit and the MIME exploit can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/ms01-020.mspx
PER ANTIVIRUS® version 9.0 with virus definitions dated December 14, 2004 detects and removes this worm.

