wipe-deletion-erasure-purge


Email-Worm.Win32.Bagle.bj

Email-Worm.Win32.Bagle.bj

CyberScrub AntiVirus
Research Bank

This modification of Bagle has all the functionality of other Bagle worms except that it is unable to self-replicate. It was mass mailed using spamming technologies.

The worm itself is a Windows PE EXE file, packed using PEX. The packed files is approximately 38KB in size, and the unpacked file is approximately 65KB in size.

Once launched, the worm creates a text file in the Windows temporary directory. The file name begins with a tilde (~) and has a .txt extension. The file contains the following text:

The worm will cause the default text editing program to open and display the contents of this file. (In the majority of cases, this will be Notepad.)

When installing itself, the worm creates files named "winshost.exe" and "wiwshost.exe" in the Windows system directory:

  • %System%\winshost.exe
  • %System%\wiwshost.exe

It then creates the following values in the system registry, ensuring that a copy of the worm will be launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%System%\winshost.exe"
Propagation

This version of Bagle is unable to self-replicate. It arrives as an attachment to infected messages which were mass mailed using spamming technologies. Infected messages have an empty subject field and an empty message body.

Payload

The worm alters the %System%\drivers\etc\hosts file so that users of the infected machine will be unable to access the following sites:

127.0.0.1 localhost
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 ftp.kasperskylab.ru
127.0.0.1 ftp.avp.ch
127.0.0.1 www.kaspersky.ru
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 updates4.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates5.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com/updates
127.0.0.1 downloads1.kaspersky-labs.com/updates
127.0.0.1 www3.ca.com
127.0.0.1 ids.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-us2.kaspersky-labs.com
127.0.0.1 downloads-us3.kaspersky-labs.com
127.0.0.1 ftp.downloads2.kaspersky-labs.com

The worm also deletes the following system registry keys. This means that antivirus solutions will not automatically be launched when Windows is rebooted. 

[HKLM\SOFTWARE\Agnitum]
[HKLM\SOFTWARE\KasperskyLab]
[HKLM\SOFTWARE\McAfee]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_cc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avg7_emc]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAV50]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client]
[HKLM\SOFTWARE\Panda Software]
[HKLM\SOFTWARE\Symantec]
[HKLM\SOFTWARE\Zone Labs]

It also deletes processes which contain the following text strings in their names:

Ahnlab task Scheduler
alerter
AlertManger
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
AVPCC
avpcc
AVPUPD.EXE
AVUPDService
AVWUPD32.EXE
AvxIni
AVXQUAR.EXE
awhost32
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
CFIAUDIT.EXE
DefWatch
DRWEBUPW.EXE
dvpapi
dvpinit
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
fsbwsys
FSDFWD
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
ICSSUPPNT.EXE
ICSUPP95.EXE
KAVMonitorService
kavsvc
KLBLMain
LUALL.EXE
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
MCUPDATE.EXE
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
NUPGRADE.EXE
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OUTPOST.EXE
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
Plug-in
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SAVScan
SBService
schscnt
sharedaccess
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
UPDATE.EXE
UPGRADER.EXE
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus
vsmon
wscsvc
wuauserv
XCOMM

Check out if we have free removal tool for this virus


CyberScrub AntiVirus provides state of the art security protection for five years- at one low price. Our award winning technology ensures protection against viruses, worms and trojans backed by top customer support and value.
 
Five Year Cost Comparison
Product Initial Cost Yearly Subscription X Four Years Total
Norton 2004 AntiVirus $49.95* $29.95 $119.80 $169.75
McAfee VirusScan $49.95* $19.95 $79.80 $129.75
CyberScrub AntiVirus $49.95 Included No Additional Cost $49.95
*All prices MSRP as published on respective sites.



It is only a matter of time before a virus, worm or Trojan horse wrecks havoc on your important data. Important files, records, family pictures- all at risk. Some dangerous programs can even ruin your hard drive beyond repair.

CyberScrub AntiVirus offers the most effective protection from all known and unknown viruses.

CyberScrub AntiVirus is powered by a unique integrated technology for virus detection, based on principles of multi-generation heuristic analysis. This allows the program to protect you from suspect “viral behavior”. This highly effective methodology repelled all attacks of each “I LOVEYOU’ viral variation without any additional antivirus database updates. No other technology, including Norton, Trend, or McAfee was able to accomplish this.

CyberScrub AntiVirus is powerful, yet its exceptional ease of use and installation make it acceptable for beginner to pro


CyberScrub Antivirus constantly scans your hard drive and files to identify, clean and destroy infected objects. With updates available every three hours, 24 hours a day, 365 days a year, you can count on CyberScrub to protect your valued data.

CyberScrub AntiVirus
Lifetime Edition

"For the Life of Your Computer"
Save $10 Now!
Limited Time

 

Email-Worm.Win32.Bagle.bj

Symantec Warns Of Flaw In Antivirus Program. More>>

CNN Legend Lynne Russell reports on CyberScrub AntiVirus for Tech Headline News.


















 
 

delete,deletion, file deletion, Internet clean up,privacy, HIPAA, Internet privacy, cookies, erase, erasure, shredder, wipe, overwrite, purge, deletion, security, file wipe, data destruction