Canon IT Solutions Inc.

Virus Information
Latest virus definition file version: 12381
(2015/10/09 17:02)

Latest virus information: Win32/Bagle.EZ
Published: 2006/02/08
Risk level of this virus: ■■■□□

Virus name: Win32/Bagle.EZ
Aliases: W32/Bagle-CL, Win32.Worm.Bagle.CL, Email-Worm.Win32.Bagle.fj, W32.Beagle.DM@mm
Detected by definition file: 1.1392 (20060202) or later
Remedy: delete the detected file
Removal tool: available [ About the removal tool ]
Risk level: Infections reported
Risk level legend (lowest to highest): Caution / Possible infection / Infections reported / Infection spreading / Serious damage spreading


Note

In the description below, the directory in which the Windows operating system is installed is written as %windir%; its actual location depends on the settings chosen at installation time. The "System" or "System32" subdirectory of %windir% is written as %system%.

Virus Description

Bagle.EZ is a typical mass-mailing e-mail worm with peer-to-peer spreading functionality
and a downloader component. The worm is runtime compressed.


Installation and Autostart Techniques

Upon execution, the worm copies itself into the System32 folder as "sysformat.exe".

The worm creates several SkyNet mutexes ("_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_") to prevent
worms of the SkyNet family from running, and uses its own mutex "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D"
to prevent multiple instances of itself from running on one machine.

The worm adds the following value to the registry to make sure that it runs every time Windows is started:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"sysformat" = "%System%\sysformat.exe"

Bagle.EZ also modifies the following registry keys:

HKCU\Software\Microsoft\Params
"FirstRun" = "1"
"Riga" = "{Random}"

and

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "4"

in order to lower the security settings of the compromised system (a start type of 4 marks the SharedAccess service, which provides Windows Firewall/Internet Connection Sharing, as disabled). It also attempts to delete
the values "My AV" and "ICQ Net" from the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm opens Notepad the first time it runs.
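The registry changes listed above are the artifacts an analyst would look for when triaging a suspected infection. The following script is an added example written for this page, not code from Canon IT Solutions or from NOD32: it parses a Windows registry export (the text format written by `regedit /e`) and reports the indicators described in this section. The export embedded in the script is constructed for the demonstration, including the `Riga` value, which the description says is random.

```python
"""Triage a Windows registry export (.reg text) for the persistence and
configuration changes attributed to Bagle.EZ in the description above.

Added example; not the vendor's code. The export text below is constructed.
"""
import re

# Indicators from the description: (key path, value name, expected data or None for "any data").
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "sysformat", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Params", "FirstRun", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Params", "Riga", None),          # random data
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", "4"),
]

# Constructed sample export (the "Riga" data and the unrelated ctfmon entry are made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysformat"="C:\\WINDOWS\\system32\\sysformat.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Params]
"FirstRun"="1"
"Riga"="3a9f1c"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''


def decode_reg_data(data):
    """Decode the two .reg data encodings used here: quoted strings (with
    backslashes doubled) and dword:XXXXXXXX (hex, returned as a decimal string)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data


def parse_reg_export(text):
    """Parse [key] headers followed by "name"=data lines into
    {key: {value_name: data}}. Key and value names are lower-cased because the
    Windows registry treats them case-insensitively."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            result.setdefault(current, {})
            continue
        value = re.match(r'^"([^"]+)"=(.*)$', line)
        if value and current is not None:
            result[current][value.group(1).lower()] = decode_reg_data(value.group(2))
    return result


def find_indicators(reg, indicators=INDICATORS):
    """Return (key, value name, data) for every indicator present in the parsed export."""
    hits = []
    for key, name, expected in indicators:
        values = reg.get(key.lower(), {})
        if name.lower() in values:
            data = values[name.lower()]
            if expected is None or data == expected:
                hits.append((key, name, data))
    return hits


def triage(export_text):
    """Convenience wrapper: parse an export and return the matching indicators."""
    return find_indicators(parse_reg_export(export_text))


if __name__ == "__main__":
    for key, name, data in triage(SAMPLE_EXPORT):
        print(f"[!] {key}\\{name} = {data}")
```

On a live system the same checks can be run against an export produced with `regedit /e` of the two hives; the `Start` value is stored as a DWORD, which is why the parser converts `dword:00000004` to `"4"` before comparing it with the description.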


Process Termination

The worm tries to terminate the following programs (mostly security software and their update components):

alogserv.exe
APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
Avconsol.exe
AVENGINE.EXE
AVPUPD.EXE
Avsynmgr.exe
AVWUPD32.EXE
AVXQUAR.EXE
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
CFIAUDIT.EXE
DefWatch.exe
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
mcagent.exe
mcshield.exe
MCUPDATE.EXE
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
NISUM.EXE
nopdb.exe
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
pavProxy.exe
pavsrv50.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
symlcsvc.exe
UPDATE.EXE
UpdaterUI.exe
Vshwin32.exe
VsStat.exe
VsTskMgr.exe


E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses from files with one of the following extensions:

.adb .asp .cfg .dbx .dhtm .eml .htm .html .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft
.php .sht .shtm .shtml .stm .tbb .txt .uin .wab .wsh .xls .xml

While scanning for these file extensions, the worm deletes files named "mysuperprog.exe"
and looks for "aaa.exe" and "bbb.exe" in order to delete "mysuperprog1.exe" and "mysuperprog2.exe".


DNS resolving

The worm performs DNS mail exchange queries (a so-called "MX lookup") to find an appropriate mail server for each domain it tries to send itself to.

If this DNS request for the mail server fails, the worm falls back to the following static DNS server: 217.5.97.137,
which is located in Germany (a t-online name server).

E-mail Sender

The worm uses spoofed sender addresses taken from the addresses collected during e-mail harvesting.

It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail subjects

Bagle.EZ randomly selects an e-mail subject out of the following list:

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message Body

The E-mail contains one of the following message texts:

Thanks for use of our software.
Before use read the help

E-mail Attachments

The worm attaches a copy of itself, either as a ZIP file or as a plain executable, under one of the following file names:

wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03

Note: The worm might also use randomly generated attachment names and text.

The worm skips e-mail addresses that contain any of the following strings:

@microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste
gold-certs@ help@ info@ nobody@ noone@ kasp admin
icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av
@messagelab winzip google winrar samples abuse panda cafee spam pgp @avp.
Noreply local root@ postmaster@

Note: The strings are case-sensitive substrings with the first letter left out, so that the match does not depend on the capitalization of that letter. For example, both 'Microsoft' and 'microsoft' match "icrosoft".

Peer-2-Peer Network Spreading

While harvesting e-mail addresses, the worm also compares directory names with the string "shar".

If a directory name contains "shar" (for instance "My Shared Folder", used by Kazaa, eDonkey etc.),
the worm places copies of itself in that folder under the following names:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Downloader Component

Bagle.EZ tries to download and run an executable file from the following web servers (the file is retrieved under a .jpg name):

http://www.cnsrvr.com/{--Removed--}q.jpg
http://www.casinofunnights.com/{--Removed--}q.jpg
http://www.ec.cox-wacotrib.com/{--Removed--}q.jpg
http://www.crazyiron.ru/{--Removed--}q.jpg
http://www.uni-esma.de/{--Removed--}q.jpg
http://www.sorisem.net/{--Removed--}q.jpg
http://www.varc.lv/{--Removed--}q.jpg
http://www.belwue.de/{--Removed--}q.jpg
http://www.thetildegroup.com/{--Removed--}q.jpg
http://www.vybercz.cz/{--Removed--}q.jpg
http://www.kyno.cz/{--Removed--}q.jpg
http://www.forumgestionvilles.com/{--Removed--}q.jpg
http://www.campus-and-more.com/{--Removed--}q.jpg
http://www.capitalforex.com/{--Removed--}q.jpg
http://www.capitalspreadspromo.com/{--Removed--}q.jpg
http://www.prineus.de/{--Removed--}q.jpg
http://www.databoots.de/{--Removed--}q.jpg
http://www.steintrade.net/{--Removed--}q.jpg
http://www.njzt.net/{--Removed--}q.jpg
http://www.emarrynet.com/{--Removed--}q.jpg
http://www.zebrachina.net/{--Removed--}q.jpg
http://www.lxlight.com/{--Removed--}q.jpg
http://www.yili-lighting.com/{--Removed--}q.jpg
http://www.fachman.com/{--Removed--}q.jpg
http://www.q-serwer.net/{--Removed--}q.jpg
http://www.wellness-i.com/{--Removed--}q.jpg
http://www.newportsystemsusa.com/{--Removed--}q.jpg
http://www.westcoastcadd.com/{--Removed--}q.jpg
http://www.wing49.cz/{--Removed--}q.jpg
http://www.posteffects.com/{--Removed--}q.jpg
http://www.provax.sk/{--Removed--}q.jpg
http://www.casinobrillen.de/{--Removed--}q.jpg
http://www.duodaydream.nl/{--Removed--}q.jpg
http://www.finlaw.ru/{--Removed--}q.jpg
http://www.fitdina.com/{--Removed--}q.jpg
http://www.flashcardplayer.com/{--Removed--}q.jpg
http://www.flox-avant.ru/{--Removed--}q.jpg
http://www.lotslink.com/{--Removed--}q.jpg
http://www.algor.com/{--Removed--}q.jpg
http://www.gaspekas.com/{--Removed--}q.jpg
http://www.ezybidz.com/{--Removed--}q.jpg
http://www.genesisfinancialonline.com/{--Removed--}q.jpg
http://www.georg-kuenzle.ch/{--Removed--}q.jpg
http://www.girardelli.com/{--Removed--}q.jpg
http://www.rodoslovia.ru/{--Removed--}q.jpg
http://www.golden-gross.ru/{--Removed--}q.jpg
http://www.gregoryolson.com/{--Removed--}q.jpg
http://www.gtechna.com/{--Removed--}q.jpg
http://www.lunardi.com/{--Removed--}q.jpg
http://www.sgmisburg.de/{--Removed--}q.jpg
http://www.harmony-farms.net/{--Removed--}q.jpg
http://www.hftmusic.com/{--Removed--}q.jpg
http://www.hiwmreport.com/{--Removed--}q.jpg
http://www.horizonimagingllc.com/{--Removed--}q.jpg
http://www.hotelbus.de/{--Removed--}q.jpg
http://www.howiwinmoney.com/{--Removed--}q.jpg
http://www.ietcn.com/{--Removed--}q.jpg
http://www.import-world.com/{--Removed--}q.jpg
http://www.houstonzoo.org/{--Removed--}q.jpg
http://www.interorient.ru/{--Removed--}q.jpg
http://www.internalcardreaders.com/{--Removed--}q.jpg
http://www.interstrom.ru/{--Removed--}q.jpg
http://www.iutoledo.org/{--Removed--}q.jpg
http://www.wena.net/{--Removed--}q.jpg
http://www.iesgrantarajal.org/{--Removed--}q.jpg
http://www.alexandriaradiology.com/{--Removed--}q.jpg
http://www.booksbyhunter.com/{--Removed--}q.jpg
http://www.wxcsxy.com/{--Removed--}q.jpg
http://www.coupdepinceau.com/{--Removed--}q.jpg
http://www.erotologist.com/{--Removed--}q.jpg
http://www.jackstitt.com/{--Removed--}q.jpg
http://www.imspress.com/{--Removed--}q.jpg
http://www.digitalefoto.net/{--Removed--}q.jpg
http://www.josemarimuro.com/{--Removed--}q.jpg
http://www.eversetic.com/{--Removed--}q.jpg
http://www.curious.be/{--Removed--}q.jpg
http://www.kameo-bijux.ru/{--Removed--}q.jpg
http://www.karrad6000.ru/{--Removed--}q.jpg
http://www.kaztransformator.kz/{--Removed--}q.jpg
http://www.keywordthief.com/{--Removed--}q.jpg


Hosts File Manipulation

It overwrites the existing hosts file with the following data, redirecting these sites to the loopback address so that the system can no longer reach them (security vendor sites, update servers and advertising networks):

127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net
127.0.0.1 banner.fastclick.net
127.0.0.1 banners.fastclick.net
127.0.0.1 ca.com
127.0.0.1 click.atdmt.com
127.0.0.1 clicks.atdmt.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.microsoft.com
127.0.0.1 downloads.microsoft.com
127.0.0.1 engine.awaps.net
127.0.0.1 fastclick.net
127.0.0.1 f-secure.com
127.0.0.1 ftp.f-secure.com
127.0.0.1 ftp.sophos.com
127.0.0.1 go.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 media.fastclick.net
127.0.0.1 msdn.microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 office.microsoft.com
127.0.0.1 phx.corporate-ir.net
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 sophos.com
127.0.0.1 spd.atdmt.com
127.0.0.1 support.microsoft.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 vil.nai.com
127.0.0.1 viruslist.ru
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.ch
127.0.0.1 www.avp.com
127.0.0.1 www.avp.ru
127.0.0.1 www.awaps.net
127.0.0.1 www.ca.com
127.0.0.1 www.fastclick.net
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.ru
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.ru
127.0.0.1 www3.ca.com
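A tampered hosts file of this kind is easy to detect because no legitimate configuration maps a security vendor's or an update server's name to the loopback address. The following script is an added example written for this page, not code from Canon IT Solutions or NOD32: it parses hosts-file text, flags every non-local name that is mapped to a loopback or unspecified address, and labels the names that belong to the vendor domains listed above. The hosts content it checks is constructed for the demonstration, with one legitimate local entry mixed in.

```python
"""Detect hosts-file entries that black-hole security vendor and update domains,
as described in the Hosts File Manipulation section above.

Added example; not the vendor's code. SAMPLE_HOSTS is constructed.
"""
import ipaddress

# Names that are legitimately mapped to loopback on a normal system.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback",
}

# Registrable domains taken from the list above (matched as exact name or subdomain).
SECURITY_DOMAINS = (
    "symantec.com", "mcafee.com", "f-secure.com", "sophos.com", "nai.com",
    "networkassociates.com", "kaspersky.ru", "avp.com", "avp.ru", "avp.ch",
    "viruslist.ru", "trendmicro.com", "ca.com", "my-etrust.com", "microsoft.com",
)

# Constructed sample: a few of the worm's entries plus one legitimate local mapping.
SAMPLE_HOSTS = """\
# constructed sample hosts file, not a real capture
127.0.0.1       localhost
192.168.1.10    fileserver          # legitimate local entry, must not be flagged
127.0.0.1       liveupdate.symantec.com
127.0.0.1       download.mcafee.com
127.0.0.1       www.f-secure.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       ad.doubleclick.net
"""


def parse_hosts(text):
    """Yield (line number, address, lower-cased name) for every name on every valid
    hosts line. Comments and malformed lines are skipped, as the resolver skips them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_blackholed(addr):
    """True for loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def matches_security_domain(name, domains=SECURITY_DOMAINS):
    """True if name is one of the vendor domains or a host beneath one of them."""
    return any(name == d or name.endswith("." + d) for d in domains)


def find_suspicious_entries(text):
    """Return (line number, name, reason) for every non-local name that resolves
    to a black-hole address; vendor/update names get a more specific reason."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if not is_blackholed(addr) or name in BENIGN_LOOPBACK_NAMES:
            continue
        if matches_security_domain(name):
            reason = "security vendor / update domain"
        else:
            reason = "non-local name mapped to loopback"
        findings.append((lineno, name, reason))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {reason}")
```

On Windows the file to read is `%system%\drivers\etc\hosts`; the generic "non-local name mapped to loopback" rule also catches the advertising domains in the list above, which the vendor-domain list alone would miss.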

NOD32 Antivirus detects this threat as of virus definition file version 1.1392 (20060202).



(C)Canon IT Solutions Inc.