Bagle.CF - New variant uses "Taxes" theme

#1 harrywaldron (Security Reporter, Members; Roanoke, Virginia)

Posted 12 August 2005 - 05:27 AM

This new variant uses a theme of "increases in taxes" in its social engineering approach. F-Secure ranks this as 2 of 3 (Medium Risk)

Bagle.CF - New variant uses "Taxes" theme (medium at F-Secure)
http://www.f-secure.com/v-descs/bagle_cf.shtml
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=43331
http://www.sarc.com/avcenter/venc/data/w32.beagle.ce@mm.html

F-Secure - Weblog Discussion (several new variants)
http://www.f-secure.com/weblog/

Another new Bagle variant, Bagle.CF, was found on August 11th, 2005. This variant is very similar to the previous variant, Bagle.BY. Bagle.CF comes inside a RAR archive containing the file 'Taxes.exe'. The name of the RAR archive can vary, but is somehow tax-related, for example 'Increase_in_the_tax.rar'. Instead of a picture icon, Bagle.CF uses a text file icon.


E-mail Format

From:  <spoofed>

Subject: Blank

Message Body: Blank

Attachment name is selected from the following list:

Taxes.zip
The_taxation.zip
The_reporting_of_taxes.zip
Work and taxes.zip
Increase_in_the_tax.zip
To_reduce_the_tax.zip

The ZIP attachment contains:
Taxes.exe




#2 Leurgy (Voted most likely, Members; Collingwood, Ontario, Canada)

Posted 12 August 2005 - 11:01 AM

That's interesting. I got that one this morning if anyone wants it.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 Papakid (Guru at being a Newbie, Malware Response Team)

Posted 12 August 2005 - 05:27 PM

Got one yesterday and two so far today.

Also interesting is I use two email addresses from my ISP and the third one was addressed to the main one I use where the first was to my mother's. And the spoofed From address actually takes the name of the address it's being sent to.

For example I'll make up some addresses. Say the first is JohnDoe3 at domain name. And the second is JaneDoe90 at domain name. The From address that I'm getting for the first email address I use is John, and the From for the second address is Jane. Or it may be JohnDoe and JaneDoe--I mix numbers into a nonexistent name in my actual addresses for security reasons so it may be that it's just stripping out the numbers.

How bout you Leurgy? You seeing the same thing?

The thing about people

is they change

when they walk away.--Mipso


#4 Leurgy (Voted most likely, Members; Collingwood, Ontario, Canada)

Posted 12 August 2005 - 05:42 PM

Exactly the same. One of my primary email addresses is, say, joeblowc554 at domain name. The virus came from joeblow at whiskey.ru. Makes it pretty obvious that it's suspicious as I don't often send email to myself except for test purposes.



#5 KoanYorel (Bleepin' Conundrum, Members; 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 12 August 2005 - 05:48 PM

I also received a similar Bagle.CF e-mail this a.m.

The sending addee is also exactly as you describe PK, a stripped version of my legit addy "@163.com"

Untitled with "To_reduce_the_tax.rar" attachment.

My ISP had marked the e-mail as Spam.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#6 Hyle (Members)

Posted 14 August 2005 - 11:03 PM

Trend report
=====================================================
WORM_BAGLE.CG

File type: PE

Memory resident: Yes

Size of malware: Varies

Initial samples received on: Aug 12, 2005

Related to: TROJ_BAGLE.BI


--------------------------------------------------------------------------------

Payload 1: Deletes a registry entry

Trigger condition 1: System date is later than April 12, 2008


--------------------------------------------------------------------------------

Payload 2: Prevents NETSKY variants from running on the affected machine

Trigger condition 1: Upon execution


--------------------------------------------------------------------------------

Payload 3: Downloads files

Trigger condition 1: Upon execution


--------------------------------------------------------------------------------



--------------------------------------------------------------------------------

Details:



Installation and Registry Modification

This memory-resident worm usually arrives on a system as a downloaded file of another malware, such as TROJ_BAGLE.BI.

Upon execution, it drops a copy of itself in the Windows system folder as the file SVC23.EXE. It then creates the following registry keys and entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

Since this worm fails to add a proper autostart entry on the affected system's registry, it does not automatically execute whenever the system is restarted.

Mass-mailing Routine

Like other BAGLE variants, this memory-resident worm utilizes a Trojan downloader to propagate. It uses its own SMTP engine to mass-mail copies of TROJ_BAGLE.BI to target recipients, while the said Trojan, in turn, downloads a copy of this worm into affected systems.

The email message it sends out contains the following details:

From: {spoofed}

Subject: {blank}

Message body: (any of the following)
Password:
The password is

Attachment: (a copy of the Trojan using any of the following file names, followed by a .RAR or a .ZIP extension)
Increase_in_the_tax
Taxes
The_reporting_of_taxes
The_taxation
To_reduce_the_tax
Work and taxes

(Note: The archive file contains an executable file named TAXES.EXE, which is a copy of TROJ_BAGLE.BI.)

Notably, the Trojan attachment uses file names related to taxes as a timely social engineering technique, since the deadline for filing of taxes in the United States is extended until August 15, 2005.

However, it avoids sending email messages to addresses that contain any of the following strings:

@avp.
@derewrdgrs
@eerswqe
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
linux
listserv
nobody@
noone@
ntivi
panda
rating@
samples
sopho
support
update
winrar
winzip

Registry Deletion

This worm deletes entries associated with antivirus and security applications from the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n


The following are the registry entries it deletes from the abovementioned keys:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex

File Download

This worm attempts to download the file RE_FILE.EXE from the following Web sites:

http://lo{BLOCKED}a2/s1.php
http://lo{BLOCKED}a2/s3.php
It also attempts to download the file EML.EXE from the following URLs:

http://ame{BLOCKED}kansk-bulldog.dk/images/web.php
http://car{BLOCKED}oodcontracting.com/2/web.php
http://cli{BLOCKED}hare.com/images/web.php
http://cpt{BLOCKED}.com/2/web.php
http://cre{BLOCKED}ionesartisticasandaluza...bovedas/web.php
http://dgg{BLOCKED}phicsonline.com/images/web.php
http://dir{BLOCKED}teenhuis.nl/images/web.php
http://doe{BLOCKED}er-torbau.de/images/web.php
http://dor{BLOCKED}vis.com/images/web.php
http://dow{BLOCKED}iththesickness.com/images/web.php
http://dre{BLOCKED}decor.com.pl/images/web.php
http://dun{BLOCKED}ec.zakliczyn.pnth.net/dunajec/web.php
http://eks{BLOCKED}ine.com/images/web.php
http://ess{BLOCKED}line.us/images/web.php
http://eve{BLOCKED}peopleforyou.com/help/web.php
http://fal{BLOCKED}nframingco.com/images/web.php
http://fam{BLOCKED}iasmaltratadas.com/images/web.php
http://fib{BLOCKED}design.co.uk/images/web.php
http://fib{BLOCKED}feed.com/images/web.php
http://fin{BLOCKED}ngmodels.net/images/web.php
http://fpc{BLOCKED}.org/images/web.php
http://fye{BLOCKED}.com/lyra/web.php
http://gam{BLOCKED}py.cz/images/web.php
http://gol{BLOCKED}mira.com/test/web.php
http://got{BLOCKED}mk.ua/images/web.php
http://lig{BLOCKED}ichangueras.cl/images/web.php
http://phd{BLOCKED}mark.dk/images/web.php
http://rep{BLOCKED}sentacion4380.net/images/web.php

However, these Web sites are already inaccessible as of this writing.

NETSKY Retaliation

Similar to earlier BAGLE variants, this worm also prevents the execution of NETSKY worm variants on the affected system by creating the following mutexes:

'D'r'o'p'p'e'd'S'k'y'N'e't'
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
____--->>>>U<<<<--____
AdmSkynetJklS003
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

Other Details

If the system date is later than April 12, 2008, this worm attempts to delete the following registry entry before terminating itself:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr2 = "%System%\svc23.exe"

It runs on Windows 98, ME, NT, 2000, and XP.




Analysis By: Alvin Jethro Calderon Bacani

Revision History:
First pattern file version: 2.777.00
First pattern file release date: Aug 12, 2005




=====================================================


My computer is affected by the taxes file I received on 12 August, but this one is different.
It created a file named winshost.exe in "c:\windows\system32\"

and changed the registry keys
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_USER\**********\Software\Microsoft\Windows\CurrentVersion\Run"
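As an added example (not code from this thread or from any vendor write-up), the following Python script turns the indicators quoted above into an offline triage check: it scores a mail against the blank-subject, blank-body, tax-themed .zip/.rar attachment pattern from the first post, applies the spoofed-From behaviour Papakid and Leurgy describe, and scans a text registry export for the mis-spelled Ru1n key and the erthgdr2 = svc23.exe value from the Trend description. The From-mirrors-To test is a heuristic assumption (prefix match after stripping digits from the recipient's local part), since the posts show the spoofing is not one exact rule; the sample message and .reg text are constructed.

```python
"""Offline triage for the tax-themed Bagle mailings discussed in this thread.

Added example; not code from the thread or from any vendor write-up.
Sample inputs are constructed. Two checks:

  score_message()   flags a mail matching the pattern the posters describe:
                    blank subject and body, a tax-themed .zip/.rar attachment,
                    and a spoofed From whose local part looks like the
                    recipient's own local part with the digits removed
                    (prefix match; an assumption, not a documented rule).
  scan_reg_export() flags the mis-spelled "...\\CurrentVersion\\Ru1n" key and
                    the erthgdr2 = svc23.exe value in a text .reg export.
"""
import re

# Attachment base names listed in the thread; matched case-insensitively.
TAX_NAMES = {
    "taxes", "the_taxation", "the_reporting_of_taxes",
    "work and taxes", "increase_in_the_tax", "to_reduce_the_tax",
}
ARCHIVE_EXTS = {".zip", ".rar"}


def split_attachment(name):
    """'To_reduce_the_tax.RAR' -> ('To_reduce_the_tax', '.rar')."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return base, "." + ext.lower()


def local_part(addr):
    """Lower-cased local part: 'JohnDoe3@example.net' -> 'johndoe3'."""
    return addr.split("@", 1)[0].strip().lower()


def from_mirrors_to(from_addr, to_addr):
    """Heuristic (assumption): the spoofed From local part is a prefix of the
    recipient's local part once digits are removed. Require at least four
    characters so that very short local parts do not match by chance."""
    f = local_part(from_addr)
    stripped = re.sub(r"\d+", "", local_part(to_addr))
    return len(f) >= 4 and stripped.startswith(f)


def score_message(msg):
    """msg: dict with from, to, subject, body, attachments (list of file names).
    Returns the list of indicators that matched, in a fixed order."""
    hits = []
    for name in msg.get("attachments", []):
        base, ext = split_attachment(name)
        if ext in ARCHIVE_EXTS and base.lower() in TAX_NAMES:
            hits.append("tax-themed archive attachment: " + name)
    if not msg.get("subject", "").strip():
        hits.append("blank subject")
    if not msg.get("body", "").strip():
        hits.append("blank body")
    if from_mirrors_to(msg.get("from", ""), msg.get("to", "")):
        hits.append("From local part mirrors recipient with digits stripped")
    return hits


# Registry indicators from the Trend write-up quoted in this post.
RU1N_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*\\CurrentVersion\\Ru1n$", re.I)
SVC23_VALUE_RE = re.compile(r'^"erthgdr2"="(.*svc23\.exe)"$', re.I)


def scan_reg_export(text):
    """Walk a .reg export line by line and return (indicator, location) pairs."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if RU1N_KEY_RE.match(current_key):
                findings.append(("misspelled Ru1n autostart key", current_key))
            continue
        if current_key and SVC23_VALUE_RE.match(line):
            findings.append(("svc23.exe autostart value", current_key + "\\erthgdr2"))
    return findings


# Constructed sample data, modelled on what the posters report.
SAMPLE_MSG = {
    "from": "joeblow@whiskey.example",
    "to": "joeblowc554@mail.example",
    "subject": "",
    "body": "",
    "attachments": ["To_reduce_the_tax.rar"],
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr2"="C:\\WINDOWS\\System32\\svc23.exe"
"""

if __name__ == "__main__":
    for hit in score_message(SAMPLE_MSG):
        print("mail:", hit)
    for what, where in scan_reg_export(SAMPLE_REG):
        print("registry:", what, "at", where)
```

Run it against a real export with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n out.reg` (a key that should not exist on a clean system) or feed it the whole CurrentVersion subtree; a Ru1n hit alone is already a strong indicator, because no legitimate software writes to that mis-spelled key.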

#7 Papakid (Guru at being a Newbie, Malware Response Team)

Posted 14 August 2005 - 11:51 PM

Well, you probably got a different variant. If you check out the blog page Harry linked to last you'll see this quote:

Two certain things in life: Bagle and taxes

Series of Bagle variants has been released over the last 16 hours. We detect them as Email-Worm.Win32.Bagle.cb, .cc, .cd, .ce, .cf, .cg and .ch.

These are minor variants of each other, sending emails with attachments related to Taxation, such as The_reporting_of_taxes.zip or To_reduce_the_tax.zip. Once again, these archives contain executable files with misleading icons.

You've reproduced a description that Trend calls .cg. Probably yours is .cb, .cc, .cd, or some other that is slightly different from the rest.

Of the three infected attachments I received, all were different variants, according to Kaspersky.

The_taxation.zip - Infected - Email-Worm.Win32.Bagle.cj
To_reduce_the_tax.zip - Infected - Email-Worm.Win32.Bagle.bq
To_reduce_the_tax.zip - Infected - Email-Worm.Win32.Bagle.cc

And just to remind everyone--always use security best practices when you receive an attachment. If you don't expect an attachment, even if it's from someone you know, don't fall for the social engineering and let your curiosity get the better of you. Don't open the zip files and in this case the Taxes.exe file inside it. Just delete it.

Hyle, are you still infected? Do you need help getting rid of it?



#8 Hyle (Members)

Posted 15 August 2005 - 04:35 AM

Thanks, PK
I have deleted it
