BorlandForum
Free Board
A place to share stories about everyday life.
[8509] [Level 3: Hazardous] Win32.Worm.Bagle.b.11264
mycom [pcaccent]    9266 views    2004-02-18 09:32
Symantec has rated Win32.Worm.Bagle.b.11264 at level 3. It seems to be quite dangerous. On the morning of the 18th, AhnLab and Hauri released emergency updates. Please update all the AV you are currently using.

The following is the Bagle worm information.

[Level 3: Hazardous] Win32.Worm.Bagle.b.11264

General characteristics
  Type: Worm, backdoor
  Alias: I-Worm.Bagle.b, W32/Alua@mm, W32/Tanx.A-mm, W32/Yourid.A.Worm,
         Win32.HLLM.Strato.16896, WORM_BAGLE.B, I-Worm.Win32.Bagle.11264
  Spreading mechanism: Email, network
  Email characteristics:
                        Subject: ID [variable]... thanks
                        Body:
                          Yours ID [variable]
                          --
                          Thank
                        Attachment: Variable
  Destructivity: Medium
  Payload: Backdoor functionality
  Detected by virus detection files published: Feb 17 2004
  Virus characteristics first published: 17 Feb 2004 14:39 (CET)
  Virus characteristics latest update: 17 Feb 2004 19:57 (CET)
 
Additional description of malicious program
Type :
  This is an email worm in the Bagle family and closely related to the Mitglied
  backdoor/worm family. It has a timeout function, and will stop spreading Feb
  25th 2004.

  The file is compressed with UPX, file size 11264 bytes.

Spreading mechanism :
  When executed, this worm will first check whether the current date is later than Feb.
  25th 2004. If it is, it just quits and does nothing.

  If the date is earlier or equal, it copies itself to the Windows system directory
  using the name AU.EXE, and installs itself in the registry to be run from startup.

  After this it will normally invoke the sound recorder application SNDREC32.EXE,
  however this will not happen if the worm starts as result of an update process
  or if it is started from the System directory.

  It harvests email addresses from *.wab, *.htm, *.html and *.txt files found on
  the local hard drives and uses these when composing emails.

  The worm creates the following registry entries:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run au.exe = [SYSTEM]\au.exe

  HKCU\Software\Windows2000 gid=[random number]
  HKCU\Software\Windows2000 frn=1

  Every 10000th second (every 2.7 hr) it will attempt to contact the web sites
  below, with the port number listened on and the infected user's ID number as parameters.

  http://www.47df.de/wbboard/1.php
  http://www.strato.de/1.php
  http://intern.games-ring.de/1.php
  http://www.strato.de/2.php

Destructivity and Payload :
  The worm installs a listener on port 8866, and will allow a hacker to upload
  and execute a file through this port.

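As an added defender-side example (not part of the forum post or of the vendor write-up quoted in it), the Python below turns the indicators above into a host and mail triage check: it scans a constructed registry export for the Run-key persistence entry and the Windows2000 marker values, scans constructed netstat output for a listener on port 8866, matches the subject/body template of the worm's mail, and mirrors the Feb 25th 2004 timeout. The tab-separated registry line format, the netstat column layout and the C:\WINDOWS\system32 path standing in for [SYSTEM] are assumptions made here, and all sample input is constructed rather than captured from a real host.

```python
"""Triage checks built from the Bagle.b indicators quoted above.

Added example; not code from the forum post or from any AV vendor. Input
formats are assumed here: registry lines are 'key<TAB>value-name<TAB>data',
netstat lines follow the 'TCP local remote STATE' layout.
"""
import re
from datetime import date

# Indicators transcribed from the advisory text.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Software\Windows2000"
MARKER_VALUES = {"gid", "frn"}
BACKDOOR_PORT = 8866
KILL_DATE = date(2004, 2, 25)  # the worm quits if the current date is later
SUBJECT_RE = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)


def worm_active_on(today):
    """Mirror the advisory's timeout: it spreads only up to and including the kill date."""
    return today <= KILL_DATE


def check_registry(lines):
    """Flag the Run-key persistence entry and the Windows2000 marker values."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # assumed format: key, value name, data
        key, name, data = parts
        if key.lower() == RUN_KEY.lower() and data.lower().endswith("\\au.exe"):
            findings.append(f"persistence: {key} {name} = {data}")
        elif key.lower() == MARKER_KEY.lower() and name.lower() in MARKER_VALUES:
            findings.append(f"marker: {key} {name} = {data}")
    return findings


def check_listeners(lines):
    """Flag a TCP listener on the backdoor port in netstat-style output."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        try:
            port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port == BACKDOOR_PORT:
            findings.append(f"backdoor listener: {parts[1]}")
    return findings


def email_matches(subject, body):
    """Match the subject/body template the advisory gives for the worm's mail."""
    if not SUBJECT_RE.match(subject.strip()):
        return False
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    return (len(lines) == 3 and lines[0].startswith("Yours ID ")
            and lines[1] == "--" and lines[2] == "Thank")


def triage(registry_lines, netstat_lines):
    """Combine the host-side checks into one list of findings."""
    return check_registry(registry_lines) + check_listeners(netstat_lines)


# Constructed sample input (not captured from a real host).
SAMPLE_REGISTRY = [
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tau.exe\tC:\\WINDOWS\\system32\\au.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tctfmon.exe\tC:\\WINDOWS\\system32\\ctfmon.exe",
    "HKCU\\Software\\Windows2000\tgid\t734211",
    "HKCU\\Software\\Windows2000\tfrn\t1",
]
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
    "TCP    0.0.0.0:8866    0.0.0.0:0    LISTENING",
    "TCP    10.0.0.5:1048   10.0.0.9:80  ESTABLISHED",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY, SAMPLE_NETSTAT):
        print(finding)
    print("mail template match:",
          email_matches("ID 734211... thanks", "Yours ID 734211\n--\nThank"))
```

The checks are deliberately narrow: the Run-key test keys on the `au.exe` file name the advisory gives, so a value under a different name is not flagged, and the mail match requires both the subject and the three-line body, which keeps ordinary mail with "thanks" in the subject from tripping it.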
Copyright © 1999-2015, borlandforum.com. All right reserved.