W32.Bagle.B New Virus Finder and Removal Tool

At 9 o'clock on the morning of February 18, 2004, the Bkis Network Security Center received several emails with subjects such as "ID ajeearrohy ... thanks" and "ID nwchv ... thanks", each carrying an .exe attachment of about 11 KB. The Center's initial assessment was that this was a new virus that had just begun to appear in Vietnam. We immediately analyzed and disassembled the virus. By the afternoon the analysis was complete, and the Bkav497 update, which detects and removes W32.Bagle.B (see the detailed description below), was released at 18:45.

To remove the W32.Bagle.B virus, follow these steps:

1. Download Bkav version Bkav497 to a folder on your machine.

2. If you use Windows Me or XP, turn off the operating system's System Restore function; otherwise the infected file can be restored from a restore point after it has been removed.

3. If your computer has another anti-virus program such as NAV or McAfee, temporarily disable its Auto-Protect function.

4. Run Bkav497 and choose to scan all files on all drives.

5. Restart the computer.

W32.Bagle.B virus detailed description:

Bagle.B (also written BeagleB) spreads by e-mail: it automatically sends copies of itself to the e-mail addresses it finds on the infected machine.

1. The messages the virus sends out look like this:

From:

A spoofed address chosen by the virus (not the real sender).

Subject:

ID <random character string> ... thanks

Content:

Yours ID <random character string>

Thank you

Attachment:

<random character string>.exe

When written to disk, this attachment has the icon of a Windows audio file.

2. When run on a user's computer, BeagleB first checks whether the computer is already infected. If it is not, it launches Sndrec32.exe (Windows Sound Recorder) to make the attachment look like a harmless audio file, then copies itself to the operating system's system directory under the name au.exe.

3. BeagleB creates the value "au.exe" under the key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the virus is started automatically every time Windows starts.

4. The virus also adds the following values under the key

HKEY_CURRENT_USER\SOFTWARE\Windows2000

"frn" = "0x00000001" or "frn" = "0x00000000"
"gid" = "<random value>"

The random value of "gid" is used by the attacker as a number to identify the infected machine.

5. Beagle.B also acts as a backdoor: it listens on TCP port 8866 and lets the attacker upload a Trojan to the infected computer as an .exe file in the operating system's Windows directory, with a random name beginning with "bsupld". The uploaded file is then run with the parameter "-upd".

6. Every 10,000 seconds, BeagleB connects to the following websites and reports information about the infected computer, such as its IP address, the port on which it is listening, and its identification number:
www.strato.de/1.php
www.strato.de/2.php
www.47df.de/wbboard/1.php
www.intern.games-ring.de/2.php
7. The virus scans the entire hard drive and harvests e-mail addresses from files with the following extensions:

.wab
.txt
.htm
.html

BeagleB is programmed to operate only until February 25, 2004. After that date, the worm generates a file named a.bat that removes the worm from the user's computer.
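As an added illustration (not part of the Bkis advisory or of the Bkav tool), the following Python script turns two of the indicators above into checks a defender could run: a mail-gateway filter for the message template in item 1 (subject "ID ... thanks", body "Yours ID ... Thank you", one .exe attachment of roughly 11 KB), and a proxy-log scan for the beacon URLs in item 6 that flags clients whose requests recur at the 10,000-second interval. The sample messages, the proxy-log line format and the 8 to 14 KB size window are constructed assumptions; the query string the worm sends is not described in the advisory and is deliberately not guessed.

```python
import email
import re
from collections import defaultdict
from datetime import datetime
from email import policy
from email.message import EmailMessage

# ---- 1. Mail-gateway check for the Bagle.B message template ----------------
# Subject "ID <random string> ... thanks", body "Yours ID <random string> /
# Thank you", one <random string>.exe attachment of roughly 11 KB.  The From
# address is spoofed by the worm, so it is deliberately not used here.
SUBJECT_RE = re.compile(r"^ID\s+([A-Za-z0-9]+)\s*\.{3,}\s*thanks\s*$", re.IGNORECASE)
BODY_RE = re.compile(r"^\s*Yours ID\s+([A-Za-z0-9]+)\s+Thank you\s*$", re.IGNORECASE)
EXE_SIZE_RANGE = (8_000, 14_000)  # assumed window around the advisory's "about 11 KB"


def is_bagle_b_mail(raw_message: bytes) -> bool:
    """Return True if raw_message matches all three parts of the template."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if not SUBJECT_RE.match(str(msg.get("Subject", ""))):
        return False
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not BODY_RE.match(body.get_content()):
        return False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe") and EXE_SIZE_RANGE[0] <= len(payload) <= EXE_SIZE_RANGE[1]:
            return True
    return False


def build_sample(ident: str, exe_size: int) -> bytes:
    """Constructed test message in the worm's format (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = f"ID {ident} ... thanks"
    msg.set_content(f"Yours ID {ident}\n\nThank you\n")
    msg.add_attachment(b"MZ" + b"\x00" * (exe_size - 2),
                       maintype="application", subtype="octet-stream",
                       filename=f"{ident}.exe")
    return msg.as_bytes()


# ---- 2. Proxy-log scan for the beacon URLs ---------------------------------
BEACON_URLS = {
    "www.strato.de/1.php",
    "www.strato.de/2.php",
    "www.47df.de/wbboard/1.php",
    "www.intern.games-ring.de/2.php",
}
BEACON_INTERVAL = 10_000  # seconds, as stated in the advisory

# Constructed log format: "<ISO timestamp> <client IP> GET <URL>"; the query
# string (if any) is ignored because the advisory does not describe it.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+GET\s+http://([^\s?]+)")


def find_beacons(log_lines, tolerance: float = 0.05) -> dict:
    """Return {client_ip: [gap_seconds, ...]} for every client that contacted
    a beacon URL; the list holds the gaps between consecutive contacts that
    fall within `tolerance` of BEACON_INTERVAL (empty if seen only once)."""
    contacts = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) in BEACON_URLS:
            contacts[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    result = {}
    for client, times in contacts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[client] = [g for g in gaps
                          if abs(g - BEACON_INTERVAL) <= tolerance * BEACON_INTERVAL]
    return result


# Constructed sample log: 10.0.0.5 beacons exactly 10,000 s apart; 10.0.0.9
# only fetches the hosting provider's front page, which is not a beacon path.
SAMPLE_PROXY_LOG = """\
2004-02-18T09:00:00 10.0.0.5 GET http://www.strato.de/1.php
2004-02-18T09:03:12 10.0.0.7 GET http://www.example.com/index.html
2004-02-18T11:46:40 10.0.0.5 GET http://www.47df.de/wbboard/1.php
2004-02-18T14:33:20 10.0.0.5 GET http://www.intern.games-ring.de/2.php
2004-02-18T15:00:00 10.0.0.9 GET http://www.strato.de/
""".splitlines()


if __name__ == "__main__":
    print("worm mail flagged:", is_bagle_b_mail(build_sample("nwchv", 11_000)))
    print("beaconing clients:", find_beacons(SAMPLE_PROXY_LOG))
```

The mail check requires all three template elements to match, so a message that only shares the subject line (or only carries a small .exe) is not flagged; the beacon scan matches the exact host and path so that ordinary traffic to the same hosting providers is not reported.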

Analyst team: Vu Ngoc Son, Dao Van Huy, Ngo Trong Canh, Le Nhat Minh, Nguyen Minh Anh.

Download Bkav2002 (Version 497), 220 KB