TR/Bagle.trash (AntiVir) !!

 

오늘 아침에 받는 메일링에 Bagle.trash 라는것에 감염 되는것을 많이 봤다.
그중 국내 유입 되어있는 사이트 몇개 봤는데 바이러스 토탈에서 걸려 주는 업체는 몇 없는거 같다.
아니 안티버 하나 뿐이다. 베이글이라는 샘플은 많이 봐왔지만 이번 것은 처음 보는 샘플 이었다.
샘플을 봐주신 처리님은 원본 샘플이 있어야 좀 더 자세히 알수 있을거라 했다. 그래도 신고는 해놨으니 진단명이 기대가 된다 !! 어떤식으로 하는지는 나도 구체적으로 알 수 없지만 나쁜 짓을 하는건 맞는거 같다 !! 다른 분께도 네이트온으로 도움을 청해 봐야겠다 !!

샘플 전송 : 안철수연구소 , 이스트 소프트 !!


[국내 감염 사이트]

http://xxxuang.co.kr/images/mxd.jpg
http://www.xxxcson.co.kr/images/mxd.jpg
http://www.xxxcson.co.kr/images/mea/dc.jpg
http://xx09.net/images/mxd.jpg
http://eudxxxing.mireene.com/images/mxd.jpg


[FortiGuard Center]

Alias/es	Email-Worm.Win32.Bagle.hw, WORM_BAGLE.IE, W32/Mitglieder.VY, Win32.Bagle.HW@mm
Release Date	Feb 13, 2007
Detection Availability	Active Database Extended Database FortiGate lowhigh FortiClient FortiMail N/A Current Antivirus Definition Database Version
Description	Visible Symptoms The following folders exist: C:\Documents and Settings\{UserName}\Application Data\m C:\Documents and Settings\{UserName}\Application Data\m\shared The following files exist: C:\Documents and Settings\{UserName}\Application Data\m\srvlist.oct C:\Documents and Settings\{UserName}\Application Data\m\data.oct C:\Documents and Settings\{UserName}\Application Data\m\list.oct C:\Documents and Settings\{UserName}\Application Data\m\flec006.exe Several ZIP files in exist in the C:\Documents and Settings\{UserName}\Application Data\m\shared  folder. Detailed Analysis Creates the following folders: C:\Documents and Settings\{UserName}\Application Data\m C:\Documents and Settings\{UserName}\Application Data\m\shared Searches for a process whose name contains the string flec006.exe, and attempts to terminate it. Copies itself to C:\Documents and Settings\{UserName}\Application Data\m\flec006.exe  and executes it with the parameter -upd. Adds the following registry: key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value: mule_st_key data: "C:\Documents and Settings\{UserName}\Application Data\m\flec006.exe" key: HKCU\Software\MuleAppData value: ListTime data: {Date of today such as 6} key: HKCU\Software\MuleAppData value: FileTime data: {Date of today such as 6} key: HKCU\Software\MuleAppData value: ServerTime data: {Date of today such as 6} Attempts to download a file from any of the following URLs: http://www.disco{REMOVED}.com/1/servernames.php http://dev{REMOVED}.com/img/servernames.php http://cam{REMOVED}.com.br/1/servernames.php http://www.in{REMOVED}.gr/1/servernames.php The downloaded file is saved as C:\Documents and Settings\{UserName}\Application Data\m\srvlist.oct. This file contains predefined eMule server addresses and ports. Attempts to download a file from any of the following URLs: http://www.disco{REMOVED}.com/1/mxd.jpg http://www.pop{REMOVED}.nl/mxd.jpg http://port{REMOVED}.com/mxd.jpg The downloaded file is saved as C:\Documents and Settings\{UserName}\Application Data\m\data.oct. This file is detected as W32/Beagle.HW@mm. Attempts to download a file from any of the following URLs: http://www.disco{REMOVED}.com/1/filenames.php http://dev{REMOVED}.com/img/filenames.php http://cam{REMOVED}.com.br/1/filenames.php http://www.in{REMOVED}.gr/1/filenames.php The downloaded file is saved as C:\Documents and Settings\{UserName}\Application Data\m\list.oct. Generates several ZIP files with the names found in srvlist.oct. The ZIP file contains the following files: patch.nfo: a text file containing the string www.{RANDOM NUMBER}.com. a copy of data.oct, but with random overlay data. Sets up an eMule server for virus sharing.

[바이러스 토탈]

검사 파일: mxd.jpg 전송 시각: 2010.07.06 01:16:56 (UTC)
안티바이러스	엔진 버전	정의 날짜	검사 결과
a-squared	5.0.0.31	2010.07.06	-
AhnLab-V3	2010.07.06.00	2010.07.05	-
AntiVir	8.2.4.2	2010.07.05	TR/Bagle.trash
Antiy-AVL	2.0.3.7	2010.07.02	-
Authentium	5.2.0.5	2010.07.05	-
Avast	4.8.1351.0	2010.07.06	-
Avast5	5.0.332.0	2010.07.06	-
AVG	9.0.0.836	2010.07.05	-
BitDefender	7.2	2010.07.06	-
CAT-QuickHeal	11.00	2010.06.30	-
ClamAV	0.96.0.3-git	2010.07.05	-
Comodo	5330	2010.07.05	-
DrWeb	5.0.2.03300	2010.07.06	-
eSafe	7.0.17.0	2010.07.05	-
eTrust-Vet	36.1.7687	2010.07.05	-
F-Prot	4.6.1.107	2010.07.05	-
F-Secure	9.0.15370.0	2010.07.06	-
Fortinet	4.1.133.0	2010.07.04	-
GData	21	2010.07.06	-
Ikarus	T3.1.1.84.0	2010.07.06	-
Jiangmin	13.0.900	2010.07.03	-
Kaspersky	7.0.0.125	2010.07.06	-
McAfee	5.400.0.1158	2010.07.06	-
McAfee-GW-Edition	2010.1	2010.07.05	-
Microsoft	1.5902	2010.07.03	-
NOD32	5253	2010.07.05	-
Norman	6.05.10	2010.07.05	-
nProtect	2010-07-05.01	2010.07.05	-
Panda	10.0.2.7	2010.07.06	-
PCTools	7.0.3.5	2010.07.06	-
Prevx	3.0	2010.07.06	-
Rising	22.55.00.04	2010.07.05	-
Sophos	4.54.0	2010.07.06	-
Sunbelt	6546	2010.07.05	-
Symantec	20101.1.0.89	2010.07.06	-
TheHacker	6.5.2.1.308	2010.07.05	-
TrendMicro	9.120.0.1004	2010.07.05	-
TrendMicro-HouseCall	9.120.0.1004	2010.07.06	-
VBA32	3.12.12.5	2010.07.05	-
ViRobot	2010.6.29.3912	2010.07.05	-
VirusBuster	5.0.27.0	2010.07.05	-
추가 정보
File size: 1068036 bytes
MD5...: 39773a87aa37376dc0683385e182fe93
SHA1..: 8bce94f8a5c0d25fea3af195044e272d482f096d
SHA256: 8602c23dac1168f3b3bf7f0d1ce5afc094500599701186e6e25544742c4f742e

이스트 소프트 : 파일 자체만으론 실행이 안되고, 다른거에의해 데이터가 쓰일거 같네요.. 정확한것은 분석을 많이 해봐야할거같은데 정보가 부족해서 오래걸릴거 같습니다 . - OO 님 -

안철수 연구소 : 분석중 !!