posted by Kwan's 2010. 7. 6. 12:21

 

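This morning, on a mailing list I receive, I saw a lot of infections with something called Bagle.trash.
I looked at a few of the affected sites that are hosted in Korea, and it seems hardly any vendors on VirusTotal detect it.
Actually, AntiVir is the only one. I have seen plenty of Bagle samples, but this was one I had never seen before.
처리 (Cheori), who looked at the sample for me, said the original sample would be needed to find out more. Still, I have reported it, so I am looking forward to seeing the detection name !! I can't tell specifically how it works either, but it does seem to be doing something bad !! I should ask someone else for help over NateOn too !!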

Sample submitted to: AhnLab, ESTsoft !!


[Infected sites in Korea]

http://xxxuang.co.kr/images/mxd.jpg
http://www.xxxcson.co.kr/images/mxd.jpg
http://www.xxxcson.co.kr/images/mea/dc.jpg
http://xx09.net/images/mxd.jpg
http://eudxxxing.mireene.com/images/mxd.jpg


[FortiGuard Center]

Alias/es: Email-Worm.Win32.Bagle.hw, WORM_BAGLE.IE, W32/Mitglieder.VY, Win32.Bagle.HW@mm
Release Date: Feb 13, 2007
Detection Availability
Active Database Extended Database
FortiGate lowhigh
FortiClient
FortiMail N/A
Current Antivirus Definition Database Version
Description

Visible Symptoms

  • The following folders exist:
    • C:\Documents and Settings\{UserName}\Application Data\m
    • C:\Documents and Settings\{UserName}\Application Data\m\shared
  • The following files exist:
    • C:\Documents and Settings\{UserName}\Application Data\m\srvlist.oct
    • C:\Documents and Settings\{UserName}\Application Data\m\data.oct
    • C:\Documents and Settings\{UserName}\Application Data\m\list.oct
    • C:\Documents and Settings\{UserName}\Application Data\m\flec006.exe
  • Several ZIP files exist in the C:\Documents and Settings\{UserName}\Application Data\m\shared folder.

Detailed Analysis

  • Creates the following folders:
    • C:\Documents and Settings\{UserName}\Application Data\m
    • C:\Documents and Settings\{UserName}\Application Data\m\shared
  • Searches for a process whose name contains the string flec006.exe, and attempts to terminate it.

  • Copies itself to C:\Documents and Settings\{UserName}\Application Data\m\flec006.exe and executes it with the parameter -upd.

  • Adds the following registry entries:
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      value: mule_st_key
      data: "C:\Documents and Settings\{UserName}\Application Data\m\flec006.exe"
    • key: HKCU\Software\MuleAppData
      value: ListTime
      data: {Date of today such as 6}
    • key: HKCU\Software\MuleAppData
      value: FileTime
      data: {Date of today such as 6}
    • key: HKCU\Software\MuleAppData
      value: ServerTime
      data: {Date of today such as 6}
  • Attempts to download a file from any of the following URLs:
    • http://www.disco{REMOVED}.com/1/servernames.php
    • http://dev{REMOVED}.com/img/servernames.php
    • http://cam{REMOVED}.com.br/1/servernames.php
    • http://www.in{REMOVED}.gr/1/servernames.php
    The downloaded file is saved as C:\Documents and Settings\{UserName}\Application Data\m\srvlist.oct. This file contains predefined eMule server addresses and ports.

  • Attempts to download a file from any of the following URLs:
    • http://www.disco{REMOVED}.com/1/mxd.jpg
    • http://www.pop{REMOVED}.nl/mxd.jpg
    • http://port{REMOVED}.com/mxd.jpg
    The downloaded file is saved as C:\Documents and Settings\{UserName}\Application Data\m\data.oct. This file is detected as W32/Beagle.HW@mm.

  • Attempts to download a file from any of the following URLs:
    • http://www.disco{REMOVED}.com/1/filenames.php
    • http://dev{REMOVED}.com/img/filenames.php
    • http://cam{REMOVED}.com.br/1/filenames.php
    • http://www.in{REMOVED}.gr/1/filenames.php
    The downloaded file is saved as C:\Documents and Settings\{UserName}\Application Data\m\list.oct.

  • Generates several ZIP files with the names found in srvlist.oct. The ZIP file contains the following files:
    • patch.nfo: a text file containing the string www.{RANDOM NUMBER}.com.
    • a copy of data.oct, but with random overlay data.
  • Sets up an eMule server for virus sharing.
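
A host triage check built from the folders, files and registry values listed in the analysis above, as an added example that is not part of the original post or of the FortiGuard write-up. The function name, the input shapes (a list of collected paths and a dict of registry keys) and the sample data are assumptions made for illustration; the indicator strings are the ones on the page.

```python
import re

# Host indicators taken from the FortiGuard description quoted above.
BASE = r"C:\Documents and Settings\{UserName}\Application Data\m"
PATH_TEMPLATES = [BASE + s for s in (
    "", r"\shared", r"\srvlist.oct", r"\data.oct", r"\list.oct",
    r"\flec006.exe", r"\shared\*.zip")]  # *.zip: the ZIP files in "shared"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "mule_st_key"
APP_KEY = r"HKCU\Software\MuleAppData"
APP_VALUES = {"listtime", "filetime", "servertime"}

def _compile(template):
    # {UserName} and * each match one path component; Windows paths ignore case.
    rx = re.escape(template)
    for token in ("{UserName}", "*"):
        rx = rx.replace(re.escape(token), r"[^\\]+")
    return re.compile(rx + r"\\?", re.IGNORECASE)

PATH_PATTERNS = [_compile(t) for t in PATH_TEMPLATES]

def triage(paths, registry):
    """paths: path strings; registry: {key: {value name: data}} (assumed shapes)."""
    findings = set()
    for raw in paths:
        path = raw.strip().strip('"')
        if any(rx.fullmatch(path) for rx in PATH_PATTERNS):
            findings.add(("path", path))
    # Registry key and value names are case-insensitive as well.
    reg = {k.lower(): {n.lower(): d for n, d in v.items()}
           for k, v in registry.items()}
    run = reg.get(RUN_KEY.lower(), {})
    if RUN_VALUE in run:
        findings.add(("run-value", RUN_VALUE + " -> " + run[RUN_VALUE]))
    app = reg.get(APP_KEY.lower())
    if app is not None:
        seen = ", ".join(sorted(APP_VALUES & set(app)))
        findings.add(("reg-key", APP_KEY + " [" + seen + "]"))
    return sorted(findings)

# Constructed sample input (not from the page): one affected profile and a look-alike.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\m\flec006.exe",
    r"c:\documents and settings\alice\application data\m\shared\a.zip",
    r"C:\Documents and Settings\alice\Application Data\mIRC\mirc.ini",
]
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "mule_st_key": '"' + SAMPLE_PATHS[0] + '"'},
    r"HKCU\Software\MuleAppData": {"ListTime": "6", "FileTime": "6"},
}
```

Calling triage(SAMPLE_PATHS, SAMPLE_REGISTRY) reports the two matching paths, the MuleAppData key and the Run value, and skips the mIRC look-alike because each pattern must match the whole path.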

[VirusTotal]

    Scanned file: mxd.jpg  Submitted: 2010.07.06 01:16:56 (UTC)
    Antivirus | Engine version | Definition date | Result
    a-squared 5.0.0.31 2010.07.06 -
    AhnLab-V3 2010.07.06.00 2010.07.05 -
    AntiVir 8.2.4.2 2010.07.05 TR/Bagle.trash
    Antiy-AVL 2.0.3.7 2010.07.02 -
    Authentium 5.2.0.5 2010.07.05 -
    Avast 4.8.1351.0 2010.07.06 -
    Avast5 5.0.332.0 2010.07.06 -
    AVG 9.0.0.836 2010.07.05 -
    BitDefender 7.2 2010.07.06 -
    CAT-QuickHeal 11.00 2010.06.30 -
    ClamAV 0.96.0.3-git 2010.07.05 -
    Comodo 5330 2010.07.05 -
    DrWeb 5.0.2.03300 2010.07.06 -
    eSafe 7.0.17.0 2010.07.05 -
    eTrust-Vet 36.1.7687 2010.07.05 -
    F-Prot 4.6.1.107 2010.07.05 -
    F-Secure 9.0.15370.0 2010.07.06 -
    Fortinet 4.1.133.0 2010.07.04 -
    GData 21 2010.07.06 -
    Ikarus T3.1.1.84.0 2010.07.06 -
    Jiangmin 13.0.900 2010.07.03 -
    Kaspersky 7.0.0.125 2010.07.06 -
    McAfee 5.400.0.1158 2010.07.06 -
    McAfee-GW-Edition 2010.1 2010.07.05 -
    Microsoft 1.5902 2010.07.03 -
    NOD32 5253 2010.07.05 -
    Norman 6.05.10 2010.07.05 -
    nProtect 2010-07-05.01 2010.07.05 -
    Panda 10.0.2.7 2010.07.06 -
    PCTools 7.0.3.5 2010.07.06 -
    Prevx 3.0 2010.07.06 -
    Rising 22.55.00.04 2010.07.05 -
    Sophos 4.54.0 2010.07.06 -
    Sunbelt 6546 2010.07.05 -
    Symantec 20101.1.0.89 2010.07.06 -
    TheHacker 6.5.2.1.308 2010.07.05 -
    TrendMicro 9.120.0.1004 2010.07.05 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.06 -
    VBA32 3.12.12.5 2010.07.05 -
    ViRobot 2010.6.29.3912 2010.07.05 -
    VirusBuster 5.0.27.0 2010.07.05 -
     
    Additional information
    File size: 1068036 bytes
    MD5...: 39773a87aa37376dc0683385e182fe93
    SHA1..: 8bce94f8a5c0d25fea3af195044e272d482f096d
    SHA256: 8602c23dac1168f3b3bf7f0d1ce5afc094500599701186e6e25544742c4f742e


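    ESTsoft: The file can't run on its own; it looks like the data gets used by something else.. Getting an accurate answer will take a lot more analysis, and since there isn't enough information it will probably take a long time. - OO -

    AhnLab: analysis in progress !!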

    Please leave a comment

    1. hoo 2010.07.06 15:40

      So another Bagle variant has come out..
      It really is a nuisance that has been loved(?) for a long time.. ^^

      • Kwan's 2010.07.06 16:14

        It looks like a variant, but I think we would probably need the original file to make a definite call!
        All I have is the jpg~