SonicALERT
Sonicwall Signatures

Bagle.CQ
Bagle.CQ is a Worm. Worms are self-replicating malicious programs that run independently and spread across network connections without any user action. They can propagate over email, instant messaging, peer-to-peer networks, or directly over the wire by exploiting vulnerabilities. The threat a worm poses lies in its ability to replicate itself on an infected system, so that a single computer can send out hundreds or thousands of copies of the worm.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\XXX hardcore images.exe"
  • "c:\Program Files\Common Files\microsoft shared\Ahead Nero 7.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Microsoft Windows XP WinXP Crack working Keygen.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\WinAmp 6 New!.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Microsoft Office XP working Crack Keygen.exe"
  • "c:\Program Files\Common Files\microsoft shared\Microsoft Office 2003 Crack Working!.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Porno pics arhive xxx.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Opera 8 New!.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Microsoft Office XP working Crack Keygen.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Porno pics arhive xxx.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Windows Sourcecode update.doc.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\WinAmp 5 Pro Keygen Crack Update.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Windows Sourcecode update.doc.exe"
  • "c:\Program Files\Common Files\microsoft shared\WinAmp 6 New!.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Porno Screensaver.scr"
  • "c:\Program Files\Common Files\microsoft shared\WinAmp 5 Pro Keygen Crack Update.exe"
  • "c:\Program Files\Common Files\microsoft shared\Windown Longhorn Beta Leak.exe"
  • "c:\Program Files\Common Files\microsoft shared\Microsoft Office XP working Crack Keygen.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Serials.txt.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\ACDSee 9.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\WinAmp 6 New!.exe"
  • "c:\Windows\System32\windspl.exeopen"
  • "c:\Program Files\Common Files\microsoft shared\Microsoft Windows XP WinXP Crack working Keygen.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Adobe Photoshop 9 full.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Microsoft Windows XP WinXP Crack working Keygen.exe"
  • "c:\Program Files\Common Files\microsoft shared\Porno pics arhive xxx.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Windown Longhorn Beta Leak.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Microsoft Office 2003 Crack Working!.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Opera 8 New!.exe"
  • "c:\Windows\regisp32.exe"
  • "c:\Program Files\Common Files\microsoft shared\Matrix 3 Revolution English Subtitles.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Porno sex oral anal cool awesome!!.exe"
  • "c:\Program Files\Common Files\microsoft shared\Porno sex oral anal cool awesome!!.exe"
  • "c:\Program Files\Common Files\microsoft shared\Windows Sourcecode update.doc.exe"
  • "c:\Program Files\Common Files\microsoft shared\XXX hardcore images.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Windown Longhorn Beta Leak.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Ahead Nero 7.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Matrix 3 Revolution English Subtitles.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Porno sex oral anal cool awesome!!.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Matrix 3 Revolution English Subtitles.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Microsoft Office 2003 Crack Working!.exe"
  • "c:\Windows\System32\windspl.exeopenopen"
  • "c:\Program Files\Windows Media Player\Network Sharing\Ahead Nero 7.exe"
  • "c:\Program Files\Common Files\microsoft shared\Porno Screensaver.scr"
  • "c:\Program Files\Common Files\microsoft shared\Adobe Photoshop 9 full.exe"
  • "c:\Program Files\Common Files\microsoft shared\Serials.txt.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\Adobe Photoshop 9 full.exe"
  • "c:\Windows\System32\windspl.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\WinAmp 5 Pro Keygen Crack Update.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\XXX hardcore images.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Porno Screensaver.scr"
  • "c:\Program Files\Common Files\microsoft shared\Opera 8 New!.exe"
  • "c:\Program Files\Windows Media Player\Network Sharing\Serials.txt.exe"
  • "c:\Program Files\Common Files\microsoft shared\ACDSee 9.exe"
  • "c:\Program Files\Windows Sidebar\Shared Gadgets\ACDSee 9.exe"

Process Related Changes
It creates the following mutex(es):
  • "bagla_super_downloader_1000"
  • "_-oOaxX|- S - k - y - N - e - t -|XxKOo-_"
  • "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D"
  • "IESQMMUTEX_0_208"
  • "AdmSkynetJklS003"
  • "smtp_bagla_1000"
  • "'D'r'o'p'p'e'd'S'k'y'N'e't'"
  • "____--->>>>U<<<<--____"
  • "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"
  • "[SkyNet.cz]SystemsMutex"

It creates the following process(es):
  • C:\Windows\system32\windspl.exe
  • C:\Windows\regisp32.exe

Network Activity
It attempts to connect to the following remote servers:
  • noshit.fateback.com:80 (198.23xxxxxx)
  • 209.16xxxxxx:80
  • prodx-proxy-746048238.us-east-1.elb.amazonaws.com:80 (23.21.xxxxxx)
  • prodx-proxy-746048238.us-east-1.elb.amazonaws.com:443 (23.21.xxxxxx)
  • ijj.t235.com:80 (82.98.xxxxxx)
  • prodx-proxy-746048238.us-east-1.elb.amazonaws.com:443 (54.235.xxxxxx)
  • myphotokool.t235.com:80 (82.98.xxxxxx)
  • 8.8xxxxxx:53

We observed the following DNS query/queries:
  • mail3.edvz.uni-linz.ac.at
  • myphotokool.t235.com
  • abcmail2.abc.org
  • mail.fabrikam.com
  • mail.adatum.com
  • mail.alumni.caltech.edu
  • mail.perth.ddd.com
  • noshit.fateback.com
  • mx.dpoczta.pl
  • mail.example.es
  • mail-in5.apple.com
  • dva.hr
  • fltr-in2.mail.dreamhost.com
  • mta.teaser.net
  • msmtp.leonet.it
  • aspmx.l.google.com
  • mailin-01.mx.aol.com
  • dook.zoo.by
  • debut.zoo.com
  • cdata.tvnet.hu
  • ijj.t35.com
  • fmx.freemail.hu
  • unicode.org
  • ijj.t235.com
  • ma-01.vlada.hr
  • mail.global.frontbridge.com

The sample sends spam e-mail to a number of destinations.

Registry Related Changes
It makes the following registry modification so that it is run again after a system reboot:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dsplobjects = C:\Windows\system32\windspl.exe

Relevant Information