Weekly Report on Viruses and Intrusions – Five Bagle and Two Netsky Worm Variants

The first variants of Bagle we’ll look at, O and N, share the following characteristics:

– They spread via e-mail in a message with variable characteristics, which contains an attachment (in the O variant the file has an icon similar to Notepad, while the N variant has a True Type font icon). Both worms can also spread via peer-to-peer file sharing applications.
– They infect and increase the size of PE files (in the case of the O variant the increase is 44KB, and with the N variant, the increase is 21KB).
– They both open a backdoor through TCP port 2556.
– They terminate processes belonging to certain programs, including some antivirus applications, firewalls and system monitoring tools. They also terminate other processes related to previous variants of the Bagle and Netsky worms.
– They will only run up until December 31, 2005 (according to the system date).
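As an added defender-side illustration (not part of the PandaLabs report), the following Python compares a file inventory against a known-clean baseline to flag PE files that grew by the amounts quoted above, and scans constructed firewall log lines for allowed TCP connections to port 2556; the file paths, sizes, hashes and the log format are all assumptions.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed baseline from a known-clean snapshot: path -> (size, sha256 of content).
BASELINE: Dict[str, Tuple[int, str]] = {
    r"C:\Tools\calc.exe": (112640, hashlib.sha256(b"clean-calc").hexdigest()),
    r"C:\Tools\edit.exe": (65536, hashlib.sha256(b"clean-edit").hexdigest()),
}
# Constructed current state: path -> (size, content). calc.exe has grown by 44KB.
CURRENT_STATE: Dict[str, Tuple[int, bytes]] = {
    r"C:\Tools\calc.exe": (112640 + 44 * 1024, b"calc-with-appended-code"),
    r"C:\Tools\edit.exe": (65536, b"clean-edit"),
}
# Growth figures from the report: Bagle.O adds about 44KB, Bagle.N about 21KB.
BAGLE_GROWTH = {"Bagle.O": 44 * 1024, "Bagle.N": 21 * 1024}
TOLERANCE = 1024  # "44KB" is a rounded figure, so allow some slack

def find_grown_pe_files(baseline, current) -> List[Tuple[str, int, List[str]]]:
    """Return (path, growth, variants within TOLERANCE) for changed files that grew."""
    hits = []
    for path, (old_size, old_hash) in baseline.items():
        if path not in current:
            continue
        new_size, new_bytes = current[path]
        if new_size <= old_size or hashlib.sha256(new_bytes).hexdigest() == old_hash:
            continue  # did not grow, or content unchanged: nothing to report
        growth = new_size - old_size
        variants = [v for v, g in BAGLE_GROWTH.items() if abs(growth - g) <= TOLERANCE]
        hits.append((path, growth, variants))
    return hits

BACKDOOR_PORT = 2556  # TCP port of the Bagle.N/O backdoor, per the report
LOG_RE = re.compile(r"proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
# Constructed firewall log lines in a made-up key=value format.
SAMPLE_LOG = [
    "proto=TCP src=10.0.0.5 dst=192.0.2.10 dport=2556 action=ALLOW",
    "proto=TCP src=10.0.0.5 dst=192.0.2.10 dport=443 action=ALLOW",
    "proto=UDP src=10.0.0.7 dst=192.0.2.10 dport=2556 action=ALLOW",
    "proto=TCP src=10.0.0.9 dst=192.0.2.11 dport=2556 action=DENY",
]

def find_backdoor_connections(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) for allowed TCP connections to BACKDOOR_PORT."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == "TCP" and int(m.group(4)) == BACKDOOR_PORT and m.group(5) == "ALLOW":
            hits.append((m.group(2), m.group(3)))
    return hits
```

A size-only match is a weak signal on its own, which is why the inventory check also requires the content hash to have changed.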

The main features that differentiate these variants of Bagle are:

– Bagle.O contains a text inside its code which makes an image of a butterfly, although this can’t be seen.
– Bagle.N is a polymorphic malicious code.
– The size, both when compressed and extracted: Bagle.O is 23558 bytes when compressed and 44189 bytes when extracted, and the N variant is 20650 and 38570 bytes respectively.

The other three variants of Bagle that we’re looking at today are the Q, R and S variants, of which the first and third infect files. Bagle.Q downloads a file from the Internet and then runs it on the computer. According to PandaLabs, this last variant has spread widely.

The next worms we’re looking at today are Netsky.N and Netsky.O. They are sent by e-mail, using their own SMTP engine, to all addresses they find in files with certain extensions. They also create several files, some in MIME format, and delete entries made by certain worms including Mydoom and Bagle. They also create a mutex so that only one copy runs at a time.

Aspects that differentiate the N and O variants of Netsky include the texts in the message in which they are sent, the files copied to infected computers and the registry entries they create.
