ThreatExpert Report: Email-Worm.Beagle!rem, W32.Beagle.DS@mm, Email-Worm.Win32.Bagle.ae..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 13 March 2012, 00:42:54
Processing time: 8 min 55 sec
Submitted sample:

File MD5: 0x9E5D1E6D6EAFCE5F390DC785A394A7B2
File SHA-1: 0x1DBACBF2350F392994BE2EE5C85F973531ABC906
Filesize: 48,988 bytes
Alias:

Email-Worm.Beagle!rem [PCTools]
W32.Beagle.DS@mm [Symantec]
Email-Worm.Win32.Bagle.ae [Kaspersky Lab]
W32/Bagle.gen!Sality [McAfee]
PE_SALITY.AC-O [Trend Micro]
W32/Kookoo-A [Sophos]
Virus:Win32/Sality.M [Microsoft]
Virus.Win32.Sality [Ikarus]
Win32/Bagle.worm.27136 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Searching for email addresses by enumerating files with the certain extensions. This functionality is used by mass-mailers and spam-bots.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A program that downloads files to the local computer that may represent security risk
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\lmovie.exe [file and pathname of the sample #1]	48,988 bytes	MD5: 0x9E5D1E6D6EAFCE5F390DC785A394A7B2 SHA-1: 0x1DBACBF2350F392994BE2EE5C85F973531ABC906	Email-Worm.Beagle!rem [PCTools] W32.Beagle.DS@mm [Symantec] Email-Worm.Win32.Bagle.ae [Kaspersky Lab] W32/Bagle.gen!Sality [McAfee] PE_SALITY.AC-O [Trend Micro] W32/Kookoo-A [Sophos] Virus:Win32/Sality.M [Microsoft] Virus.Win32.Sality [Ikarus] Win32/Bagle.worm.27136 [AhnLab]
2	%System%\lmovie.exeopen %System%\lmovie.exeopenopen	49,007 bytes	MD5: 0xF50A07CA83ED4893828A0D7E78A5B0E7 SHA-1: 0xA3F4631BE35CCEFF102C9833D19D93ECC9544CC3	Email-Worm.Beagle!rem [PCTools] W32.Beagle.DS@mm [Symantec] Email-Worm.Win32.Bagle.ae [Kaspersky Lab] W32/Bagle.gen!Sality [McAfee] PE_SALITY.AC-O [Trend Micro] W32/Kookoo-A [Sophos] Virus:Win32/Sality.M [Microsoft] Virus.Win32.Sality [Ikarus] Win32/Bagle.worm.27136 [AhnLab]
3	%System%\olemdb32.dll	23,552 bytes	MD5: 0x65387B1305F01EDE9BCE1B664207D5D7 SHA-1: 0x19D719D16958E6A1C5367B578CB9FF7700E695BF	Malware.Sality [PCTools] W32.Sality [Symantec] Virus.Win32.Sality.k [Kaspersky Lab] W32/Sality.dll [McAfee] W32/Kookoo-A [Sophos] Trojan:Win32/Sality.M.dll [Microsoft] Virus.Win32.Sality [Ikarus] Win-Trojan/Sality.23552 [AhnLab]
4	%Windir%\vcualts32.exe	5,120 bytes	MD5: 0xD99874B9C0584134162F35D93560D5F8 SHA-1: 0x8EB2AC41773C8007856C0A9071CAE14DC6837ED5	GenericDetection [PCTools] Trojan.Pramro [Symantec] Trojan-Downloader.Win32.Bagle.z [Kaspersky Lab] W32/Bagle.dldr [McAfee] WORM_BAGLE.EW [Trend Micro] W32/Bagle-CO [Sophos] TrojanDownloader:Win32/Small [Microsoft] Trojan-Downloader.Win32.Bagle [Ikarus] Win-Trojan/BagleDownloader.5120 [AhnLab]

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
lmovie.exe	%System%\lmovie.exe	102,400 bytes
vcualts32.exe	%Windir%\vcualts32.exe	12,288 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	102,400 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
olemdb32.dll	%System%\olemdb32.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0xF90000 - 0xF9F000
olemdb32.dll	%System%\olemdb32.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0x10000000 - 0x1000F000
olemdb32.dll	%System%\olemdb32.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x10000000 - 0x1000F000
olemdb32.dll	%System%\olemdb32.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x14E0000 - 0x14EF000
olemdb32.dll	%System%\olemdb32.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1900000 - 0x190F000
olemdb32.dll	%System%\olemdb32.dll	Process name: lmovie.exe Process filename: %System%\lmovie.exe Address space: 0x10000000 - 0x1000F000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

MovieM = "%System%\lmovie.exe"

so that lmovie.exe runs every time Windows starts

Other details

The following ports were open in the system:

Port	Protocol	Process
1057	TCP	vcualts32.exe (%Windir%\vcualts32.exe)
1059	TCP	vcualts32.exe (%Windir%\vcualts32.exe)
1060	TCP	lmovie.exe (%System%\lmovie.exe)
6777	TCP	lmovie.exe (%System%\lmovie.exe)

Heuristics Analysis

Heuristically identified capability to harvest email addresses (e.g. for spamming or mass-mailing purposes) from files with the following extensions:

Heuristically identified that addresses containing the following strings are not harvested:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.