Description Published: August 30, 2004
Description Modified: August 31, 2004
Category: Win32
Also known as: W32.Beagle.gen (Symantec), Win32/Mitglieder.Trojan
Description
Win32.Harbag.B is a trojan that harvests e-mail addresses from an affected machine. This trojan may be downloaded onto machines already compromised by Win32.Glieder (a trojan that downloads and executes arbitrary files from particular URLs). Please see elsewhere in our encyclopedia for additional information on Win32.Glieder.
Harbag searches all fixed drives of the affected machine for files with the following extensions and scans them for e-mail addresses:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
Harbag checks the validity of each domain by performing a DNS lookup.
Harbag avoids collecting addresses that contain any of the following strings:
@avp.
@foo
@iana
@messagelab
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
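The two lists above decide whether a planted decoy (canary) address would ever be collected, so mail arriving at it can signal harvesting. The following check is an added example, not part of the original analysis; the function names, the sample addresses, and the case-insensitive substring and exact-extension matching rules are assumptions.

```python
import os

# Lists copied from this description; matching rules are assumptions (see docstrings).
SCANNED_EXTENSIONS = set(
    ".adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch "
    ".ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml".split()
)
SKIP_STRINGS = (
    "@avp. @foo @iana @messagelab abuse admin anyone@ bsd bugs@ cafee certific "
    "contract@ f-secur feste free-av gold-certs@ google help@ icrosoft info@ kasp "
    "linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ "
    "rating@ root@ samples sopho spam support unix update winrar winzip"
).split()


def skip_hits(address):
    """Skip strings found in the address (assumed: case-insensitive substring match)."""
    lowered = address.lower()
    return [s for s in SKIP_STRINGS if s in lowered]


def canary_problems(address, filename):
    """Reasons a decoy address planted in `filename` would never be collected.

    An empty list means the decoy is usable. The domain must also resolve in DNS,
    which is not checked here so the example runs offline.
    """
    problems = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SCANNED_EXTENSIONS:  # assumed: exact extension match
        problems.append(f"extension {ext or '(none)'} is not scanned")
    hits = skip_hits(address)
    if hits:
        problems.append("address contains skipped string(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample decoys, not taken from any real environment.
    samples = [
        ("j.kowalski@mail.example.org", "contacts.txt"),
        ("helpdesk-support@corp.example", "contacts.txt"),
        ("j.kowalski@mail.example.org", "contacts.docx"),
    ]
    for addr, path in samples:
        print(addr, path, canary_problems(addr, path) or "usable")
```

The same check shows why role mailboxes such as postmaster@ or abuse@ receive nothing from this family: they are filtered out before collection.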
Harbag posts the collected e-mail addresses to a remote web server. It then drops and executes a batch file a.bat in its own directory. This batch file removes both Harbag and itself.
Analysis by Paul Taylor
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40044
Computer Associates – the Trusted Source of Security Knowledge