
Win32.Bagle.GM@mm

Spreading: LOW
Damage: LOW
Size: 40,561 bytes

Symptoms

When run for the first time, it drops a file named error.txt in C:\ and opens it with Notepad.
Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Raul Tosa, virus researcher

Technical Description:

The worm creates two copies of itself:
  • %APPDATA%\hidn\hldrrr.exe
  • %APPDATA%\hidn\hidn2.exe
Older Bagle versions used the same names but hid the "hidn" folder, the two files and the associated processes and registry entries with a rootkit. This version does not, so the files and registry entries are visible to ordinary enumeration.

It creates the following registry entry to ensure it will be run at startup:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = "%APPDATA%\hidn\hidn2.exe"
The worm tries to download lists of email addresses from the following web sites (legitimate sites hosting the list files under a "/1/" path):
  • http://accesible.cl/1/[REMOVED].php
  • http://amdlady.com/1/[REMOVED].php
  • http://avataresgratis.com/1/[REMOVED].php
  • http://beyoglu.com.tr/1/[REMOVED].php
  • http://brandshock.com/1/[REMOVED].php
  • http://c-d-c.com.au/1/[REMOVED].php
  • http://camaramafra.sc.gov.br/1/[REMOVED].php
  • http://camposequipamentos.com.br/1/[REMOVED].php
  • http://cbradio.sos.pl/1/[REMOVED].php
  • http://coparefrescos.stantonstreetgroup.com/1/[REMOVED].php
  • http://creainspire.com/1/[REMOVED].php
  • http://desenjoi.com.br/1/[REMOVED].php
  • http://hotelesalba.com/1/[REMOVED].php
  • http://inca.dnetsolution.net/1/[REMOVED].php
  • http://veranmaisala.com/1/[REMOVED].php
  • http://wklight.nazwa.pl/1/[REMOVED].php
  • http://www.auraura.com/1/[REMOVED].php
  • http://www.buydigital.co.kr/1/[REMOVED].php
  • http://www.diem.cl/1/[REMOVED].php
  • http://www.discotecapuzzle.com/1/[REMOVED].php
  • http://www.inprofile.gr/1/[REMOVED].php
  • http://www.klanpl.com/1/[REMOVED].php
  • http://www.titanmotors.com/images/1/[REMOVED].php
  • http://yongsan24.co.kr/1/[REMOVED].php
It stores the downloaded addresses in a file named "elist.xpt" in the %WINDOWS% directory.

All email addresses found on the local system are added to this list. The worm searches for them in files with the following extensions:
  • .wab
  • .txt
  • .msg
  • .htm
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp

Addresses containing any of the following substrings are not collected (the list filters out malformed addresses, generic mailboxes and security vendors):
  • @.
  • .@
  • ..
  • rating@
  • f-secur
  • news
  • update
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@
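The harvesting step described above (scan files by extension, extract addresses, drop anything that contains an excluded substring) is shown here as an added example, not code from the original page or from the worm. The extension and exclusion lists are copied from the page; the address regex, the case-insensitive substring matching, and the sample directory tree are assumptions made for the example.

```python
import os
import re
import tempfile

# File extensions the page lists as the worm's search targets.
HARVEST_EXTENSIONS = {
    ".wab", ".txt", ".msg", ".htm", ".shtm", ".stm", ".xml", ".dbx", ".mbx",
    ".mdx", ".eml", ".nch", ".mmf", ".ods", ".cfg", ".asp", ".php", ".pl",
    ".wsh", ".adb", ".tbb", ".sht", ".xls", ".oft", ".uin", ".cgi", ".mht",
    ".dhtm", ".jsp",
}

# Substrings from the page's exclusion list; an address containing any of them is dropped.
SKIP_PATTERNS = [
    "@.", ".@", "..", "rating@", "f-secur", "news", "update", "anyone@", "bugs@",
    "contract@", "feste", "gold-certs@", "help@", "info@", "nobody@", "noone@",
    "kasp", "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux",
    "listserv", "certific", "sopho", "@foo", "@iana", "free-av", "@messagelab",
    "winzip", "google", "winrar", "samples", "abuse", "panda", "cafee", "spam",
    "pgp", "@avp.", "noreply", "local", "root@", "postmaster@",
]

# Loose address pattern (assumption); the worm's own extraction rule is not described on the page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_skipped(address):
    """Assumption: case-insensitive substring match against the whole address."""
    lowered = address.lower()
    return any(pattern in lowered for pattern in SKIP_PATTERNS)


def harvest(root):
    """Walk `root`, read files with a targeted extension and return the surviving addresses."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HARVEST_EXTENSIONS:
                continue
            try:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for addr in EMAIL_RE.findall(text):
                if not is_skipped(addr):
                    found.add(addr.lower())
    return sorted(found)


def demo():
    """Run the harvester over a constructed directory tree (sample data, not real contacts)."""
    samples = {
        "contacts.txt": "alice@example.com, admin@example.com, bob@sample.org",
        "page.htm": '<a href="mailto:support@vendor.com">mail</a> carol@example.net',
        "notes.pdf": "dave@example.com",            # extension not targeted, never read
        "inbox.eml": "From: noreply@shop.com\nTo: erin@corp.co.uk\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return harvest(root)


if __name__ == "__main__":
    for address in demo():
        print(address)
```

The exclusion list is what makes this variant quiet: mailboxes at antivirus vendors, abuse and postmaster addresses, and list servers never receive a copy, so a vendor honeypot sees fewer samples than the volume of infected hosts would suggest.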

The worm uses the SMTP servers configured in Outlook. If none are configured on the system, it falls back to a predefined list of SMTP servers.

An email sent by this version of Bagle will look like this:

Subject
A combination of one of the following and the current date:
  • "pric "
  • "price_ "
  • "price_"
  • "price-"
  • "price "
For example: "price_29-Dec-2006"

From
Taken from the Outlook account profiles stored under HKCU\Software\Microsoft\Internet Account Manager\Accounts

Body
One of the following:
  • Message in attach.
  • Message is zipped.
  • Msg attached.
Attachment
A combination of one of the following, and the current date, with ".zip" at the end:
  • price
  • new_price
  • latest_price
For example: "new_price29-Dec-2006.zip"
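The subject, body and attachment template above is regular enough to be matched at a mail gateway. The following detection is an added example, not part of the original page or of any Bitdefender product: it parses a message, requires the subject to be one of the five prefixes followed by a DD-Mon-YYYY date, the plain-text body to be one of the three fixed strings, and a .zip attachment named with one of the three name prefixes and the same date format. The sample messages are constructed for the example, and the date format is inferred from the page's "29-Dec-2006" examples.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DATE = r"\d{2}-[A-Z][a-z]{2}-\d{4}"          # inferred from the page's example: 29-Dec-2006
SUBJECT_RE = re.compile(r"^(?:pric |price_ |price_|price-|price )" + DATE + r"$")
ATTACHMENT_RE = re.compile(r"^(?:price|new_price|latest_price)" + DATE + r"\.zip$",
                           re.IGNORECASE)
BODIES = {"Message in attach.", "Message is zipped.", "Msg attached."}


def matches_bagle_gm(raw_message):
    """Return True when subject, plain-text body and attachment name all fit the template."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    subject = str(msg["Subject"] or "").strip()
    if not SUBJECT_RE.match(subject):
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    if body not in BODIES:
        return False
    return any(ATTACHMENT_RE.match(part.get_filename() or "")
               for part in msg.iter_attachments())


def build_sample(subject, body, attachment_name):
    """Constructed test message; the attachment bytes are a stub, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 stub", maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("price_29-Dec-2006", "Message is zipped.", "new_price29-Dec-2006.zip")
    print("match" if matches_bagle_gm(sample) else "no match")
```

Requiring all three fields keeps false positives low but makes the rule brittle; a gateway rule that should survive small changes in the next variant would key on the subject prefix plus the dated .zip name and treat the body as a confidence boost rather than a hard requirement.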

It also downloads a second-stage file from one of the following addresses (served with a .gif extension to look like an image) and saves it as "re_file.exe":
  • http://5050clothing.com/[REMOVED].gif
  • http://axelero.hu/[REMOVED].gif
  • http://calamarco.com/[REMOVED].gif
  • http://ceramax.co.kr/[REMOVED].gif
  • http://charlesspaans.com/[REMOVED].gif
  • http://chatsk.wz.cz/[REMOVED].gif
  • http://checkalertusa.com/[REMOVED].gif
  • http://cibernegocios.com.ar/[REMOVED].gif
  • http://cof666.shockonline.net/[REMOVED].gif
  • http://comaxtechnologies.net/[REMOVED].gif
  • http://concellodesandias.com/[REMOVED].gif
  • http://dev.jintek.com/[REMOVED].gif
  • http://dogoodesign.ch/[REMOVED].gif
  • http://donchef.com/[REMOVED].gif
  • http://erich-kaestner-schule-donaueschingen.de/[REMOVED].gif
  • http://foxvcoin.com/[REMOVED].gif
  • http://grupdogus.de/[REMOVED].gif
  • http://hotchillishop.de/[REMOVED].gif
  • http://ilikesimple.com/[REMOVED].gif
  • http://innovation.ojom.net/[REMOVED].gif
  • http://kisalfold.com/[REMOVED].gif
  • http://knickimbit.de/[REMOVED].gif
  • http://kremz.ru/[REMOVED].gif
  • http://massgroup.de/[REMOVED].gif
  • http://poliklinika-vajnorska.sk/[REMOVED].gif
  • http://prime.gushi.org/[REMOVED].gif
  • http://svatba.viskot.cz/[REMOVED].gif
  • http://systemforex.de/[REMOVED].gif
  • http://uwua132.org/[REMOVED].gif
  • http://v-v-kopretiny.ic.cz/[REMOVED].gif
  • http://vanvakfi.com/[REMOVED].gif
  • http://vega-sps.com/[REMOVED].gif
  • http://vidus.ru/[REMOVED].gif
  • http://viralstrategies.com/[REMOVED].gif
  • http://Vivamodelhobby.com/[REMOVED].gif
  • http://vkinfotech.com/[REMOVED].gif
  • http://vproinc.com/[REMOVED].gif
  • http://vytukas.com/[REMOVED].gif
  • http://waisenhaus-kenya.ch/[REMOVED].gif
  • http://watsrisuphan.org/[REMOVED].gif
  • http://wbecanada.com/[REMOVED].gif
  • http://web-comp.hu/[REMOVED].gif
  • http://webfull.com/[REMOVED].gif
  • http://welvo.com/[REMOVED].gif
  • http://wvpilots.org/[REMOVED].gif
  • http://www.ag.ohio-state.edu/[REMOVED].gif
  • http://www.chapisteriadaniel.com/[REMOVED].gif
  • http://www.chittychat.com/[REMOVED].gif
  • http://www.cort.ru/[REMOVED].gif
  • http://www.crfj.com/[REMOVED].gif
  • http://www.kersten.de/[REMOVED].gif
  • http://www.kljbwadersloh.de/[REMOVED].gif
  • http://www.voov.de/[REMOVED].gif
  • http://www.walsch.de/[REMOVED].gif
  • http://www.wchat.cz/[REMOVED].gif
  • http://www.wg-aufbau-bautzen.de/[REMOVED].gif
  • http://www.wzhuate.com/[REMOVED].gif
  • http://xotravel.ru/[REMOVED].gif
  • http://yeniguntugla.com/[REMOVED].gif
  • http://zebrachina.net/[REMOVED].gif
  • http://zsnabreznaknm.sk/[REMOVED].gif

"re_file.exe" is then executed.

Other payloads:
  • It disables the Windows Update service (wuauserv), so the system no longer receives updates.
  • It deletes "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot", which prevents Windows from booting into Safe Mode until the key is restored.
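The file names, autorun value and registry payloads listed on this page can be checked on a suspect host in one pass. The script below is an added example, not code from the original page or from Bitdefender. It evaluates the indicators through accessor functions so the same logic runs live on Windows (winreg and os.path) or against a constructed snapshot elsewhere. Assumptions: %WINDOWS% on the page is read as %WINDIR%, and "disabled" for wuauserv is taken to mean a Start value of 4 under the service key; the page does not say how the service is disabled or where re_file.exe is written, so neither is guessed. Because this variant has no rootkit, ordinary file and registry enumeration is sufficient.

```python
import os

# Indicators taken from the page. %WINDOWS% on the page is read here as %WINDIR% (assumption).
BAGLE_GM_FILES = [
    r"%APPDATA%\hidn\hldrrr.exe",
    r"%APPDATA%\hidn\hidn2.exe",
    r"%WINDIR%\elist.xpt",
    r"C:\error.txt",
]
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "drv_st_key"
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
SERVICE = "wuauserv"


def check_host(expand, exists, reg_value, reg_key_exists, service_disabled):
    """Evaluate every indicator through the supplied accessors and return the findings."""
    findings = []
    for path in BAGLE_GM_FILES:
        full = expand(path)
        if exists(full):
            findings.append("file present: " + full)
    value = reg_value(RUN_KEY, RUN_VALUE)
    if value is not None:
        findings.append(f"autorun value {RUN_KEY}\\{RUN_VALUE} = {value}")
    if not reg_key_exists(SAFEBOOT_KEY):
        findings.append("SafeBoot key missing: Safe Mode cannot start")
    if service_disabled(SERVICE):
        findings.append(f"service {SERVICE} is disabled")
    return findings


def windows_accessors():
    """Live accessors for a Windows host (winreg is unavailable elsewhere)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}

    def reg_value(key, name):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None

    def reg_key_exists(key):
        hive, _, sub = key.partition("\\")
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            return True
        except OSError:
            return False

    def service_disabled(name):
        # Assumption: "disabled" means Start type 4 under the service's registry key.
        service_key = r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + name
        return reg_value(service_key, "Start") == 4

    return os.path.expandvars, os.path.exists, reg_value, reg_key_exists, service_disabled


def demo():
    """Run the checks against a constructed snapshot of an infected host (no live system needed)."""
    env = {"%APPDATA%": r"C:\Users\user\AppData\Roaming", "%WINDIR%": r"C:\Windows"}
    files = {
        r"C:\Users\user\AppData\Roaming\hidn\hldrrr.exe",
        r"C:\Users\user\AppData\Roaming\hidn\hidn2.exe",
        r"C:\Windows\elist.xpt",
    }
    values = {(RUN_KEY, RUN_VALUE): r"C:\Users\user\AppData\Roaming\hidn\hidn2.exe"}
    existing_keys = set()                       # SafeBoot already deleted by the worm

    def expand(path):
        for var, val in env.items():
            path = path.replace(var, val)
        return path

    return check_host(expand, files.__contains__, lambda k, n: values.get((k, n)),
                      existing_keys.__contains__, lambda s: s == SERVICE)


if __name__ == "__main__":
    try:
        findings = check_host(*windows_accessors())
    except ImportError:
        findings = demo()
    print("\n".join(findings) or "no Bagle.GM indicators found")
```

A missing SafeBoot key is worth treating as a finding on its own: it is rarely absent on a healthy system, and it has to be restored (for example from a clean machine of the same Windows version) before Safe Mode can be used for cleanup.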