Win32.Bagle.GM@mm
LOW
LOW
40,561 bytes
()
Symptoms
When it is run for the first time, it dropps a file named error.txt in C:\, and opens it with Nodepad. It will look like this:
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Raul Tosa, virus researcher
Technical Description:
The worm makes itself two copies:- %APPDATA%\hidn\hldrrr.exe
- %APPDATA%\hidn\hidn2.exe
It creates the following registry entry to ensure it will be run at startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drv_st_key = "%APPDATA%\hidn\hidn2.exe"
- http://accesible.cl/1/[REMOVED].php
- http://amdlady.com/1/[REMOVED].php
- http://avataresgratis.com/1/[REMOVED].php
- http://beyoglu.com.tr/1/[REMOVED].php
- http://brandshock.com/1/[REMOVED].php
- http://c-d-c.com.au/1/[REMOVED].php
- http://camaramafra.sc.gov.br/1/[REMOVED].php
- http://camposequipamentos.com.br/1/[REMOVED].php
- http://cbradio.sos.pl/1/[REMOVED].php
- http://coparefrescos.stantonstreetgroup.com/1/[REMOVED].php
- http://creainspire.com/1/[REMOVED].php
- http://desenjoi.com.br/1/[REMOVED].php
- http://hotelesalba.com/1/[REMOVED].php
- http://inca.dnetsolution.net/1/[REMOVED].php
- http://veranmaisala.com/1/[REMOVED].php
- http://wklight.nazwa.pl/1/[REMOVED].php
- http://www.auraura.com/1/[REMOVED].php
- http://www.buydigital.co.kr/1/[REMOVED].php
- http://www.diem.cl/1/[REMOVED].php
- http://www.discotecapuzzle.com/1/[REMOVED].php
- http://www.inprofile.gr/1/[REMOVED].php
- http://www.klanpl.com/1/[REMOVED].php
- http://www.titanmotors.com/images/1/[REMOVED].php
- http://yongsan24.co.kr/1/[REMOVED].php
To this list will be added all email addresses found on the system. The worm search for them in all files having the following extensions:
- .wab
- .txt
- .msg
- .htm
- .shtm
- .stm
- .xml
- .dbx
- .mbx
- .mdx
- .eml
- .nch
- .mmf
- .ods
- .cfg
- .asp
- .php
- .pl
- .wsh
- .adb
- .tbb
- .sht
- .xls
- .oft
- .uin
- .cgi
- .mht
- .dhtm
- .jsp
It will not gather emails matching the following patterns:
- @.
- .@
- ..
- rating@
- f-secur
- news
- update
- anyone@
- bugs@
- contract@
- feste
- gold-certs@
- help@
- info@
- nobody@
- noone@
- kasp
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- sopho
- @foo
- @iana
- free-av
- @messagelab
- winzip
- winrar
- samples
- abuse
- panda
- cafee
- spam
- pgp
- @avp.
- noreply
- local
- root@
- postmaster@
The worm uses the SMTP servers defined in Outlook. If there are no such servers configured on the system, it uses some predefined SMTP servers.
An email sent by this version of Bagle will look like this:
Subject
A combination of one of the following and the current date:
- "pric "
- "price_ "
- "price_"
- "price-"
- "price "
From
Searches for Outlook profiles in HKCU\Software\Microsoft\Internet Account Manager\Accounts
Body
One of the following:
- Message in attach.
- Message is zipped.
- Msg attached.
A combination of one of the following, and the current date, with ".zip" at the end:
- price
- new_price
- latest_price
It will also download a file from one of these addresses, and will rename it to "re_file.exe":
- http://5050clothing.com/[REMOVED].gif
- http://axelero.hu/[REMOVED].gif
- http://calamarco.com/[REMOVED].gif
- http://ceramax.co.kr/[REMOVED].gif
- http://charlesspaans.com/[REMOVED].gif
- http://chatsk.wz.cz/[REMOVED].gif
- http://checkalertusa.com/[REMOVED].gif
- http://cibernegocios.com.ar/[REMOVED].gif
- http://cof666.shockonline.net/[REMOVED].gif
- http://comaxtechnologies.net/[REMOVED].gif
- http://concellodesandias.com/[REMOVED].gif
- http://dev.jintek.com/[REMOVED].gif
- http://dogoodesign.ch/[REMOVED].gif
- http://donchef.com/[REMOVED].gif
- http://erich-kaestner-schule-donaueschingen.de/[REMOVED].gif
- http://foxvcoin.com/[REMOVED].gif
- http://grupdogus.de/[REMOVED].gif
- http://hotchillishop.de/[REMOVED].gif
- http://ilikesimple.com/[REMOVED].gif
- http://innovation.ojom.net/[REMOVED].gif
- http://kisalfold.com/[REMOVED].gif
- http://knickimbit.de/[REMOVED].gif
- http://kremz.ru/[REMOVED].gif
- http://massgroup.de/[REMOVED].gif
- http://poliklinika-vajnorska.sk/[REMOVED].gif
- http://prime.gushi.org/[REMOVED].gif
- http://svatba.viskot.cz/[REMOVED].gif
- http://systemforex.de/[REMOVED].gif
- http://uwua132.org/[REMOVED].gif
- http://v-v-kopretiny.ic.cz/[REMOVED].gif
- http://vanvakfi.com/[REMOVED].gif
- http://vega-sps.com/[REMOVED].gif
- http://vidus.ru/[REMOVED].gif
- http://viralstrategies.com/[REMOVED].gif
- http://Vivamodelhobby.com/[REMOVED].gif
- http://vkinfotech.com/[REMOVED].gif
- http://vproinc.com/[REMOVED].gif
- http://vytukas.com/[REMOVED].gif
- http://waisenhaus-kenya.ch/[REMOVED].gif
- http://watsrisuphan.org/[REMOVED].gif
- http://wbecanada.com/[REMOVED].gif
- http://web-comp.hu/[REMOVED].gif
- http://webfull.com/[REMOVED].gif
- http://welvo.com/[REMOVED].gif
- http://wvpilots.org/[REMOVED].gif
- http://www.ag.ohio-state.edu/[REMOVED].gif
- http://www.chapisteriadaniel.com/[REMOVED].gif
- http://www.chittychat.com/[REMOVED].gif
- http://www.cort.ru/[REMOVED].gif
- http://www.crfj.com/[REMOVED].gif
- http://www.kersten.de/[REMOVED].gif
- http://www.kljbwadersloh.de/[REMOVED].gif
- http://www.voov.de/[REMOVED].gif
- http://www.walsch.de/[REMOVED].gif
- http://www.wchat.cz/[REMOVED].gif
- http://www.wg-aufbau-bautzen.de/[REMOVED].gif
- http://www.wzhuate.com/[REMOVED].gif
- http://xotravel.ru/[REMOVED].gif
- http://yeniguntugla.com/[REMOVED].gif
- http://zebrachina.net/[REMOVED].gif
- http://zsnabreznaknm.sk/[REMOVED].gif
"re_file.exe" will then be executed.
Other payloads:
- it disables Windows Update Service (wuauserv)
- it deletes "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
SHARE
THIS ON