My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Bagle.AE@mm

VERY LOW
VERY LOW
30 KB
(I-Worm.Bagle.ad, WORM_BAGLE.AE)

Symptoms

  • Files:
    %SYSDIR%\loader_name.exe
    %SYSDIR%\loader_name.exeopen
    %SYSDIR%\loader_name.exeopenopen
    where %SYSDIR% is Windows System directory (eg. C:\Windows\System, C:\WinNT\System32)
  • Registry key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    with the value:
    "reg_key"="%SYSDIR%\loader_name.exe
  • Port 1234 opened (see it using "netstat -a" at the command prompt)

Removal instructions:

Let BitDefender delete all files found infected by this worm.

Analyzed By

Mihai Neagu BitDefender virus researcher

Technical Description:

The worm comes by mail in the following form:

From: [spoofed]

Subject: one of the following:

  • Re: Msg reply
  • Re: Hello
  • Re: Yahoo!
  • Re: Thank you!
  • Re: Thanks :)
  • RE: Text message
  • Re: Document
  • Incoming message
  • Re: Incoming Message
  • RE: Incoming Msg
  • RE: Message Notify
  • Notification
  • Changes..
  • Update
  • Fax Message
  • Protected message
  • RE: Protected message
  • Forum notify
  • Site changes
  • Re: Hi
  • Encrypted document

Attachment: has a .exe, .scr, .com, .zip, .vbs, .hta or .cpl extension and one of the following names:

  • Information
  • Details
  • text_document
  • Updates
  • Readme
  • Document
  • Info
  • Details
  • MoreInfo
  • Message
  • Sources

Body text: may contain one or more of the following:

  • Read the attach.
  • Your file is attached.
  • More info is in attach
  • See attach.
  • Please, have a look at the attached file.
  • Your document is attached.
  • Please, read the document.
  • Attach tells everything.
  • Attached file tells everything.
  • Check attached file for details.
  • Check attached file.
  • Pay attention at the attach.
  • See the attached file for details.
  • Message is in attach
  • Here is the file.
  • For security reasons attached file is password protected. The password is [password]
  • For security purposes the attached file is password protected. Password -- [password]
  • Note: Use password [password] to open archive.
  • Attached file is protected with the password for security reasons. Password is [password]
  • In order to read the attach you have to use the following password: [password]
  • Archive password: [password]
  • Password - [password]
  • Password: [password]


When ran, the worm displays a fake error message:

Can't find a viewer associated with the file

and creates one of the following mutexes:

  • |MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • 'D'r'o'p'p'e'd'S'k'y'N'e't'
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

then creates the following files:

  • %SYSDIR%\loader_name.exe -- worm executable file
    where %SYSDIR% is Windows System directory (eg. C:\Windows\System, C:\WinNT\System32)
  •  
  • %SYSDIR%\loader_name.exeopen -- worm copy with some garbage appended
  • %SYSDIR%\loader_name.exeopenopen -- worm zipped (may be password protected)

and creates the registry key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    with the value:
    "reg_key"="%SYSDIR%\loader_name.exe

The key above is created ten times per second, so deleting it will not help unless the process (loader_name.exe) is killed.

The worm tries to remove the following registry keys:
  • HKCU\Software\Microsoft\Windows\My AV
  • HKCU\Software\Microsoft\Windows\Zone Labs Client Ex
  • HKCU\Software\Microsoft\Windows\9XHtProtect
  • HKCU\Software\Microsoft\Windows\Antivirus
  • HKCU\Software\Microsoft\Windows\Special Firewall Service
  • HKCU\Software\Microsoft\Windows\service
  • HKCU\Software\Microsoft\Windows\Tiny AV
  • HKCU\Software\Microsoft\Windows\ICQNet
  • HKCU\Software\Microsoft\Windows\HtProtect
  • HKCU\Software\Microsoft\Windows\NetDy
  • HKCU\Software\Microsoft\Windows\Jammer2nd
  • HKCU\Software\Microsoft\Windows\FirewallSvr
  • HKCU\Software\Microsoft\Windows\MsInfo
  • HKCU\Software\Microsoft\Windows\SysMonXP
  • HKCU\Software\Microsoft\Windows\EasyAV
  • HKCU\Software\Microsoft\Windows\PandaAVEngine
  • HKCU\Software\Microsoft\Windows\Norton Antivirus AV
  • HKCU\Software\Microsoft\Windows\KasperskyAVEng
  • HKCU\Software\Microsoft\Windows\SkynetsRevenge
  • HKCU\Software\Microsoft\Windows\ICQ Net

To mail itself, the worm searches the local hard-disk for e-mail addresses inside files with the following extensions:

.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

and uses its own SMTP engine to resolve the target mail server and to send mail to it, skipping e-mail addresses that contain:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@.

Also the worm copies itself to directories that have shar in their names (for instance the P2P shared folders) with one of the following names:

  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Porno Screensaver.scr
  • Serials.txt.exe
  • KAV 5.0
  • Kaspersky Antivirus 5.0
  • Porno pics arhive, xxx.exe
  • Windows Sourcecode update.doc.exe
  • Ahead Nero 7.exe
  • Windown Longhorn Beta Leak.exe
  • Opera 8 New!.exe
  • XXX hardcore images.exe
  • WinAmp 6 New!.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • Adobe Photoshop 9 full.exe
  • Matrix 3 Revolution English Subtitles.exe
  • ACDSee 9.exe


The worm also runs as backdoor on port 1234.