
Win32.Bagle.AX@mm

HIGH
MEDIUM
approx 20Kbytes (packed)
(N/A)

Symptoms

Presence of the files 'wingo.exe', 'wingo.exeopen', 'wingo.exeopenopen', etc. in %SYSDIR%.
Presence of the registry value wingo=%SYSDIR%\wingo.exe under the key
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Removal instructions:

Manual removal:
Identify and kill the process (if active), then remove the registry keys and files from the system.

Analyzed By

Alexandru Carp - Bitdefender Virus Researcher

Technical Description:

This is a typical mass-mailer and P2P worm with backdoor capabilities.
The worm spreads via e-mail and P2P file-sharing programs. The e-mail has the following characteristics:

Mail sender: spoofed.

Mail subject is one of:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
:))


Mail attachment is one of:
Price
price
Joke

with a .com, .exe, .cpl or .scr extension.
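The subject, attachment-name and extension lists above are what a mail gateway would key on. The following is an added example (not Bitdefender's code) of a gateway-side heuristic that matches a message against exactly those lists; the Message class and the sample messages are constructed for the example, and base-name matching is deliberately case-insensitive so the check does not depend on the casing the worm happened to use.

```python
"""Mail-gateway heuristic for the message characteristics described above.

Added example, not Bitdefender's code. It matches a message against the
subjects, attachment names and extensions the description lists. The
Message class and sample messages are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List

# Subjects exactly as listed in the description.
SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi", ":))"}
# The description lists 'Price', 'price' and 'Joke'; matching is case-insensitive
# so the detector does not depend on the exact casing the worm used.
ATTACHMENT_BASENAMES = {"price", "joke"}
ATTACHMENT_EXTENSIONS = {"com", "exe", "cpl", "scr"}


@dataclass
class Message:
    """Minimal mail representation (constructed for this example)."""
    subject: str
    attachments: List[str] = field(default_factory=list)


def attachment_matches(filename: str) -> bool:
    """True if the name is a listed base name with a listed executable extension."""
    base, dot, ext = filename.rpartition(".")
    return bool(dot) and base.lower() in ATTACHMENT_BASENAMES and ext.lower() in ATTACHMENT_EXTENSIONS


def match_reasons(msg: Message) -> List[str]:
    """Human-readable reasons a message resembles the Bagle.AX mail (empty = none)."""
    reasons = []
    if msg.subject.strip() in SUBJECTS:
        reasons.append(f"subject: {msg.subject!r}")
    reasons.extend(f"attachment: {n!r}" for n in msg.attachments if attachment_matches(n))
    return reasons


def is_suspect(msg: Message) -> bool:
    """Flag only when both the subject and an attachment match.

    A bare 'Re: Hi' is ordinary mail; the executable attachment carrying one of
    the listed names is what justifies quarantining or sandboxing the message.
    """
    reasons = match_reasons(msg)
    has_subject = any(r.startswith("subject") for r in reasons)
    has_attachment = any(r.startswith("attachment") for r in reasons)
    return has_subject and has_attachment


if __name__ == "__main__":
    # Constructed sample messages.
    for m in [
        Message("Re: Thanks :)", ["price.exe"]),
        Message("Re: Hi", ["report.pdf"]),
        Message("Quarterly figures", ["Price.scr"]),
        Message(":))", ["Joke.CPL"]),
    ]:
        print(f"{m.subject!r:22} {m.attachments} -> suspect={is_suspect(m)} {match_reasons(m)}")
```

Requiring both the subject and the attachment to match keeps false positives down: the subjects on the list are ordinary reply lines, so a subject alone should only contribute to a score, not block mail.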


When spreading via P2P, the filenames can be one of:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
This worm also tries to kill the following processes:
mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe


It also tries to download a file from the following sites:
http://www.bottombouncer.com
http://www.anthonyflanagan.com
http://www.bradster.com
http://www.traverse.com
http://www.ims-i.com
http://www.realgps.com
http://www.aviation-center.de
http://www.gci-bln.de
http://www.pankration.com
http://www.jansenboiler.com
http://www.corpsite.com
http://www.everett.wednet.edu
http://www.onepositiveplace.org
http://www.raecoinc.com
http://www.wwwebad.com
http://www.corpsite.com
http://www.wwwebmaster.com
http://www.wwwebad.com
http://www.dragcar.com
http://www.wwwebad.com
http://www.oohlala-kirkland.com
http://www.calderwoodinn.com
http://www.buddyboymusic.com
http://www.smacgreetings.com
http://www.tkd2xcell.com
http://www.curtmarsh.com
http://www.dontbeaweekendparent.com
http://www.soloconsulting.com
http://www.lasermach.com
http://www.generationnow.net
http://www.flashcorp.com
http://www.kencorbett.com
http://www.FritoPie.NET
http://www.leonhendrix.com
http://www.transportation.gov.bh
http://www.jhaforpresident.7p.com
http://www.DarrkSydebaby.com
http://www.cntv.info
http://www.sugardas.lt
http://www.adhdtests.com
http://www.argontech.net
http://www.customloyal.com
http://www.ohiolimo.com
http://www.topko.sk
http://www.alupass.lu
http://www.sigi.lu
http://www.redlightpictures.com
http://www.irinaswelt.de
http://www.bueroservice-it.de
http://www.kranenberg.de
http://www.the-fabulous-lions.de
http://www.mongolische-renner.de
http://www.capri-frames.de
http://www.aimcenter.net
http://www.boneheadmusic.com
http://www.fludir.is
http://www.sljinc.com
http://www.tivogoddess.com
http://www.fcpages.com
http://www.andara.com
http://www.freeservers.com
http://www.programmierung2000.de
http://www.asianfestival.nl
http://www.aviation-center.de
http://www.gci-bln.de
http://www.mass-i.kiev.ua
http://www.jasnet.pl
http://www.atlantisteste.hpg.com.br
http://www.fludir.is
http://www.rieraquadros.com.br
http://www.metal.pl
http://www.handsforhealth.com
http://www.angelartsanctuary.com
http://www.firstnightoceancounty.org
http://www.chinasenfa.com
http://www.ulpiano.org
http://www.gamp.pl
http://www.vikingpc.pl
http://www.woundedshepherds.com
http://www.cpc.adv.br
http://www.velocityprint.com
http://www.esperanzaparalafamilia.com
http://www.celula.com.mx
http://www.mexis.com
http://www.wecompete.com
http://www.vbw.info
http://www.gfn.org
http://www.aegee.org
http://www.deadrobot.com
http://www.cscliberec.cz
http://www.ecofotos.com.br
http://www.amanit.ru
http://www.bga-gsm.ru
http://www.innnewport.com
http://www.knicks.nl
http://www.srg-neuburg.de
http://www.mepmh.de
http://www.mepbisu.de
http://www.kradtraining.de
http://www.polizeimotorrad.de
http://www.sea.bz.it
http://www.uslungiarue.it
http://www.gcnet.ru
http://www.aimcenter.net
http://www.vandermost.de
http://www.szantomierz.art.pl
http://www.immonaut.sk
http://www.eurostavba.sk
http://www.spadochron.pl
http://www.pyrlandia-boogie.pl
http://www.kps4parents.com
http://www.pipni.cz
http://www.selu.edu
http://www.travelchronic.de
http://www.fleigutaetscher.ch
http://www.irakli.org
http://www.oboe-online.com
http://www.pe-sh.com
http://www.idb-group.net
http://www.ceskyhosting.cz
http://www.hartacorporation.com
http://www.glass.la
http://www.24-7-transportation.com
http://www.fepese.ufsc.br
http://www.ellarouge.com.au
http://www.bbsh.org
http://www.boneheadmusic.com
http://www.sljinc.com
http://www.tivogoddess.com
http://www.fcpages.com
http://www.szantomierz.art.pl
http://www.elenalazar.com
http://www.ssmifc.ca
http://www.reliance-yachts.com
http://www.worest.com.ar
http://www.kps4parents.com
http://www.coolfreepages.com
http://www.scanex-medical.fi
http://www.jimvann.com
http://www.orari.net
http://www.himpsi.org
http://www.mtfdesign.com
http://www.jldr.ca
http://www.relocationflorida.com
http://www.rentalstation.com
http://www.approved1stmortgage.com
http://www.velezcourtesymanagement.com
http://www.sunassetholdings.com
http://www.compsolutionstore.com
http://www.uhcc.com
http://www.justrepublicans.com
http://www.pfadfinder-leobersdorf.com
http://www.featech.com
http://www.vinirforge.com
http://www.magicbottle.com.tw
http://www.giantrevenue.com
http://www.couponcapital.net
http://www.crystalrose.ca

The worm also opens TCP port 81 and starts listening for incoming connections.
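The Symptoms section (dropped files in %SYSDIR%, the wingo Run value) and the port 81 listener described here are the host-side indicators a responder would check before following the manual removal steps. The following is an added example (not Bitdefender's tool) that reports those indicators. Matching is separated from collection so the logic can be exercised with constructed input; the collectors use only the standard library and run on Windows. It assumes %SYSDIR% means the Windows system directory (%SystemRoot%\System32), and treats a port 81 listener as supporting evidence only, since legitimate services also use that port.

```python
"""Host indicator check for the Win32.Bagle.AX@mm symptoms listed on this page.

Added example, not Bitdefender's own tool. Matching is separated from
collection so the logic can be exercised with constructed input; the
collectors only run on Windows. Assumption: %SYSDIR% is the Windows
system directory (%SystemRoot%\\System32).
"""
import ntpath
import os
import re
import subprocess
import sys
from typing import Dict, Iterable, List, Set, Tuple

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "wingo"
# wingo.exe, wingo.exeopen, wingo.exeopenopen, ... as described under Symptoms.
FILE_PATTERN = re.compile(r"wingo\.exe(?:open)*", re.IGNORECASE)
BACKDOOR_PORT = 81


def matching_files(filenames: Iterable[str]) -> List[str]:
    """Names from a %SYSDIR% listing that match the dropped-file pattern."""
    return [name for name in filenames if FILE_PATTERN.fullmatch(name)]


def matching_run_values(run_values: Dict[str, str], sysdir: str) -> List[Tuple[str, str]]:
    """Run-key values named 'wingo' or whose data points at %SYSDIR%\\wingo.exe."""
    expected = ntpath.join(sysdir, "wingo.exe").lower()
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or str(data).strip('"').lower() == expected:
            hits.append((name, data))
    return hits


def listening_tcp_ports(netstat_output: str) -> Set[int]:
    """Parse 'netstat -ano -p TCP' output and return the ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rpartition(":")[2]))
    return ports


def assess(filenames, run_values, sysdir, ports) -> dict:
    """Combine the indicators into a verdict.

    The dropped files and the Run value are decisive; a listener on port 81
    on its own is only supporting evidence, since legitimate services use it.
    """
    files = [ntpath.join(sysdir, f) for f in matching_files(filenames)]
    registry = [f"HKCU\\{RUN_KEY}\\{n} = {d}" for n, d in matching_run_values(run_values, sysdir)]
    port_open = BACKDOOR_PORT in ports
    if files or registry:
        verdict = "infected"
    elif port_open:
        verdict = "port-only"
    else:
        verdict = "clean"
    return {"files": files, "registry": registry, "port_81_listening": port_open, "verdict": verdict}


def collect_windows():
    """Gather live data on a Windows host (standard library only)."""
    import winreg  # Windows-only module, imported lazily
    sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            run_values[name] = data
            index += 1
    netstat = subprocess.run(["netstat", "-ano", "-p", "TCP"], capture_output=True, text=True, check=False)
    return os.listdir(sysdir), run_values, sysdir, listening_tcp_ports(netstat.stdout)


# Constructed sample data, used when not running on Windows.
SAMPLE_SYSDIR = r"C:\Windows\System32"
SAMPLE_FILES = ["kernel32.dll", "wingo.exe", "wingo.exeopenopen", "wingo.txt"]
SAMPLE_RUN_VALUES = {"wingo": r"C:\Windows\System32\wingo.exe", "Updater": r"C:\Program Files\Updater\upd.exe"}
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       4120
  TCP    192.0.2.10:49731       198.51.100.5:443       ESTABLISHED     2332
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        data = collect_windows()
    else:
        data = (SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_SYSDIR, listening_tcp_ports(SAMPLE_NETSTAT))
    report = assess(*data)
    print("verdict:", report["verdict"])
    for item in report["files"] + report["registry"]:
        print("  ", item)
    if report["port_81_listening"]:
        print("   TCP port 81 is listening (supporting indicator only)")
```

The script only reports; the removal order from the manual instructions still applies, because deleting the files while the process is running lets the worm recreate them and the Run value.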