Win32.Bagle.AL@mm
SYMPTOMS:
Presence of file %SYSTEM%\WINdirect.exe.
Presence of file %SYSTEM%\windll.exe.
Presence of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd.exe = %SYSTEM%\WINdirect.exe or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd.exe = %SYSTEM%\WINdirect.exe.
Presence of registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n.

TECHNICAL DESCRIPTION:
The worm arrives as a small file that drops another file (WINdirect.exe) into the %SYSTEM% directory. This file then tries to raise its privilege level and starts a thread that keeps enumerating running processes; when it finds one that is on a built-in list (chosen to stop antivirus products from updating and to disable firewalls) it tries to terminate it. It then starts another thread that tries to download the main part of the mass-mailer from a list of addresses, retrying every 10 hours.

The main part of the worm creates the following mutexes in order to prevent some Netsky versions from running:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

It also deletes from the system startup registry keys any entry whose name contains one of a built-in list of strings (such as "FirewallSvr", "ICQNet", "My AV" and so on). It harvests e-mail addresses from files with extensions such as wab, txt, msg, htm, shtm, stm, xml, dbx, mbx, mdx, eml, nch, mmf, ods, cfg, asp and php (the complete list is given below). It uses its own SMTP client implementation. The mails it sends carry only the first dropper, named one of "price", "price2", "price_new", "price_08", "08_price", "newprice" or "new_price", inside a .zip archive. The mail body contains "new price"; the archive may be encrypted, in which case the mail body also contains the password. The mail subject is empty.
This worm can also spread over P2P networks: it copies itself into every folder whose name contains 'shar' under the following names:
'Microsoft Office 2003 Crack, Working!.exe'
'Microsoft Windows XP, WinXP Crack, working Keygen.exe'
'Microsoft Office XP working Crack, Keygen.exe'
'Porno, sex, oral, anal cool, awesome!!.exe'
'Porno Screensaver.scr'
'Serials.txt.exe'
'KAV 5.0'
'Kaspersky Antivirus 5.0'
'Porno pics arhive, xxx.exe'
'Windows Sourcecode update.doc.exe'
'Ahead Nero 7.exe'
'Windown Longhorn Beta Leak.exe'
'Opera 8 New!.exe'
'XXX hardcore images.exe'
'WinAmp 6 New!.exe'
'WinAmp 5 Pro Keygen Crack Update.exe'
'Adobe Photoshop 9 full.exe'
'Matrix 3 Revolution English Subtitles.exe'
'ACDSee 9.exe'

The worm also opens a socket that listens on port 80. Since this is the default port used by HTTP, an open port 80 should not be used as an infection flag unless you are very sure the machine has no HTTP server installed.

The complete list of processes it tries to kill:
FIREWALL.EXE ATUPDATER.EXE winxp.exe sys_xp.exe sysxp.exe LUALL.EXE DRWEBUPW.EXE AUTODOWN.EXE NUPGRADE.EXE OUTPOST.EXE ICSSUPPNT.EXE ICSUPP95.EXE ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE ATUPDATER.EXE AUPDATE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVXQUAR.EXE AVWUPD32.EXE AVPUPD.EXE CFIAUDIT.EXE UPDATE.EXE NUPGRADE.EXE MCUPDATE.EXE

The complete list of sites it tries to download from:
134.102.228.45 196.12.49.27 213.188.129.72 64.62.172.118 abi-2004.org advm1.gm.fh-koeln.de alexey.pioneers.com.ru alfinternational.ru aus-Zeit.com binn.ru burn2k.ipupdater.com carabi.ru catalog.zelnet.ru cavalierland.5u.com celine.artics.ru change.east.ru colleen.ai.net controltechniques.ru dev.tikls.net diablo.homelinux.com dodgetheatre.com dozenten.f1.fhtw-berlin.de emnesty.w.interia.pl emnezz.e-mania.pl euroviolence.com evadia.ru fairy.dataforce.net financial.washingtonpost.com free.bestialityhost.com gutemine.wu-wien.ac.at herzog.cs.uni-magdeburg.de home.profootball.ru host.businessweek.com
host.wallstreetcity.com host23.ipowerweb.com hsr.zhp.org.pl infokom.pl kafka.punkt.pl kooltokyo.ru kypexin.ru lars-s.privat.t-online.de lottery.h11.ru matzlinger.com megion.ru mmag.ru molinero-berlin.de momentum.ru niebo.net nominal.kaliningrad.ru omegat.ru ourcj.com packages.debian.or.jp pb195.slupsk.sdi.tpnet.pl photo.gornet.ru pixel.co.il pocono.ru polobeer.de porno-mania.net protek.ru przeglad-tygodnik.pl przeglad-tygodnik.pl quotes.barchart.com r2626r.de rausis.latnet.lv relay.great.ru republika.pl sacred.ru sbuilder.ru sec.polbox.pl shadkhan.ru silesianet.pl silesianet.pl slavarik.ru sovea.de spbbook.ru strony.wp.pl szm.sk tarkosale.net tdi-router.opola.pl terramail.pl thorpedo.us traveldeals.sidestep.com ultimate-best-hgh.0my.net vip.pnet.pl werel1.web-gratis.net www.5100.ru www.PlayGround.ru www.aannemers-nederland.nl www.abcdesign.ru www.airnav.com www.aktor.ru www.ankil.ru www.antykoncepcja.net www.aphel.de www.artics.ru www.astoria-stuttgart.de www.avant.ru www.baltmatours.com www.baltnet.ru www.biratnagarmun.org.np www.biysk.ru www.boglen.com www.bridesinrussia.com www.busheron.ru www.ccbootcamp.com www.chat4adult.com www.chelny.ru www.ciachoo.pl www.dami.com.pl www.ddosers.net www.dicto.ru www.dilver.ru www.dsmedia.ru www.dynex.ru www.elemental.ru www.elit-line.ru www.epski.gr www.forbes.com www.free-time.ru www.gamma.vyborg.ru www.gantke-net.com www.gin.ru www.glass-master.ru www.glavriba.ru www.gradinter.ru www.hack-gegen-rechts.com www.hbz-nrw.de www.hgr.de www.hgrstrailer.com www.ifa-guide.co.uk www.iluminati.kicks-ass.net www.infognt.com www.intellect.lvc www.interfoodtd.ru www.interrybflot.ru www.inversorlatino.com www.jewishgen.org www.k2kapital.com www.kefaloniaresorts.com www.lamatec.com www.landofcash.net www.laserbuild.ru www.math.kobe-u.ac.jp www.mcschnaeppchen.com www.mdmedia.org www.met.pl www.metacenter.ru www.milm.ru www.myrtoscorp.com www.nefkom.net www.neostrada.pl www.neprifan.ru www.netradar.com www.no-abi2003.de
www.oldtownradio.com www.omnicom.ru www.oshweb.com www.pakwerk.ru www.perfectgirls.net www.perfectjewel.com www.peterstar.ru www.pgipearls.com www.phg.pl www.porsa.ru www.porta.de www.rafani.cz www.rastt.ru www.republika.pl www.republika.pl www.rollenspielzirkel.de www.rubikon.pl www.rumbgeo.ru www.rweb.ru www.scli.ru www.sdsauto.ru www.sensi.com www.silesianet.pl www.sjgreatdeals.com www.sposob.ru www.strefa.pl www.tanzen-in-sh.de www.taom-clan.de www.tayles.com www.teatr-estrada.ru www.teleline.ru www.thepositivesideofsports.com www.timelessimages.com www.tuhart.net www.vconsole.net www.vendex.ru www.virtmemb.com www.vivamedia.ru www.vrack.net www.wapf.com www.webpark.pl www.webronet.com www.webzdarma.cz www.yarcity.ru www.youbuynow.com www.zeiss.ru www.zelnet.ru www.zhp.gdynia.pl wynnsjammer.proboards18.com yaguark.h10.ru

The complete list of entries it removes from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
"9XHtProtect"
"Antivirus"
"EasyAV"
"FirewallSvr"
"HtProtect"
"ICQ Net"
"ICQNet"
"Jammer2nd"
"KasperskyAVEng"
"MsInfo"
"My AV"
"NetDy"
"Norton Antivirus AV"
"PandaAVEngine"
"SkynetsRevenge"
"Special Firewall Service"
"SysMonXP"
"Tiny AV"
"Zone Labs Client Ex"
"service"

The complete list of file types it looks into when searching for e-mail addresses:
.adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml

REMOVAL INSTRUCTIONS:
Please let Bitdefender handle the infected files.

ANALYZED BY: Alexandru Carp, Bitdefender Virus Researcher
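The symptom list, the mutex names and the P2P lure names given above can be turned into a mechanical triage check. The Python script below is an added example, not Bitdefender's tool and not part of the original analysis. It evaluates a constructed, inline host snapshot (dropped files, Run-key values, the Ru1n key, held mutexes, share-folder contents and listening ports) against the indicators transcribed from this page. The snapshot format and the names HostSnapshot, triage and verdict are assumptions made for the example; on a real host those fields would be filled from the file system, the registry and the object/handle tables. It keeps the page's port-80 caveat: a listener on port 80 is reported only as a weak signal, and only when the operator states that no HTTP server is expected.

```python
# Indicator triage for Win32.Bagle.AL@mm (added example, not Bitdefender's tool).
# Every snapshot below is constructed for the example; nothing here is real telemetry.
from dataclasses import dataclass, field

# Indicators transcribed from the description. %SYSTEM% is kept unexpanded so the
# check works on collected data; expand it on a live host before comparing.
DROPPED_FILES = (r"%SYSTEM%\WINdirect.exe", r"%SYSTEM%\windll.exe")
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RUN_VALUE_NAME = "win_upd.exe"
RUN_VALUE_DATA = r"%SYSTEM%\WINdirect.exe"
RU1N_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n"
MUTEXES = (
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D", "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_", "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003", "____--->>>>U<<<<--____", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
)
P2P_NAMES = (
    "Microsoft Office 2003 Crack, Working!.exe", "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe", "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr", "Serials.txt.exe", "KAV 5.0", "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe", "Windows Sourcecode update.doc.exe", "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe", "Opera 8 New!.exe", "XXX hardcore images.exe",
    "WinAmp 6 New!.exe", "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
)


@dataclass
class HostSnapshot:
    """Assumed collected state of one host (format invented for this example)."""
    files: set = field(default_factory=set)          # full paths present on disk
    run_values: dict = field(default_factory=dict)   # {Run key path: {value name: data}}
    reg_keys: set = field(default_factory=set)       # registry key paths present
    mutexes: set = field(default_factory=set)        # names of mutex objects currently held
    folders: dict = field(default_factory=dict)      # {folder path: [file names in it]}
    listening_ports: set = field(default_factory=set)
    http_server_expected: bool = True                # operator knowledge, see port-80 caveat


def _ci(s):
    """Windows paths, registry names and file names compare case-insensitively."""
    return s.casefold()


def triage(snap):
    """Return a list of (severity, message) findings, one per matched indicator."""
    findings = []
    present = {_ci(f) for f in snap.files}
    for path in DROPPED_FILES:
        if _ci(path) in present:
            findings.append(("strong", f"dropped file present: {path}"))

    wanted_keys = {_ci(k) for k in RUN_KEYS}
    for key, values in snap.run_values.items():
        if _ci(key) not in wanted_keys:
            continue
        for name, data in values.items():
            if _ci(name) == _ci(RUN_VALUE_NAME) and _ci(data) == _ci(RUN_VALUE_DATA):
                findings.append(("strong", f"autostart entry {key}\\{name} = {data}"))

    if _ci(RU1N_KEY) in {_ci(k) for k in snap.reg_keys}:
        findings.append(("strong", f"marker key present: {RU1N_KEY}"))

    # Mutex names are case-sensitive. They are shared with the Netsky family, so on
    # their own they say "Bagle or Netsky", which is still worth acting on.
    for name in MUTEXES:
        if name in snap.mutexes:
            findings.append(("strong", f"Bagle/Netsky-family mutex held: {name}"))

    lures = {_ci(n) for n in P2P_NAMES}
    for folder, names in snap.folders.items():
        if "shar" in _ci(folder):                    # the worm targets folders containing 'shar'
            for name in names:
                if _ci(name) in lures:
                    findings.append(("strong", f"P2P lure in {folder}: {name}"))

    # Port 80 is the default HTTP port; per the page it is only meaningful when the
    # operator is sure no HTTP server is installed, and even then only as a weak signal.
    if 80 in snap.listening_ports and not snap.http_server_expected:
        findings.append(("weak", "listener on TCP 80 with no HTTP server expected"))
    return findings


def verdict(findings):
    """Collapse findings into one label: any strong indicator means infected."""
    if any(sev == "strong" for sev, _ in findings):
        return "infected"
    return "suspicious" if findings else "clean"


# Constructed snapshots for the example (not real telemetry).
INFECTED_HOST = HostSnapshot(
    files={r"%SYSTEM%\WINdirect.exe", r"%SYSTEM%\windll.exe", r"%SYSTEM%\kernel32.dll"},
    run_values={RUN_KEYS[0]: {"win_upd.exe": r"%SYSTEM%\WINdirect.exe", "ctfmon.exe": r"%SYSTEM%\ctfmon.exe"}},
    reg_keys={RU1N_KEY}, mutexes={"[SkyNet.cz]SystemsMutex"},
    folders={r"C:\Program Files\KaZaA\My Shared Folder": ["Serials.txt.exe", "holiday.jpg"]},
    listening_ports={80, 135}, http_server_expected=False,
)
CLEAN_HOST = HostSnapshot(
    files={r"%SYSTEM%\kernel32.dll"}, run_values={RUN_KEYS[0]: {"ctfmon.exe": r"%SYSTEM%\ctfmon.exe"}},
    listening_ports={80}, http_server_expected=True,  # a real web server, so port 80 is expected
)
```

Calling triage(INFECTED_HOST) yields seven findings (two dropped files, the autostart value, the Ru1n key, one mutex, one P2P lure and the weak port-80 note) and verdict() reports "infected"; CLEAN_HOST yields no findings even though port 80 is open, because the operator has declared an HTTP server expected. Comparisons are case-insensitive for paths and registry names, as Windows treats them, but exact for mutex names.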