Win32.Bagle.{C-E}@mm (Win32.Beagle)
SYMPTOMS:

- The registry keys:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gouday.exe with value "C:\Windows\System\readme.exe"
  HKCU\Software\DateTime2\frun with value "1"
  HKCU\Software\DateTime2\port with value "2745"
  HKCU\Software\DateTime2\uid with a random value
- Listening on port 2745.
- Presence of the following files:
  C:\Windows\System\doc.exe, 1536 bytes
  C:\Windows\System\readme.exe, 15872 bytes
  C:\Windows\System\onde.exe, 18944 bytes
  C:\Windows\System\readme.exeopen, 15994 bytes

TECHNICAL DESCRIPTION:

The mass-mailer is 15944 bytes in length and comes as an attachment in zip form, using the "store" (no compression) method. It arrives in an email in the following format:

From: [forged email address]
Subject: [one of the following]
  Price
  New Price-list
  Hardware devices price-list
  Weekly activity report
  Daily activity report
  Maria
  Jenny
  Jessica
  Registration confirmation
  USA government abolishes the capital punishment
  Freedom for everyone
  Flayers among us
  From Hair-cutter
  Melissa
  Camila
  Price-list
  Pricelist
  Price list
  Hello my friend
  Well...
  Greet the day
  The account
  Looking for the report
  You really love me? he he
  You are dismissed
  Accounts department
  From me
  Monthly incomings summary
  The summary
  Proclivity to servitude
  Ahtung!
  The employee
Body: [empty]
Attachment: [random bytes].exe within a zip file.

Upon execution, it drops four files into the "C:\Windows\System" directory, with the following purposes:

- readme.exe is the virus unzipped. A key is inserted in the registry so that the file is executed at every operating system restart.
- doc.exe is a file whose purpose is to execute onde.exe. It is injected into the explorer.exe address space.
- onde.exe is the main component of the virus. It handles all the mass-mailing.
- readme.exeopen is the zipped version of the virus: the archive already contains the file under a random name, ready to be mass-mailed as an attachment.

When first run, it starts notepad.exe.
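As an added illustration (not part of the original description), the following Python check applies the mail traits listed above at a gateway: a subject from the lure list, an empty body, and a zip attachment holding a single .exe stored with the "store" method. The subject set is a subset of the list above, and the sample message it builds is constructed, with inert filler bytes in place of the executable.

```python
import io
import zipfile
from email.message import EmailMessage

# Subset of the lure subjects listed above (not the full list).
BAGLE_SUBJECTS = {
    "Price", "New Price-list", "Hardware devices price-list",
    "Weekly activity report", "Daily activity report", "Hello my friend",
    "The account", "Accounts department", "Monthly incomings summary",
    "You really love me? he he", "Ahtung!", "Proclivity to servitude",
}

def bagle_indicators(msg: EmailMessage) -> list[str]:
    """Return the Bagle.C mail traits present in msg: a known lure subject,
    an empty body, and a zip attachment holding one stored (method 0) .exe."""
    hits = []
    if (msg.get("Subject") or "").strip() in BAGLE_SUBJECTS:
        hits.append("known-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue  # not a readable archive; other rules would handle this
        infos = zf.infolist()
        if (len(infos) == 1 and infos[0].filename.lower().endswith(".exe")
                and infos[0].compress_type == zipfile.ZIP_STORED):
            hits.append("stored-exe-in-zip")
    return hits

def build_sample(subject: str, body: str, inner_name: str, stored: bool) -> EmailMessage:
    """Constructed sample message (not a real capture); the 'executable'
    inside the zip is inert filler bytes, never a real binary."""
    buf = io.BytesIO()
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(inner_name, b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "forged@example.com"  # forged sender address, as described above
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="a8f3k2.zip")
    return msg
```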
Then it checks the date: if the date is after 14 March 2004, the worm exits. The worm creates the registry keys described in the "Symptoms" section and starts a backdoor that listens for commands on port 2745.

The worm creates a mutex named "imain_mutex" and a series of threads performing various functions:

- every 100 milliseconds, kill all processes with one of the following names:
  ATUPDATER.EXE AVWUPD32.EXE AVPUPD.EXE LUALL.EXE DRWEBUPW.EXE
  ICSSUPPNT.EXE ICSUPP95.EXE UPDATE.EXE NUPGRADE.EXE ATUPDATER.EXE
  AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVXQUAR.EXE
  CFIAUDIT.EXE MCUPDATE.EXE NUPGRADE.EXE OUTPOST.EXE AVLTMAIN.EXE
- every 2000 milliseconds, check whether the computer is connected to the internet.
- every 3 hours and ten minutes, connect to the following addresses under the name "i_am_ideal":
  http://permail.uni-muenster.de
  http://www.songtext.net/de
  http://www.sportscheck.de

The worm searches the host computer for files with the following extensions, extracting email addresses from them:
.wab .txt .htm .html .dbx .mdx .eml .nch .mmf .ods .cfg .asp .php .adb .sht

The worm does not send itself to addresses containing the following strings:
@hotmail.com @msn.com @microsoft @avp. noreply local root@ postmaster@

Update: it seems there is a new strain of Bagle in the wild. The virus is detected by BitDefender as Win32.Bagle.D@mm and is similar to the Bagle.C@mm variant. There are only minor differences:

- the mutex is now called "iain_m2".
- the user used to connect to the sites mentioned is now "al".
- the key "DateTime2" is now called "DateTime3". The location is unchanged.

Update #2: we received yet another strain of Bagle. BitDefender now detects it as Win32.Bagle.E@mm.
It seems there are more differences compared to Bagle.C@mm:

- the messages that the virus sends now have attachments, one of the following:
  Subj
  Request
  Empty
  Response
  Everything inside the attach
  Look it through
- the names of the dropped files have changed:
  doc.exe is now called ii455nj4.exe
  readme.exe is now called i1ru74n4.exe
  readme.exeopen is now called i1ru74n4.exeopen
  onde.exe is now called godo.exe
  Note that the size of the file "i1ru74n4.exe" now varies: the virus adds random bytes as an overlay to the file.
- the mutex name is the same as that of the C@mm variant: "imain_mutex".
- the user used to connect to the same pages is now named "oclivity".
- the registry keys have changed:
  HKCU\Software\DateTime4, with the only value "frun = 1".
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with the value "rate.exe = C:\Windows\System\i1ru74n4.exe".
- the date at which the virus de-activates has changed from 14 March 2004 to 25 March 2004.
- the attachment inside the ZIP archive changed packer, from UPX to PEX.

Removal instructions:

Automatic disinfection: let BitDefender delete the infected files.

Manual disinfection:
- Delete the value "gouday.exe = C:\Windows\System\readme.exe" under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".
- Delete the values "frun=1", "port=2745", "uid=[random value]" under "HKEY_CURRENT_USER\Software\DateTime2".
- After a restart, delete the files "readme.exe", "readme.exeopen", "doc.exe", "onde.exe" from "C:\Windows\System".

ANALYZED BY: Daniel Ionita, Virus Researcher
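An added host-triage example, not BitDefender's own tooling: it matches a constructed snapshot of registry values, dropped files, listening port and mutex names against the C, D and E indicators given above, and derives a removal plan from the manual disinfection steps for C by substituting each variant's data key, Run value and dropped file names. The HostSnapshot structure and the collection behind it are assumptions.

```python
from dataclasses import dataclass, field

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_DIR = r"C:\Windows\System"
C_FILES = ["readme.exe", "readme.exeopen", "doc.exe", "onde.exe"]

VARIANTS = {  # per-variant indicators, taken from the description above
    "C": {"data_key": r"HKCU\Software\DateTime2", "run_value": "gouday.exe",
          "main_exe": "readme.exe", "mutex": "imain_mutex", "files": C_FILES},
    "D": {"data_key": r"HKCU\Software\DateTime3", "run_value": "gouday.exe",
          "main_exe": "readme.exe", "mutex": "iain_m2", "files": C_FILES},
    "E": {"data_key": r"HKCU\Software\DateTime4", "run_value": "rate.exe",
          "main_exe": "i1ru74n4.exe", "mutex": "imain_mutex",
          "files": ["i1ru74n4.exe", "i1ru74n4.exeopen", "ii455nj4.exe", "godo.exe"]},
}

@dataclass
class HostSnapshot:  # assumed shape; filled in by whatever collection tooling you use
    registry: dict[str, dict[str, str]] = field(default_factory=dict)  # key -> {value: data}
    system_files: set[str] = field(default_factory=set)                 # names in SYSTEM_DIR
    listening_ports: set[int] = field(default_factory=set)
    mutexes: set[str] = field(default_factory=set)

def triage(snap: HostSnapshot) -> dict[str, list[str]]:
    """Return {variant: [matched indicators]} for each variant with a registry
    or file hit; port 2745 and the mutex are recorded only as corroboration."""
    files = {f.lower() for f in snap.system_files}
    result = {}
    for name, v in VARIANTS.items():
        run_data = snap.registry.get(RUN_KEY, {}).get(v["run_value"], "")
        hits = []
        if run_data.lower() == f"{SYSTEM_DIR}\\{v['main_exe']}".lower():
            hits.append(f"run:{v['run_value']}")
        if snap.registry.get(v["data_key"], {}).get("frun") == "1":
            hits.append(f"key:{v['data_key']}")
        hits += [f"file:{f}" for f in v["files"] if f in files]
        if hits:
            if 2745 in snap.listening_ports: hits.append("port:2745")
            if v["mutex"] in snap.mutexes: hits.append(f"mutex:{v['mutex']}")
            result[name] = hits
    return result

def removal_plan(variant: str) -> list[str]:
    """The manual disinfection steps given above for C, generalised to D and E
    by substituting that variant's data key, Run value and dropped file names."""
    v = VARIANTS[variant]
    return ([f"delete value {v['run_value']} under {RUN_KEY}",
             f"delete key {v['data_key']}", "restart"]
            + [f"delete {SYSTEM_DIR}\\{f}" for f in v["files"]])
```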