Win32.Bagle.AU@mm (Win32.Beagle.AR@mm at Symantec)
SYMPTOMS:

The presence of the following registry keys:
  HKCU\SOFTWARE\bawindo
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bawindo, with value %system%\bawindo.exe

The presence of the following files:
  %system%\re_file.exe
  %system%\bawindo.exe
  %system%\bawindo.exeopen
  %system%\bawindo.exeopenopen

Additionally, depending on the form the virus took in the e-mail:
  %windows%\cjector.exe

TECHNICAL DESCRIPTION:

The virus is packed with PeX. It may arrive as a two-part package (a small dropper that writes the main viral body to disk and executes it) or as the viral body alone.

At execution, it creates the following mutexes:
  MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  'D'r'o'p'p'e'd'S'k'y'N'e't'
  _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  [SkyNet.cz]SystemsMutex
  AdmSkynetJklS003
  ____--->>>>U<<<<--____
  _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

It then attempts to delete the following values from the registry location [HKCU|HKLM]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (these are the start-up entries of common security products):
  My AV
  Zone Labs Client Ex
  9XHtProtect
  Antivirus
  Special Firewall Service
  service
  Tiny AV
  ICQNet
  HtProtect
  NetDy
  Jammer2nd
  FirewallSvr
  MsInfo
  SysMonXP
  EasyAV
  PandaAVEngine
  Norton Antivirus AV
  KasperskyAVEng
  SkynetsRevenge
  ICQ Net

Every 100 milliseconds it searches for, and kills if present, the following processes (mostly antivirus and firewall components and their updaters):
  mcagent.exe, mcvsshld.exe, mcshield.exe, mcvsescn.exe, mcvsrte.exe, DefWatch.exe,
  Rtvscan.exe, ccEvtMgr.exe, NISUM.EXE, ccPxySvc.exe, navapsvc.exe, NPROTECT.EXE,
  nopdb.exe, ccApp.exe, Avsynmgr.exe, VsStat.exe, Vshwin32.exe, alogserv.exe,
  RuLaunch.exe, Avconsol.exe, PavFires.exe, FIREWALL.EXE, ATUPDATER.EXE, LUALL.EXE,
  DRWEBUPW.EXE, AUTODOWN.EXE, NUPGRADE.EXE, OUTPOST.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE,
  ESCANH95.EXE, AVXQUAR.EXE, ESCANHNT.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTOTRACE.EXE,
  AUTOUPDATE.EXE, AVXQUAR.EXE, AVWUPD32.EXE, AVPUPD.EXE, CFIAUDIT.EXE, UPDATE.EXE,
  NUPGRADE.EXE, MCUPDATE.EXE, pavsrv50.exe, AVENGINE.EXE, APVXDWIN.EXE, pavProxy.exe,
  navapw32.exe, navapsvc.exe, ccProxy.exe, navapsvc.exe, NPROTECT.EXE, SAVScan.exe,
  SNDSrvc.exe, symlcsvc.exe, LUCOMS~1.EXE, blackd.exe, FrameworkService.exe,
  VsTskMgr.exe, SHSTAT.EXE, UpdaterUI.exe

The virus harvests e-mail addresses from files with the following extensions:
  .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

The e-mail format the virus uses is the following:
  From:
  Subject:    one of: Re: Hello / Re: Thank you! / Re: Thanks :) / Re: Hi
  Body:       one of: :) / :))
  Attachment: one of: Price / price / Joke, with the extension .exe, .com, .scr or .cpl

The infected e-mail will not be sent to addresses that contain any of the following strings:
  @hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@,
  feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support,
  ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab,
  winzip, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@,
  postmaster@

The virus creates copies of itself in all directories whose name contains the string "shar" (typically file-sharing folders), under the following names:
  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Microsoft Office XP working Crack, Keygen.exe
  Porno, sex, oral, anal cool, awesome!!.exe
  Porno Screensaver.scr
  Serials.txt.exe
  KAV 5.0
  Kaspersky Antivirus 5.0
  Porno pics arhive, xxx.exe
  Windows Sourcecode update.doc.exe
  Ahead Nero 7.exe
  Windown Longhorn Beta Leak.exe
  Opera 8 New!.exe
  XXX hardcore images.exe
  WinAmp 6 New!.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  Adobe Photoshop 9 full.exe
  Matrix 3 Revolution English Subtitles.exe
  ACDSee 9.exe

The virus, as usual, creates a backdoor, this time on TCP port 81.
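As an added example (not part of the BitDefender description), a small Python helper that matches collected host data and mail headers against the indicators above. The inventory dictionary layout and the function names are assumptions; the lure check generalises the dropped file names to the double-extension pattern several of them share (.txt.exe, .doc.exe) rather than listing all nineteen names.

```python
import re

# Indicators transcribed from the description above.
DROPPED_NAMES = {"re_file.exe", "bawindo.exe", "bawindo.exeopen",
                 "bawindo.exeopenopen", "cjector.exe"}
MUTEXES = {"MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
           "'D'r'o'p'p'e'd'S'k'y'N'e't'",
           "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
           "[SkyNet.cz]SystemsMutex", "AdmSkynetJklS003",
           "____--->>>>U<<<<--____", "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"}
SUBJECTS = {"Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {":)", ":))"}
ATTACHMENT_RE = re.compile(r"^(?:Price|price|Joke)\.(?:exe|com|scr|cpl)$")
# Lure copies hide a harmless-looking inner extension, e.g. Serials.txt.exe
LURE_RE = re.compile(r"\.(?:txt|doc)\.exe$", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_host(inventory):
    """Return the indicators matched on one host.

    `inventory` is an assumed collector format (not from the page):
    {"run": {value_name: data}, "files": [...], "mutexes": [...], "shares": [...]}
    """
    hits = []
    for name, data in inventory.get("run", {}).items():
        if name.lower() == "bawindo" and basename(data).lower() == "bawindo.exe":
            hits.append("run:" + name)
    for path in inventory.get("files", []):
        if basename(path).lower() in DROPPED_NAMES:
            hits.append("file:" + path)
    for mutex in inventory.get("mutexes", []):
        if mutex in MUTEXES:
            hits.append("mutex:" + mutex)
    for path in inventory.get("shares", []):
        if "shar" in path.lower() and LURE_RE.search(basename(path)):
            hits.append("lure:" + path)
    return hits


def is_bagle_mail(subject, body, attachment):
    """True when a message matches the described e-mail format exactly."""
    return (subject in SUBJECTS and body.strip() in BODIES
            and ATTACHMENT_RE.match(attachment) is not None)
```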
It will attempt to download a file from a hard-coded list of websites.
The virus will become inactive after 25.04.2006.

Removal instructions:
Let BitDefender delete all files it finds infected.

ANALYZED BY: Daniel Ionita, Virus Researcher