Virus Detail

Description

Back to top

Method of Infection

When executed, Win32.Bagle.AE copies itself to

%System%\winxp.exe

and modifies the registry to ensure that this copy is executed at each Windows start:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\key = "%System%\winxp.exe"

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

There may be four more files created by the worm in the process of generating mail attachments:

%System%\winxp.exeopen
%System%\winxp.exeopenopen
%System%\winxp.exeopenopenopen
%System%\winxp.exeopenopenopenopen

Back to top

Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with a variable Subject and Message Body. The attachment also uses a variable name and extension. The From address is 'spoofed', chosen from e-mail collected from the affected system.

It searches for e-mail addresses in files with the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

It avoids using addresses containing any of the following strings:

@microsoft
rating@
f-secur
news
update                       
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples  
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

When searching for e-mail addresses, it also searches for files with the extension ".exe". It picks an .exe file at random and copies its icon to its own file when it next spreads.

E-mail sent by the worm have the following characteristics:

Subject:

Re:

Possible Message Bodies:

>foto3 and MP3
>fotogalary and Music
>fotoinfo
>Lovely animals
>Animals
>Predators
>The snake
>Screen and Music

The attachment may be contained within a password protected ZIP archive. If so, the message body will contain one of the following lines, in addition to or instead of, one of those listed above:

 :)<password>
Password: <password>
Pass - <password>
Key - <password>

Where <password> is the password for the ZIP attachment. The password itself is always a number, 5 digits long (for example "40300"). It is displayed as an image file, which may be in BMP, GIF or JPEG format.

The attachment name is chosen from the following list:

MP3
Music_MP3
New_MP3_Player
Cool_MP3
Doll
Garry
Cat
Dog
Fish

The extension can be one of the following:

.exe
.scr
.com
.zip
.cpl

In the case of a ZIP archive, the file inside has a randomly generated name, 5 to 9 characters long, consisting of lower case letters and an ".EXE" extension.

The zip file may also include an additional clean file, between 1000 and 4,999 bytes in size, containing random data, with a random name and one of the following extensions:

.ini
.cfg
.txt
.vxd
.def
.dll
.doc

These are some example attachment names:

• Cool_MP3.zip containing aeyhali.exe and jrydqiwco.dll
• Garry.cpl
• Doll.exe

Users of the Windows XP operating system will see a dialog, similar to the following when double-clicking on the .zip attachment:

Please see below for examples of e-mail generated by the worm:

Via P2P File Sharing

While scanning for addresses, the worm also looks for any directories whose names contain the string "shar". It copies itself into each matching directory using the following file names:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
KAV 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

This enables the worm to spread through peer-to-peer file sharing networks, such as Kazaa.

Back to top

Payload

Backdoor Functionality 

The worm opens a backdoor on port 1080, allowing remote access to the machine. This backdoor can be used for uploading and executing files, and updating the worm. It can also be commanded to change the port it listens on.

Deletes Registry Values

The worm removes the following registry values from these keys in an attempt to bypass several antivirus and other security-related applications:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

Terminates Processes

The worm terminates the following processes (associated with several antivirus and other security-related applications):

Downloads and Executes Arbitrary Files

Back to top

For additional information:

The worm creates several mutexes to ensure that only one copy of the worm is running on an affected system at any time:

    * MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    * 'D'r'o'p'p'e'd'S'k'y'N'e't'
    * _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    * [SkyNet.cz]SystemsMutex
    * AdmSkynetJklS003
    * ____--->>>>U<<<<--____
    * _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

If the worm is run on 05 May 2006 or later, it removes itself from the registry and terminates. The worm files will be left behind, but it will no longer run automatically.

Analysis by Hamish O'Dea

Back to top