
Virus Detail

Win32.Bagle.AG

Date Published:
9 Aug 2004

Last Updated:
26 Oct 2004

Threat Assessment

Overall Risk: High
Wild: High
Destructiveness: Medium
Pervasiveness: High

Characteristics

Type : Worm

Category : Win32

Also known as: ZIP.Bagle.AG, JS.Bagle.AG, Win32/Bagle.AG.DLL.Worm, Win32/Bagle.AG.Downloader.Worm, JScript/Bagle.AG.Exploit.Worm, Win32/Bagle.AG.Price.ZIP.Worm, Win32/Bagle.AG.Worm, W32/Bagle.AJ@mm (F-Secure), I-Worm.Bagle.al (Kaspersky), W32/Bagle.aq@MM (McAfee), W32/Bagle.AQ-mm (Wildlist), W32.Beagle.AO@mm (Symantec), JScript/IE.VM.Exploit, Win32/WDirect.DLL.Worm, Win32/WDirect.Trojan

Immediate Protection Info

Signature     Product
23.66.09      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8509     eTrust Antivirus v7/8* (Vet Engine)
6.1x/5655     eTrust EZ Antivirus 6.1x
6.2x/8509     eTrust EZ Antivirus 6.2x
48.09         Inoculan/InoculateIT 4.x
10.5x/5655    Vet Anti-Virus 10.5x
10.6x/8509    Vet Anti-Virus 10.6x

Description

Win32.Bagle.AG is a worm that spreads via e-mail and file sharing networks. The worm has been distributed as a 19,460-byte, PEX-compressed Win32 executable.


Method of Infection

Bagle.AG consists of several components:


  • ZIP archive (variable filename, size: 5,932 bytes):
    Arrives as an attachment to the worm's e-mail. It contains price.html and price\price.exe.
  • price.html (size: 1,086 bytes):
    Originally contained with price\price.exe in the zip archive. It contains code to activate price.exe. This file may be detected as JS.Bagle.AG or JScript/IE.VM.Exploit by CA Antivirus solutions.
  • price.exe (size: 14,848 bytes):
    Executable dropper. It copies itself to the %System% directory as "WINdirect.exe", and drops the DLL component as "_DLL.EXE".  The following registry values are created to run WINdirect.exe when Windows starts:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe = "%System%\WINdirect.exe"
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe = "%System%\WINdirect.exe"
    It also creates a remote thread in the Explorer.exe process to execute the DLL component (_DLL.EXE). It then downloads the main worm executable from a list of 204 different URLs, all pointing to the file 2.JPG.  The file is downloaded to the %Windows% directory as "~.exe" and executed. This file may be detected as Win32.Bagle.AG or Win32/WDirect.Trojan by CA Antivirus solutions.
  • _DLL.exe (size: 11,776 bytes):
    This is injected into the Explorer.exe process so that the worm's activities will appear to originate from Explorer.exe. This file may be detected as Win32.Bagle.AG or Win32/WDirect.DLL.Worm by CA Antivirus solutions.
  • ~.exe (size: 19,640 bytes, PEX-compressed):
    The main worm executable. When executed, the worm copies itself to: %System%\windll.exe and modifies the registry to ensure that this copy is executed at each Windows start (note the misspelling of the key name):
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\erthgdr = "%System%\windll.exe"

Note: '%System%' and '%Windows%' are variable locations. The trojan determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.


There may be two more files created by the worm in the process of generating e-mail attachments:


%System%\windll.exeopen
%System%\windll.exeopenopen
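As an added illustration (not part of the original advisory), the following Python check flags the two persistence entries described above in a text registry export such as one produced by "reg export". The sample export is constructed; only the key names, value names and executable names come from the advisory, the drive paths and the benign ctfmon entry are made up.

```python
import re

# Constructed sample of a .reg export of the Run keys on an infected host.
# Key/value/executable names are those the advisory lists; paths are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr"="C:\\WINDOWS\\system32\\windll.exe"
"""

# (subkey name, value name, executable) persistence indicators from the advisory.
BAGLE_AG_PERSISTENCE = [
    ("Run", "win_upd2.exe", "windirect.exe"),   # written by the dropper price.exe
    ("Ru1n", "erthgdr", "windll.exe"),          # written by ~.exe; note misspelt key
]

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ line of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:   # .reg files escape each backslash as '\\'
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_bagle_ag_persistence(text):
    """Return [(key, value_name, data)] for entries matching the indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        subkey = key.rsplit("\\", 1)[-1].lower()
        for ind_key, ind_name, ind_exe in BAGLE_AG_PERSISTENCE:
            if (subkey == ind_key.lower() and name.lower() == ind_name
                    and data.lower().endswith("\\" + ind_exe)):
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for hit in find_bagle_ag_persistence(SAMPLE_REG_EXPORT):
        print("Bagle.AG persistence:", hit)
```

Matching on the subkey name rather than the full path keeps the check independent of the HKCU/HKLM hive, which is why the misspelt Ru1n key is listed as its own indicator.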



Method of Distribution

Via E-Mail

The worm e-mail has an empty Subject line (or rather, a single space), with the message body "new price" or " price".  The attachment is a zip file that contains two files, "price.html" and "price.exe".  The file "price.exe" resides in a subfolder "price" within the zip file.


The attachment name is chosen from the following list:


price
price2
price_new
price_08
08_price
newprice
new_price
new__price


[Screenshots of example e-mail generated by the worm are not reproduced here.]

Instead of sending the worm itself in the e-mail attachment, the attachment contains only the EXE dropper.  The dropper in turn downloads the worm from a list of 204 URLs to complete the infection cycle.
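As an added example (not part of the original advisory), this Python function checks a raw message for the e-mail characteristics described above: a blank or single-space Subject, a body of "new price" or " price", a zip attachment named from the list, and a zip containing price.html and price\price.exe. The sample message is constructed with placeholder bytes in place of the real files.

```python
import io
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Attachment base names the advisory lists for the worm's zip file.
BAGLE_AG_NAMES = {"price", "price2", "price_new", "price_08", "08_price",
                  "newprice", "new_price", "new__price"}

def build_sample_message():
    """Constructed sample with the worm's e-mail shape; the zip members are
    harmless placeholder bytes, not the real price.html / price.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("price.html", "<html><!-- placeholder --></html>")
        z.writestr("price/price.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"   # constructed address
    msg["To"] = "recipient@example.com"
    msg["Subject"] = " "                          # single-space subject
    msg.set_content("new price")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="price_new.zip")
    return msg.as_bytes()

def zip_has_bagle_layout(data):
    """True if the archive holds price.html plus price/price.exe."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {n.lower() for n in z.namelist()}
    except zipfile.BadZipFile:
        return False
    return {"price.html", "price/price.exe"} <= names

def bagle_ag_indicators(raw):
    """Return the advisory's e-mail indicators that a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == "":
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in ("new price", "price"):
        hits.append("price-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and name[:-4] in BAGLE_AG_NAMES:
            hits.append("attachment-name")
        if zip_has_bagle_layout(part.get_payload(decode=True) or b""):
            hits.append("zip-layout")
    return hits
```

The zip-layout check is the strongest of the four indicators, since subject and body text are trivially changed between variants while the dropper needs its archive structure to work.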


The From address is 'spoofed', chosen from e-mail addresses collected from the affected system.


It searches all fixed drives for e-mail addresses in files with the following extensions:


.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml


It avoids using addresses containing any of the following strings:


@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@


Via P2P File Sharing

While searching for addresses, the worm also looks for any directories whose names contain the string "shar". It copies itself into each matching directory using the following file names:


ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe


This enables the worm to spread through peer-to-peer file sharing networks, such as Kazaa.



Payload

Backdoor Functionality 

The worm opens a backdoor on port 80, allowing remote access to the machine. This backdoor can be used for uploading and executing files, and updating the worm. It can also be commanded to change the port it listens on.


Deletes Registry Values

The worm removes the following registry values from these keys in an attempt to bypass several antivirus and other security-related applications (note the misspelling of the key name):


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n


My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net


Downloads and Executes Arbitrary Files

Bagle.AG attempts to download a file from a few specific URLs, save the result to %System%\re_file.exe, and execute it.  This feature has not been confirmed in our laboratory testing.


Terminates Processes

The following security related processes are terminated by the dropper:


ATUPDATER.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
no1t1epad.exe
NUPGRADE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sysxp.exe
sys_xp.exe
t1es1t.exe
UPDATE.EXE
winxp.exe


The worm runs a separate thread to look for and delete the following processes:


no1t1epad.exe
t1es1t.exe



For additional information:

The worm creates several mutexes to ensure that only one copy of the worm is running on an affected system at any time:


  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • 'D'r'o'p'p'e'd'S'k'y'N'e't'
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • ____--->>>>U<<<<--____
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

If the worm is run on August 10th 2004 or later, it removes itself from the registry and terminates. The worm files will be left behind, but it will no longer run automatically.


Analysis by Sha-Li Hsieh

