Type: Worm
Category: Win32
Also known as:
Bagle.AQ@mm (Norman), W32/Bagle.AP@mm (F-Secure), I-Worm.Bagle.at (Kaspersky), WORM_BAGLE.AT (Trend), W32/Bagle.bb@MM (McAfee), W32/Bagle-AU (Sophos), W32.Beagle.AV@mm (Symantec)
Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 23.67.13 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/8692 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.1x/5839 | eTrust EZ Antivirus 6.1x | |
| 6.2x/8692 | eTrust EZ Antivirus 6.2x | |
| 49.13 | Inoculan/InoculateIT 4.x | |
| 10.5x/5839 | Vet Anti-Virus 10.5x | |
| 10.6x/8692 | Vet Anti-Virus 10.6x | |
Description
Win32.Bagle.AQ is a worm that spreads via e-mail and peer-to-peer file sharing. The worm itself is a PeX-packed executable that is approximately 17,000 bytes in length; however, it can also distribute itself in the form of a control panel applet.
Method of Infection
When executed, Win32.Bagle.AQ copies itself to
%System%\wingo.exe
and modifies the registry to ensure that this copy is executed at each Windows start:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wingo = "%System%\wingo.exe"
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.
The worm may also create up to four additional files while it is generating mail attachments:
%System%\wingo.exeopen
%System%\wingo.exeopenopen
%System%\wingo.exeopenopenopen
%System%\wingo.exeopenopenopenopen
Method of Distribution
Via E-mail
The worm arrives attached to an e-mail with a variable Subject and Message Body. The attachment also uses a variable name and extension. The From address is 'spoofed', chosen from e-mail addresses collected from the affected system.
E-mails sent by the worm have the following characteristics:
Possible Subjects:
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
Possible Message Bodies:
:)
:))
The attachment name is chosen from the following list:
Price
price
Joke
The extension can be one of the following:
.exe
.scr
.com
.cpl
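As an added example (not part of the original CA write-up), the following Python function turns the subject, body and attachment characteristics listed above into a mail-gateway detection rule. The message model and the sample messages are constructed for illustration; the two-trait requirement is an assumed tuning choice.

```python
from dataclasses import dataclass, field

# Indicators taken from the e-mail characteristics listed above.
SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {":)", ":))"}
ATTACH_NAMES = {"Price", "price", "Joke"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".cpl"}

@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names

def split_name(filename):
    """Split 'Joke.cpl' into ('Joke', '.cpl'); a file with no extension yields ''."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename, ""
    return base, "." + ext.lower()

def bagle_aq_traits(msg):
    """Return the worm traits the message exhibits: subject, body, attachment."""
    traits = []
    if msg.subject.strip() in SUBJECTS:
        traits.append("subject")
    if msg.body.strip() in BODIES:
        traits.append("body")
    for name in msg.attachments:
        base, ext = split_name(name)
        if base in ATTACH_NAMES and ext in ATTACH_EXTS:
            traits.append("attachment:" + name)
            break
    return traits

def is_bagle_aq(msg):
    """Quarantine rule: the worm's attachment pattern plus at least one of subject/body.
    Requiring two traits keeps a lone 'Re: Hi' or a lone 'Joke.exe' from being flagged."""
    traits = bagle_aq_traits(msg)
    has_attachment = any(t.startswith("attachment:") for t in traits)
    return has_attachment and len(traits) >= 2

# Constructed sample messages (not real captures).
SAMPLES = [
    Message("Re: Thanks :)", ":)", ["price.cpl"]),                 # worm-generated shape
    Message("Re: Hi", "Invoice attached, thanks.", ["Price.exe"]),  # attachment + subject
    Message("Re: Hi", ":))", ["report.pdf"]),                       # no worm attachment
]
```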
The worm collects recipient addresses, and addresses to use as fake senders, by searching files on all local fixed drives. It searches any file with one of the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
It avoids using addresses containing any of the following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
It sends e-mail using its own SMTP engine, finding the mail server for each recipient address by performing an MX lookup through the local system's default DNS server. If it cannot determine the DNS server used by the local system, it tries to use the one at 217.5.97.137.
Please see below for an example of e-mail generated by the worm:

Via P2P File Sharing
While searching for files with e-mail addresses, the worm also looks for any directories whose names contain the string "shar". It copies itself into each matching directory using the following file names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
KAV 5.0
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
This enables the worm to spread through peer-to-peer file sharing networks, such as Kazaa.
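The SMTP behaviour described under "Via E-mail" above (direct MX delivery from the infected host, with a hard-coded fallback DNS server) is visible in perimeter logs. As an added example (not from the original analysis), this Python script flags internal hosts that contact that DNS server or that deliver mail directly to many external MX hosts. The log format, the internal address range and the fan-out threshold are assumptions; the records are constructed.

```python
import re
from collections import defaultdict

BAGLE_FALLBACK_DNS = "217.5.97.137"   # hard-coded fallback DNS server named above
SMTP_FANOUT_THRESHOLD = 5             # assumed tuning value: distinct external SMTP peers
INTERNAL_PREFIX = "10."               # assumption: internal hosts live in 10.0.0.0/8

# Constructed log format: one key=value record per connection.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)")

def parse(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    return None if m is None else {**m.groupdict(), "dport": int(m["dport"])}

def analyse(lines, mail_relays=frozenset()):
    """Return {host: sorted reasons}. Hosts in mail_relays are legitimate SMTP senders."""
    smtp_peers = defaultdict(set)   # internal host -> external MX hosts it contacted
    findings = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        src, dst = rec["src"], rec["dst"]
        internal_src = src.startswith(INTERNAL_PREFIX)
        if rec["proto"] == "udp" and rec["dport"] == 53 and dst == BAGLE_FALLBACK_DNS:
            findings[src].add("dns-to-bagle-fallback-server")
        if (rec["proto"] == "tcp" and rec["dport"] == 25 and internal_src
                and not dst.startswith(INTERNAL_PREFIX) and src not in mail_relays):
            smtp_peers[src].add(dst)   # workstation delivering straight to MX hosts
    for host, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            findings[host].add("smtp-fanout")
    return {host: sorted(reasons) for host, reasons in findings.items()}

# Constructed sample records (not a real capture): 10.0.0.5 behaves like an infected
# workstation, 10.0.0.10 is the site's mail relay, 10.0.0.2 sends one ordinary mail.
SAMPLE_LOG = [
    "src=10.0.0.5 dst=217.5.97.137 proto=udp dport=53",
    *[f"src=10.0.0.5 dst=198.51.100.{i} proto=tcp dport=25" for i in range(1, 7)],
    *[f"src=10.0.0.10 dst=198.51.100.{i} proto=tcp dport=25" for i in range(1, 7)],
    "src=10.0.0.2 dst=198.51.100.1 proto=tcp dport=25",
    "this line is noise and is skipped",
]
```

The relay allow-list matters: without it the legitimate mail relay is flagged for the same fan-out as the infected workstation.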
Payload
Backdoor Functionality
The worm opens a backdoor on TCP port 81, allowing remote access to the machine. This backdoor can be used for uploading and executing files, and updating the worm. It can also be commanded to change the port it listens on.
Deletes Registry Values
The worm removes the following registry values from each of these keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
Downloads and Executes Arbitrary Files
Bagle.AQ contains a list of 146 URLs. It attempts to download from each URL, save the results to %System%\re_file.exe, and execute it. At the time of writing, none of these URLs were available.
Terminates Processes
The worm terminates any process whose name contains any of the following strings:
APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVENGINE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
Avconsol.exe
Avsynmgr.exe
CFIAUDIT.EXE
DRWEBUPW.EXE
DefWatch.exe
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
MCUPDATE.EXE
NISUM.EXE
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
UPDATE.EXE
UpdaterUI.exe
VsStat.exe
VsTskMgr.exe
Vshwin32.exe
alogserv.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
mcagent.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
pavProxy.exe
pavsrv50.exe
symlcsvc.exe
Stops/Disables Services
On Windows XP systems, Bagle.AQ also attempts to stop and disable the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service ("SharedAccess") and the Security Center service ("wscsvc", introduced with Windows XP Service Pack 2).
For additional information:
The worm creates several mutexes:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
These are probably created to stop other viruses (such as Win32.Netsky) from running while Bagle is running. It also creates unnamed mutexes for its own thread synchronization purposes.
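As an added example (not from the original analysis), the following Python function evaluates a host snapshot against the host-based indicators given in this write-up: the wingo Run value, the wingo.exe and wingo.exeopen... files, a wingo.exe process, the TCP port 81 listener, and the named mutexes. Collecting the snapshot with the usual administration tools is out of scope; the snapshot layout and both sample hosts are constructed.

```python
import re

# Indicators from the write-up above.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "wingo"
# wingo.exe plus the wingo.exeopen, wingo.exeopenopen, ... work files
DROPPED_FILE_RE = re.compile(r"\\wingo\.exe(open)*$", re.IGNORECASE)
BACKDOOR_PORT = 81
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}

def check_host(snap):
    """Evaluate a host snapshot against the indicators; returns sorted findings.
    Snapshot keys (all optional, constructed layout): run_values {key: {name: data}},
    files [paths], processes [image names], listeners [TCP ports], mutexes [names]."""
    findings = []
    data = snap.get("run_values", {}).get(RUN_KEY, {}).get(RUN_VALUE)
    if data is not None and data.lower().endswith("\\wingo.exe"):
        findings.append(f"run-value:{RUN_VALUE}={data}")
    findings += [f"file:{p}" for p in snap.get("files", []) if DROPPED_FILE_RE.search(p)]
    findings += [f"process:{p}" for p in snap.get("processes", []) if p.lower() == "wingo.exe"]
    if BACKDOOR_PORT in snap.get("listeners", []):
        findings.append(f"listener:tcp/{BACKDOOR_PORT}")
    findings += [f"mutex:{m}" for m in snap.get("mutexes", []) if m in MUTEXES]
    return sorted(findings)

# Constructed snapshots (not real hosts).
INFECTED = {
    "run_values": {RUN_KEY: {RUN_VALUE: r"C:\WINDOWS\System32\wingo.exe"}},
    "files": [r"C:\WINDOWS\System32\wingo.exe", r"C:\WINDOWS\System32\wingo.exeopenopen",
              r"C:\WINDOWS\System32\notepad.exe"],
    "processes": ["explorer.exe", "wingo.exe"],
    "listeners": [135, 445, 81],
    "mutexes": ["[SkyNet.cz]SystemsMutex", "SomeUnrelatedMutex"],
}
CLEAN = {
    "run_values": {RUN_KEY: {"ExampleApp": r"C:\Program Files\ExampleApp\app.exe"}},
    "files": [r"C:\WINDOWS\System32\notepad.exe"],
    "processes": ["explorer.exe"], "listeners": [135, 445], "mutexes": [],
}
```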
Analysis by Hamish O'Dea and Scott Molenkamp