
Virus Detail

Win32.Bagle.AT

Date Published:
26 Jan 2005

Last Updated:
27 Jan 2005

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Low
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as: Win32/Bagle.19731!Worm, Email-Worm.Win32.Bagle.ax (Kaspersky), W32/Bagle.BB@mm (F-Secure), W32/Bagle.bj@MM (McAfee)

Immediate Protection Info

Signature     Product                                        Removal Instructions
23.68.12      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8894     eTrust Antivirus v7/8* (Vet Engine)
6.1x/6032     eTrust EZ Antivirus 6.1x
6.2x/8894     eTrust EZ Antivirus 6.2x
6.3x/8894     eTrust EZ Antivirus 6.3x
6.4x/8894     eTrust EZ Antivirus 6.4x
7.x/8894      eTrust EZ Antivirus 7.x
10.6x/8894    Vet Anti-Virus 10.6x

Description

Win32.Bagle.AT is a worm that spreads via e-mail and peer-to-peer file sharing. The worm itself is a PeX-packed executable that is approximately 17,000 bytes in length; however, it can also distribute itself in the form of a control panel applet.


Method of Infection

When executed, Win32.Bagle.AT copies itself to:


%System%\sysformat.exe


and modifies the registry to ensure that this copy is executed at each Windows start:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysformat = "%System%\sysformat.exe"


Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.


There may be four additional files created by the worm while it is in the process of generating mail attachments:


%System%\sysformat.exeopen
%System%\sysformat.exeopenopen
%System%\sysformat.exeopenopenopen
%System%\sysformat.exeopenopenopenopen



Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with a variable Subject and Message Body. The attachment also uses a variable name and extension. The From address is 'spoofed', chosen from e-mail addresses collected from the affected system.


E-mails sent by the worm have the following characteristics:


Possible Subjects


Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active


Possible Message Bodies:


Thanks for use of our software.


Before use read the help


The attachment name is chosen from the following list:


wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03


The extension can be one of the following:


.exe
.scr
.com
.cpl


The worm collects recipient addresses, and addresses to use as fake senders, by searching files on all local fixed drives. It searches any file with one of the following extensions:


.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml


It avoids using addresses containing any of the following strings:


@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@


It sends e-mail using its own SMTP engine. It finds the appropriate mail server for each recipient address by performing an MX lookup using the local system's default DNS server. If it cannot find the DNS server used by the local system, it tries to use the one at 217.5.97.137.
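The Subject lines and attachment name/extension combinations listed above can be turned directly into a mail-gateway check. The following Python is an added example, not code from the advisory or from CA; the sample message is constructed here for illustration.

```python
"""Flag e-mail that matches the Win32.Bagle.AT lures listed in the advisory."""
from email import message_from_string

# Transcribed from the advisory: subjects, attachment base names and extensions.
SUBJECTS = {
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
}
ATTACHMENT_NAMES = ["wsd01", "viupd02", "siupd02", "guupd02", "zupd02", "upd02", "Jol03"]
EXTENSIONS = [".exe", ".scr", ".com", ".cpl"]
# Every file name the worm can attach (name x extension), compared case-insensitively.
KNOWN_ATTACHMENTS = {(n + e).lower() for n in ATTACHMENT_NAMES for e in EXTENSIONS}


def bagle_at_indicators(raw_message: str) -> list:
    """Return the Bagle.AT traits found in an RFC 822 message; [] means none."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():  # walk() visits every MIME part, including nested ones
        name = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if name and name.lower() in KNOWN_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


# Constructed sample: a minimal multipart message shaped like the worm's mail.
SAMPLE_MESSAGE = """\
From: spoofed.sender@example.invalid
To: recipient@example.invalid
Subject: Registration is accepted
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bagle-sample"

--bagle-sample
Content-Type: text/plain

Thanks for use of our software.
--bagle-sample
Content-Type: application/octet-stream; name="guupd02.cpl"
Content-Disposition: attachment; filename="guupd02.cpl"
Content-Transfer-Encoding: base64

TVo=
--bagle-sample--
"""
```

`bagle_at_indicators(SAMPLE_MESSAGE)` reports both the subject and the `.cpl` attachment; a match on the attachment name alone is the more reliable signal, since the subject list is short and easily varied.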


Please see below for examples of e-mail generated by the worm:




Via P2P File Sharing

While searching for files with e-mail addresses, the worm also looks for any directories whose names contain the string "shar". It copies itself into each matching directory using the following file names:


Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe


This enables the worm to spread through peer-to-peer file sharing networks, such as Kazaa.



Payload

Backdoor Functionality (Port 81)

The worm opens a backdoor on TCP port 81, allowing remote access to the machine. This backdoor can be used for uploading and executing files, and updating the worm. It can also be commanded to change the port it listens on.


Deletes Registry Values

The worm removes the values 'My AV' and 'ICQ Net' from each of the following keys:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Downloads and Executes Arbitrary Files

Bagle.AT contains a list of 145 URLs. It attempts to download from each URL, save the results to %System%\re_file.exe, and execute it. At the time of writing, none of these URLs were available.


Terminates Processes

The worm terminates any process whose name contains any of the following strings:


APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVENGINE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
Avconsol.exe
Avsynmgr.exe
CFIAUDIT.EXE
DRWEBUPW.EXE
DefWatch.exe
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
MCUPDATE.EXE
NISUM.EXE
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
UPDATE.EXE
UpdaterUI.exe
VsStat.exe
VsTskMgr.exe
Vshwin32.exe
alogserv.exe
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
mcagent.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
pavProxy.exe
pavsrv50.exe
symlcsvc.exe


Stops/Disables Services

On Windows XP systems, Bagle.AT also attempts to stop and disable the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service (the "SharedAccess" service) and the Security Center service ("wscsvc", introduced with Windows XP Service Pack 2).
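The artifacts listed under Method of Infection and here under Payload can be checked together in one triage pass. The following Python is an added example, not the advisory's or CA's code; the snapshot dict layout (keys 'run', 'system_files', 'listening_tcp', 'services') and the sample values are assumptions constructed for illustration.

```python
"""Triage a host snapshot for the Win32.Bagle.AT artifacts described above."""
import re

# Indicators taken from the advisory; the snapshot layout below is an assumption
# of this example (build it with whatever collection tooling you use).
DROPPED_COPY = "sysformat.exe"                       # %System%\sysformat.exe
SCRATCH_FILE_RE = re.compile(r"^sysformat\.exe(open)+$", re.IGNORECASE)  # sysformat.exeopen...
BACKDOOR_PORT = 81                                   # default; the worm can be told to change it
TARGET_SERVICES = ("SharedAccess", "wscsvc")         # ICF/ICS and Security Center


def triage(snapshot: dict) -> list:
    """Return (severity, finding) tuples; an empty list means no artifact matched."""
    findings = []
    # Persistence: HKCU\...\Run\sysformat = "%System%\sysformat.exe" (HKLM checked too).
    for hive in ("HKCU", "HKLM"):
        for name, data in snapshot.get("run", {}).get(hive, {}).items():
            if name.lower() == "sysformat" or data.lower().endswith("\\" + DROPPED_COPY):
                findings.append(("high", f"{hive} Run value {name} = {data}"))
    # Dropped copy and the sysformat.exeopen... scratch files in %System%.
    for fname in snapshot.get("system_files", []):
        if fname.lower() == DROPPED_COPY:
            findings.append(("high", f"worm copy present: {fname}"))
        elif SCRATCH_FILE_RE.match(fname):
            findings.append(("medium", f"mailer scratch file: {fname}"))
    # Backdoor listener (only the default port is known).
    if BACKDOOR_PORT in snapshot.get("listening_tcp", []):
        findings.append(("medium", f"TCP port {BACKDOOR_PORT} listening"))
    # Services the worm stops/disables on Windows XP.
    for svc in TARGET_SERVICES:
        state = snapshot.get("services", {}).get(svc)
        if state and state.lower() != "running":
            findings.append(("low", f"service {svc} is {state}"))
    return findings


# Constructed snapshot of an infected XP host (illustrative values only).
SAMPLE_SNAPSHOT = {
    "run": {"HKCU": {"sysformat": r"C:\WINDOWS\System32\sysformat.exe"}, "HKLM": {}},
    "system_files": ["kernel32.dll", "sysformat.exe", "sysformat.exeopenopen"],
    "listening_tcp": [135, 445, 81],
    "services": {"SharedAccess": "Stopped", "wscsvc": "Running"},
}
```

The deleted 'My AV' and 'ICQ Net' Run values cannot be detected from a single snapshot; compare against a known-good baseline of the Run keys if you need that signal.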



For additional information:

The worm creates several mutexes:


  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

These are probably created to stop other viruses (such as Win32.Netsky) from running while Bagle is running. It also creates unnamed mutexes for its own thread synchronization purposes.


Analysis by Scott Molenkamp

