
Virus Detail

Win32/Bagle.DR

Date Published:
2 Feb 2006

Last Updated:
26 Apr 2006

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  High
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as:  W32/Bagle!ITW#82 (WildList), WORM_BAGLE.CL (Trend), Win32.Bagle.DR, Win32/Bagle.DR!Worm, Win32.Bagle.DR!ZIP, Win32/Bagle.DR!ZIP, W32/Bagle.DW@mm (F-Secure), Troj/BagleDl-BZ (Sophos), Win32/Baglelike, Email-Worm.Win32.Bagle.fj (Kaspersky)

Immediate Protection Info

 
Signature      Product
12.x/2064      eTrust Antivirus v7/8*
23.71.67       eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/9641      eTrust Antivirus v7/8* (Vet Engine)
6.2x/9641      eTrust EZ Antivirus 6.2x
6.3x/9641      eTrust EZ Antivirus 6.3x
6.4x/9641      eTrust EZ Antivirus 6.4x
7.x/9641       eTrust EZ Antivirus 7.x
10.6x/9641     Vet Anti-Virus 10.6x
 
 
 

Description

Win32.Bagle.DR is a worm that spreads via e-mail and peer-to-peer file sharing. The worm itself is an executable approximately 19,000 bytes in length; in e-mail it is distributed inside a ZIP archive.


Method of Infection

When executed, Win32.Bagle.DR copies itself to:


%System%\sysformat.exe


and modifies the registry to ensure that this copy is executed at each Windows start:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysformat = "%System%\sysformat.exe"


Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.


There may be three additional files created by the worm while it is in the process of generating mail attachments:


  • %System%\sysformat.exeopen
  • %System%\sysformat.exeopenopen
  • %System%\sysformat.exeopenopenopenopen

When the worm is first run, it executes "notepad.exe".


Windows notepad, as displayed by Win32/Bagle.DR upon execution.
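The persistence indicator above (a Run value named sysformat pointing at %System%\sysformat.exe) can be checked offline against a registry export taken from a suspect machine. The following is an added example, not code from the CA advisory: it parses the text format written by `reg export` (a .reg file) for the two Run keys and reports any value that matches the indicator. The sample export is constructed for the example; the ctfmon and SoundMAX entries in it are ordinary placeholders, not indicators.

```python
"""Triage a Windows .reg export for the Win32/Bagle.DR Run-key persistence value.

Added example; not part of the CA advisory. Parses the text produced by
`reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run out.reg`
(and the HKLM equivalent) so the check runs offline on a collected artifact.
"""
import re

# The two Run keys the advisory mentions (HKCU is where the worm writes its value).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
_RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

# Value name and file name from the advisory.
BAGLE_VALUE = "sysformat"
BAGLE_FILE = "sysformat.exe"

_SECTION = re.compile(r"^\[(.+)\]\s*$")
# "name"=data  or  @=data  (default value); names may contain escaped quotes.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files double backslashes and escape embedded quotes.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    Only REG_SZ data (quoted strings) is decoded; other types are kept raw.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            result[current][name] = data
    return result


def find_bagle_persistence(text):
    """Return [(key, value_name, data)] for Run values matching the advisory's indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in _RUN_KEYS_LOWER:
            continue
        for name, data in values.items():
            if name.lower() == BAGLE_VALUE or BAGLE_FILE in data.lower():
                hits.append((key, name, data))
    return hits


# Constructed sample export (not a real machine's registry).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysformat"="C:\\WINDOWS\\system32\\sysformat.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
'''

if __name__ == "__main__":
    for key, name, data in find_bagle_persistence(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}")
```

The check matches on either the value name or the file name, because the advisory fixes both; a variant that kept the file but renamed the value, or vice versa, would still be caught.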



Method of Distribution

Via E-mail

The worm arrives attached to an e-mail with the following form:


Subject: price

Body: February price


The From address is 'spoofed', chosen from e-mail addresses collected from the affected system.


The attachment name is chosen at random from the following list:


price.zip
pricelst.zip
pricelist.zip
price_lst.zip
new_price.zip
February_price.zip
21_price.zip


Each ZIP archive contains a copy of the worm's executable, plus another file containing random garbage. The worm EXE's file name consists of between 5 and 9 lower case letters, followed by the extension ".exe". The second file's name is generated in the same way, except without any extension. The file itself contains between 100 and 599 randomly generated lower case letters.


For example:


new_price.zip containing ytdzp.exe and ssfzy


Example contents of ZIP file created by Win32/Bagle.DR.
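The archive layout described above is specific enough to use as a gateway triage rule: a ZIP with exactly two members, one EXE with a 5 to 9 letter lower-case stem and one extensionless companion of the same naming style holding 100 to 599 lower-case letters. The following is an added example, not code from the CA advisory. The `build_sample` helper constructs a ZIP in that layout with a harmless placeholder in place of the worm EXE; the member names it generates are random, not names from a real sample.

```python
"""Flag e-mail attachments that match the Win32/Bagle.DR ZIP layout.

Added example; not part of the CA advisory. Uses only the standard library
so it runs offline on raw attachment bytes.
"""
import io
import random
import re
import string
import zipfile

# Attachment names listed in the advisory (compared case-insensitively).
ATTACHMENT_NAMES = {
    n.lower() for n in (
        "price.zip", "pricelst.zip", "pricelist.zip", "price_lst.zip",
        "new_price.zip", "February_price.zip", "21_price.zip",
    )
}
_EXE_NAME = re.compile(r"^[a-z]{5,9}\.exe$")   # worm member
_JUNK_NAME = re.compile(r"^[a-z]{5,9}$")       # companion, no extension
_JUNK_BODY = re.compile(rb"^[a-z]{100,599}$")  # companion content


def matches_bagle_dr_layout(zip_bytes):
    """True if the archive has exactly the two-member layout from the advisory."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
            if len(infos) != 2:
                return False
            exe = [i for i in infos if _EXE_NAME.match(i.filename)]
            junk = [i for i in infos if _JUNK_NAME.match(i.filename)]
            if len(exe) != 1 or len(junk) != 1:
                return False
            # Only read the small companion; never touch the EXE content here.
            return _JUNK_BODY.match(zf.read(junk[0].filename)) is not None
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return (verdict, reason); verdict is 'bagle_dr', 'suspect' or 'clean'."""
    name_hit = filename.lower() in ATTACHMENT_NAMES
    layout_hit = matches_bagle_dr_layout(data)
    if name_hit and layout_hit:
        return "bagle_dr", "attachment name and archive layout both match the advisory"
    if layout_hit:
        return "suspect", "archive layout matches; attachment name does not"
    if name_hit:
        return "suspect", "attachment name matches; archive layout does not"
    return "clean", "no indicator"


def build_sample(seed=1):
    """Construct a ZIP in the described layout with a placeholder EXE (not the worm)."""
    rnd = random.Random(seed)
    letters = string.ascii_lowercase
    exe_name = "".join(rnd.choice(letters) for _ in range(rnd.randint(5, 9))) + ".exe"
    junk_name = "".join(rnd.choice(letters) for _ in range(rnd.randint(5, 9)))
    junk = "".join(rnd.choice(letters) for _ in range(rnd.randint(100, 599))).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(exe_name, b"MZ placeholder - not an executable")
        zf.writestr(junk_name, junk)
    return buf.getvalue()


def build_benign():
    """Construct a one-member ZIP that only shares a lure file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.xls", b"placeholder spreadsheet bytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("new_price.zip", build_sample()))
    print(triage_attachment("price.zip", build_benign()))
```

The two indicators are scored separately on purpose: the attachment names were rotated across Bagle variants, while the two-member layout with a random-letter companion is the more stable signal, so a layout match alone is still worth quarantining.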


The worm collects addresses to send itself to, and to use as fake sender addresses, by searching files on all local fixed drives. It searches in any files with the following extensions:


.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml


It avoids using addresses containing any of the following strings:


@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@


It sends e-mail using its own SMTP engine. It finds the appropriate mail server for each recipient address by performing an MX lookup using the local system's default DNS server. If it cannot find the DNS server used by the local system, it tries to use the one at 217.5.97.137. It tests the DNS server by first performing an MX lookup on the domain google.com.


Please see below for examples of e-mail generated by the worm:


Example e-mail generated by Win32/Bagle.DR.




Via P2P File Sharing

While searching for files with e-mail addresses, the worm also looks for any directories whose names contain the string "shar". It copies itself into each matching directory using the following file names:


Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe


This enables the worm to spread through peer-to-peer file sharing networks, such as Kazaa.



Payload

Deletes Registry Values

The worm deletes the registry values "My AV" and "ICQ Net" from the following keys:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Downloads and Executes Arbitrary Files

Bagle.DR contains a list of 80 URLs. It attempts to download from each URL, save the results to %System%\re_file.exe, and execute it. At the time of writing, none of these URLs were available.


The URLs are on the following domains:


www.cnsrvr.com
www.casinofunnights.com
www.ec.cox-wacotrib.com
www.crazyiron.ru
www.uni-esma.de
www.sorisem.net
www.varc.lv
www.belwue.de
www.thetildegroup.com
www.vybercz.cz
www.kyno.cz
www.forumgestionvilles.com
www.campus-and-more.com
www.capitalforex.com
www.capitalspreadspromo.com
www.prineus.de
www.databoots.de
www.steintrade.net
www.njzt.net
www.emarrynet.com
www.zebrachina.net
www.lxlight.com
www.yili-lighting.com
www.fachman.com
www.q-serwer.net
www.wellness-i.com
www.newportsystemsusa.com
www.westcoastcadd.com
www.wing49.cz
www.posteffects.com
www.provax.sk
www.casinobrillen.de
www.duodaydream.nl
www.finlaw.ru
www.fitdina.com
www.flashcardplayer.com
www.flox-avant.ru
www.lotslink.com
www.algor.com
www.gaspekas.com
www.ezybidz.com
www.genesisfinancialonline.com
www.georg-kuenzle.ch
www.girardelli.com
www.rodoslovia.ru
www.golden-gross.ru
www.gregoryolson.com
www.gtechna.com
www.lunardi.com
www.sgmisburg.de
www.harmony-farms.net
www.hftmusic.com
www.hiwmreport.com
www.horizonimagingllc.com
www.hotelbus.de
www.howiwinmoney.com
www.ietcn.com
www.import-world.com
www.houstonzoo.org
www.interorient.ru
www.internalcardreaders.com
www.interstrom.ru
www.iutoledo.org
www.wena.net
www.iesgrantarajal.org
www.alexandriaradiology.com
www.booksbyhunter.com
www.wxcsxy.com
www.coupdepinceau.com
www.erotologist.com
www.jackstitt.com
www.imspress.com
www.digitalefoto.net
www.josemarimuro.com
www.eversetic.com
www.curious.be
www.kameo-bijux.ru
www.karrad6000.ru
www.kaztransformator.kz
www.keywordthief.com


Terminates Processes

The worm terminates any process whose name contains any of the following strings:


APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVENGINE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
Avconsol.exe
Avsynmgr.exe
CFIAUDIT.EXE
DRWEBUPW.EXE
DefWatch.exe
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
MCUPDATE.EXE
NISUM.EXE
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
UPDATE.EXE
UpdaterUI.exe
VsStat.exe
VsTskMgr.exe
Vshwin32.exe
alogserv.exe
bawindo.exe
blackd.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
mcagent.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
pavProxy.exe
pavsrv50.exe
symlcsvc.exe


Stops/Disables Services

Bagle.DR also attempts to stop and disable the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service (the "SharedAccess" service) and the Security Center service ("wscsvc", introduced with Windows XP Service Pack 2) on Windows XP systems.


Modifies Hosts File

The Hosts file contains mappings of IP addresses to host names. Windows checks the Hosts file before it queries any DNS server, which allows entries in it to override addresses in the DNS. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems it is located at %Windows%\hosts.


Bagle.DR replaces the Windows hosts file, effectively stopping an affected user from visiting the following domains by redirecting them to localhost (127.0.0.1):


ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
click.atdmt.com
clicks.atdmt.com
dispatch.mcafee.com
download.mcafee.com
download.microsoft.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
go.microsoft.com
liveupdate.symantec.com
mast.mcafee.com
mcafee.com
media.fastclick.net
msdn.microsoft.com
my-etrust.com
nai.com
networkassociates.com
office.microsoft.com
phx.corporate-ir.net
secure.nai.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
support.microsoft.com
symantec.com
update.symantec.com
updates.symantec.com
us.mcafee.com
vil.nai.com
viruslist.ru
windowsupdate.microsoft.com
www.avp.ch
www.avp.com
www.avp.ru
www.awaps.net
www.ca.com
www.fastclick.net
www.f-secure.com
www.kaspersky.ru
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.ru
www3.ca.com



Additional Information

The worm creates several mutexes:


  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

These are probably created to stop other viruses (such as Win32.Netsky) from running while Bagle is running. It also creates unnamed mutexes for its own thread synchronization purposes.


Analysis by Hamish O'Dea


