Proactive IT security
 

W32/Bagle.AI@mm

Threat risk

Threat risk low

Detection files published:
9 Aug 2004
Description created:
2004-08-09
Description updated:
2004-08-09

Malware type:
Worm
Alias:
Win32.Bagle.AG [Computer Associates], W32/Bagle.AJ@mm [F-secure], W32/Bagle.aq@MM [Network Associates], W32/Bagle.AM.worm [Panda], W32/Bagle-AQ [Sophos], W32.Beagle.AO@mm [Symantec], WORM_BAGLE.AC [Trend Micro]
Spreading mechanism
Email

Payload:

Summary

W32/Bagle.AI@mm is a mass mailing worm compressed using PEX 0.99.

Spreading description

Email characteristics:

Body: New Price
Attachment: Variable
Bagle.AI is spread via a zip archive which contains two files, price.html and price.exe. When run, price.exe creates the following registry entries to ensure it is started with Windows:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       win_upd2.exe = "%SYSTEM%\WINdirect.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       win_upd2.exe = "%SYSTEM%\WINdirect.exe"
Price.exe also drops a file named _dll.exe, which will attempt to download Bagle.AI to %WINDIR%\~.exe and launch it. _dll.exe will contact one of the following domains to download Bagle.AI:
  • http://polobeer.de/
  • http://r2626r.de/
  • http://kooltokyo.ru/
  • http://mmag.ru/
  • http://advm1.gm.fh-koeln.de/
  • http://evadia.ru/
  • http://megion.ru/
  • http://molinero-berlin.de/
  • http://dozenten.f1.fhtw-berlin.de/
  • http://shadkhan.ru/
  • http://sacred.ru/
  • http://kypexin.ru/
  • http://www.gantke-net.com/
  • http://www.mcschnaeppchen.com/
  • http://www.rollenspielzirkel.de/
  • http://134.102.228.45/
  • http://196.12.49.27/
  • http://aus-Zeit.com/
  • http://lottery.h11.ru/
  • http://herzog.cs.uni-magdeburg.de/
  • http://yaguark.h10.ru/
  • http://213.188.129.72/
  • http://thorpedo.us/
  • http://szm.sk/
  • http://lars-s.privat.t-online.de/
  • http://www.no-abi2003.de/
  • http://www.mdmedia.org/
  • http://abi-2004.org/
  • http://sovea.de/
  • http://www.porta.de/
  • http://matzlinger.com/
  • http://pocono.ru/
  • http://controltechniques.ru/
  • http://alexey.pioneers.com.ru/
  • http://momentum.ru/
  • http://omegat.ru/
  • http://www.perfectgirls.net/
  • http://porno-mania.net/
  • http://colleen.ai.net/
  • http://ourcj.com/
  • http://free.bestialityhost.com/
  • http://slavarik.ru/
  • http://burn2k.ipupdater.com/
  • http://carabi.ru/
  • http://spbbook.ru/
  • http://binn.ru/
  • http://sbuilder.ru/
  • http://protek.ru/
  • http://www.PlayGround.ru/
  • http://celine.artics.ru/
  • http://www.artics.ru/
  • http://www.laserbuild.ru/
  • http://www.lamatec.com/
  • http://www.sensi.com/
  • http://www.oldtownradio.com/
  • http://www.youbuynow.com/
  • http://64.62.172.118/
  • http://www.tayles.com/
  • http://dodgetheatre.com/
  • http://www.thepositivesideofsports.com/
  • http://www.bridesinrussia.com/
  • http://fairy.dataforce.net/
  • http://www.pakwerk.ru/
  • http://home.profootball.ru/
  • http://www.ankil.ru/
  • http://www.ddosers.net/
  • http://tarkosale.net/
  • http://www.boglen.com/
  • http://change.east.ru/
  • http://www.teatr-estrada.ru/
  • http://www.glass-master.ru/
  • http://www.zeiss.ru/
  • http://www.sposob.ru/
  • http://www.glavriba.ru/
  • http://alfinternational.ru/
  • http://euroviolence.com/
  • http://www.webronet.com/
  • http://www.virtmemb.com/
  • http://www.infognt.com/
  • http://www.vivamedia.ru/
  • http://www.zelnet.ru/
  • http://www.dsmedia.ru/
  • http://www.vendex.ru/
  • http://www.elit-line.ru/
  • http://pixel.co.il/
  • http://www.milm.ru/
  • http://dev.tikls.net/
  • http://www.met.pl/
  • http://www.strefa.pl/
  • http://kafka.punkt.pl/
  • http://www.rubikon.pl/
  • http://www.neostrada.pl/
  • http://werel1.web-gratis.net/
  • http://www.tuhart.net/
  • http://www.antykoncepcja.net/
  • http://www.dami.com.pl/
  • http://vip.pnet.pl/
  • http://www.webzdarma.cz/
  • http://emnesty.w.interia.pl/
  • http://niebo.net/
  • http://strony.wp.pl/
  • http://sec.polbox.pl/
  • http://www.phg.pl/
  • http://emnezz.e-mania.pl/
  • http://www.republika.pl/
  • http://www.silesianet.pl/
  • http://www.republika.pl/
  • http://tdi-router.opola.pl/
  • http://republika.pl/
  • http://infokom.pl/
  • http://silesianet.pl/
  • http://terramail.pl/
  • http://silesianet.pl/
  • http://www.iluminati.kicks-ass.net/
  • http://www.dilver.ru/
  • http://www.yarcity.ru/
  • http://www.scli.ru/
  • http://www.elemental.ru/
  • http://diablo.homelinux.com/
  • http://www.interrybflot.ru/
  • http://www.webpark.pl/
  • http://www.rafani.cz/
  • http://gutemine.wu-wien.ac.at/
  • http://przeglad-tygodnik.pl/
  • http://przeglad-tygodnik.pl/
  • http://pb195.slupsk.sdi.tpnet.pl/
  • http://www.ciachoo.pl/
  • http://cavalierland.5u.com/
  • http://www.nefkom.net/
  • http://rausis.latnet.lv/
  • http://www.hgr.de/
  • http://www.airnav.com/
  • http://www.astoria-stuttgart.de/
  • http://ultimate-best-hgh.0my.net/
  • http://wynnsjammer.proboards18.com/
  • http://www.jewishgen.org/
  • http://www.hack-gegen-rechts.com/
  • http://host.wallstreetcity.com/
  • http://quotes.barchart.com/
  • http://www.aannemers-nederland.nl/
  • http://www.sjgreatdeals.com/
  • http://financial.washingtonpost.com/
  • http://www.biratnagarmun.org.np/
  • http://hsr.zhp.org.pl/
  • http://traveldeals.sidestep.com/
  • http://www.hbz-nrw.de/
  • http://www.ifa-guide.co.uk/
  • http://www.inversorlatino.com/
  • http://www.zhp.gdynia.pl/
  • http://host.businessweek.com/
  • http://packages.debian.or.jp/
  • http://www.math.kobe-u.ac.jp/
  • http://www.k2kapital.com/
  • http://www.tanzen-in-sh.de/
  • http://www.wapf.com/
  • http://www.hgrstrailer.com/
  • http://www.forbes.com/
  • http://www.oshweb.com/
  • http://www.rumbgeo.ru/
  • http://www.dicto.ru/
  • http://www.busheron.ru/
  • http://www.omnicom.ru/
  • http://www.teleline.ru/
  • http://www.dynex.ru/
  • http://www.gamma.vyborg.ru/
  • http://nominal.kaliningrad.ru/
  • http://www.baltmatours.com/
  • http://www.interfoodtd.ru/
  • http://www.baltnet.ru/
  • http://www.neprifan.ru/
  • http://photo.gornet.ru/
  • http://www.aktor.ru/
  • http://catalog.zelnet.ru/
  • http://www.sdsauto.ru/
  • http://www.gradinter.ru/
  • http://www.avant.ru/
  • http://www.porsa.ru/
  • http://www.taom-clan.de/
  • http://www.perfectjewel.com/
  • http://www.vrack.net/
  • http://www.netradar.com/
  • http://www.pgipearls.com/
  • http://www.vconsole.net/
  • http://www.ccbootcamp.com/
  • http://host23.ipowerweb.com/
  • http://www.timelessimages.com/
  • http://www.peterstar.ru/
  • http://www.5100.ru/
  • http://www.gin.ru/
  • http://www.rweb.ru/
  • http://www.metacenter.ru/
  • http://www.biysk.ru/
  • http://www.free-time.ru/
  • http://www.rastt.ru/
  • http://www.chelny.ru/
  • http://www.chat4adult.com/
  • http://www.landofcash.net/
  • http://relay.great.ru/
  • http://www.kefaloniaresorts.com/
  • http://www.epski.gr/
  • http://www.myrtoscorp.com/
  • http://www.aphel.de/
  • http://www.intellect.lvc/
  • http://www.abcdesign.ru/
_dll.exe also terminates processes with these names:
  • FIREWALL.EXE
  • ATUPDATER.EXE
  • winxp.exe
  • sys_xp.exe
  • sysxp.exe
  • LUALL.EXE
  • DRWEBUPW.EXE
  • AUTODOWN.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ESCANH95.EXE
  • AVXQUAR.EXE
  • ESCANHNT.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • CFIAUDIT.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • MCUPDATE.EXE
When _dll.exe launches ~.exe (the downloaded copy of Bagle.AI), ~.exe copies itself to the %SYSTEM% folder as:
  • windll.exe
  • windll.exeopen
  • windll.exeopenopen
The worm also creates the following registry value, which would normally start it with Windows; because the key name is misspelled (Ru1n instead of Run), Windows never reads it, so the value is useless for persistence and serves only as an infection marker:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\erthgdr = "%SYSTEM%\windll.exe"
Bagle.AI will delete the following entries from the registry in an attempt to remove various Netsky variants:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       My AV
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       Zone Labs Client Ex
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       9XHtProtect
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       Antivirus
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       Special Firewall Service
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       service
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       Tiny AV
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       ICQNet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       HtProtect
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       NetDv
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       Jammer2nd
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       FirewallSvr
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       MsInfo
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       SysMonXP
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       EasyAV
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       PandaAVEngine
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       Norton Antivirus AV
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       KasperskyAVEng
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       SkynetsRevenge
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
       ICQ Net
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       My AV
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       Zone Labs Client Ex
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       9XHtProtect
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       Antivirus
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       Special Firewall Service
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       service
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       Tiny AV
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       ICQNet
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       HtProtect
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       NetDv
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       Jammer2nd
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       FirewallSvr
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       MsInfo
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       SysMonXP
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       EasyAV
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       PandaAVEngine
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       Norton Antivirus AV
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       KasperskyAVEng
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       SkynetsRevenge
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
       ICQ Net
The worm will also create the following mutexes in order to prevent Netsky from running:
  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
  • 'D'r'o'p'p'e'd'S'k'y'N'e't'.
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
  • [SkyNet.cz]SystemsMutex.
  • AdmSkynetJklS003.
  • ____--->>>>U<<<<--____.
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.
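The registry values, dropped files and mutex names above are the host-side indicators a responder would sweep for. The following is an added example, not Norman's tooling: it runs the checks against a constructed snapshot (Run values, a %SYSTEM% listing and mutex names, the shape a live-response script or forensic export produces), so it runs offline on any platform. The mutex names are assumed to carry no trailing full stop and plain apostrophes; expanded paths such as C:\WINDOWS\system32 stand in for %SYSTEM%.

```python
"""Host-based sweep for the W32/Bagle.AI@mm artefacts described above.

Added example, not Norman's tooling. Works on a constructed snapshot so it
runs offline; wiring it to real registry / process APIs is left out.
"""
import re
from typing import Dict, List, Tuple

# Run-value name -> executable written by price.exe / ~.exe (from the description).
BAGLE_RUN_VALUES = {"win_upd2.exe": "windirect.exe", "erthgdr": "windll.exe"}

# Files dropped into %SYSTEM% / %WINDIR% (from the description).
BAGLE_FILES = {"windirect.exe", "_dll.exe", "~.exe",
               "windll.exe", "windll.exeopen", "windll.exeopenopen"}

# Netsky mutex names Bagle.AI creates to block Netsky. Assumed here without the
# trailing full stops of the listing and with plain apostrophes.
BAGLE_MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}

KEY_RE = re.compile(r"^(HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\([^\\]+)$", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a registry data string, quotes and either slash style tolerated."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_values(entries: List[Tuple[str, str, str]]) -> List[str]:
    """entries: (key path, value name, data). A hit under the real Run key is
    active persistence; the mistyped Ru1n key starts nothing but still proves infection."""
    findings = []
    for key, name, data in entries:
        m = KEY_RE.match(key)
        if not m or BAGLE_RUN_VALUES.get(name.lower()) != _basename(data):
            continue
        subkey = m.group(2)
        if subkey.lower() == "run":
            findings.append(f"active persistence: {key}\\{name} = {data}")
        else:
            findings.append(f"inert marker under non-standard key {subkey!r}: {key}\\{name} = {data}")
    return findings


def check_system_files(listing) -> List[str]:
    """File names from a %SYSTEM% / %WINDIR% directory listing that match the dropped files."""
    return sorted(f for f in listing if f.lower() in BAGLE_FILES)


def check_mutexes(names) -> List[str]:
    # Netsky creates the same mutexes, so a hit means "Bagle.AI or Netsky", not Bagle alone.
    return sorted(n for n in names if n in BAGLE_MUTEXES)


# Constructed snapshot: one benign entry plus the indicators from the description.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SoundMixer", r"C:\WINDOWS\system32\mixer.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "win_upd2.exe", r"C:\WINDOWS\system32\WINdirect.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "win_upd2.exe", r"C:\WINDOWS\system32\WINdirect.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n", "erthgdr", r"C:\WINDOWS\system32\windll.exe"),
]
SAMPLE_SYSTEM_LISTING = ["kernel32.dll", "WINdirect.exe", "windll.exeopen", "calc.exe"]
SAMPLE_MUTEXES = ["Global\\ExampleBenignMutex", "AdmSkynetJklS003", "[SkyNet.cz]SystemsMutex"]


def scan_host(run_entries=SAMPLE_RUN_ENTRIES, listing=SAMPLE_SYSTEM_LISTING,
              mutexes=SAMPLE_MUTEXES) -> Dict[str, List[str]]:
    return {
        "registry": check_run_values(run_entries),
        "files": check_system_files(listing),
        "mutexes": check_mutexes(mutexes),
    }


if __name__ == "__main__":
    for kind, hits in scan_host().items():
        print(kind, "->", hits or "clean")
```

On the constructed snapshot the sweep reports two active Run values, the inert Ru1n marker, two dropped files and two mutexes; replace the sample lists with a real export to use it.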
Bagle.AI then harvests email addresses from files with the following extensions:
  • .wab
  • .txt
  • .msg
  • .htm
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp
Email addresses containing any of these strings are ignored:
  • @hotmail
  • @msn
  • @microsoft
  • rating@
  • f-secur
  • news
  • update
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@
The worm then begins its mass mailing routine. Emails may have the following characteristics:
Subject
  • None
Body
  • New Price
Attachment
  • price_08.zip
  • price.zip
  • price2.zip
  • new_price.zip
  • price_new.zip
  • 08_price.zip
  • new__price.zip
  • newprice.zip
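The email characteristics listed above (no subject, body "New Price", a zip named from the list that holds price.html and price.exe) are what a mail gateway rule would key on. The following is an added example and not Norman's code: it parses a message, inspects any zip attachment in memory, and only returns a Bagle.AI verdict when the structural marker (price.html plus price.exe inside the zip) coincides with at least one of the weaker signals, since the filename list and the two-word body are easy to collide with. The sample message and its placeholder zip contents are constructed here.

```python
"""Mail-gateway style detection for the W32/Bagle.AI@mm message described above.

Added example, not Norman's code. The message it inspects is constructed in
memory with inert placeholder bytes, so the block runs offline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Characteristics from the description.
BAGLE_AI_ATTACHMENTS = {
    "price_08.zip", "price.zip", "price2.zip", "new_price.zip",
    "price_new.zip", "08_price.zip", "new__price.zip", "newprice.zip",
}
BAGLE_AI_BODY = "new price"
BAGLE_AI_ZIP_MEMBERS = {"price.html", "price.exe"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")


def zip_member_names(data: bytes) -> set:
    """Names inside a zip attachment (lower-cased, directories stripped); empty if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {i.filename.rsplit("/", 1)[-1].lower()
                    for i in zf.infolist() if not i.is_dir()}
    except zipfile.BadZipFile:
        return set()


def classify(raw_message: bytes) -> dict:
    """Return every reason found plus a verdict that needs the structural marker
    (price.html + price.exe in the zip) and at least one further hit."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == BAGLE_AI_BODY:
        reasons.append("body is exactly 'New Price'")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        members = zip_member_names(part.get_payload(decode=True))
        if name in BAGLE_AI_ATTACHMENTS:
            reasons.append(f"attachment name {name} is on the Bagle.AI list")
        if BAGLE_AI_ZIP_MEMBERS <= members:
            reasons.append("zip carries price.html + price.exe")
        elif any(m.endswith(EXECUTABLE_EXT) for m in members):
            # Generic hygiene hit: not Bagle-specific, but quarantine-worthy on its own.
            reasons.append("zip carries an executable")
    structural = "zip carries price.html + price.exe" in reasons
    return {"bagle_ai": structural and len(reasons) >= 2, "reasons": reasons}


def build_sample(attachment_name="price.zip", body="New Price", members=None) -> bytes:
    """Constructed message shaped like the description; the zip holds placeholder bytes."""
    if members is None:
        members = {"price.html": b"<html></html>", "price.exe": b"MZ placeholder, not a binary"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    # No Subject header on purpose: the description lists the subject as "None".
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample()))
```

A gateway would feed `classify()` the raw bytes of each inbound message; the "zip carries an executable" reason fires for any zipped executable and is the generic rule worth keeping after this particular variant is gone.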
Finally, Bagle.AI will also copy itself to folders containing 'shar' in the pathname. Possible filenames include:
  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Porno Screensaver.scr Serials.txt.exe
  • KAV 5.0
  • Kaspersky Antivirus 5.0
  • Porno pics arhive, xxx.exe
  • Windows Sourcecode update.doc.exe
  • Ahead Nero 7.exe
  • Windown Longhorn Beta Leak.exe
  • Opera 8 New!.exe
  • XXX hardcore images.exe
  • WinAmp 6 New!.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • Adobe Photoshop 9 full.exe
  • Matrix 3 Revolution English Subtitles.exe
  • ACDSee 9.exe
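The share-folder copies above are the part of the worm that survives a mail-gateway block, so a scan of shared folders is the natural complement. The following is an added example, not Norman's tooling: it walks a directory tree, reports the lure filenames from the list wherever they appear, and in any folder whose path contains "shar" also flags double-extension executables (a generic rule that goes beyond the list, such as update.doc.exe or Serials.txt.exe). The sample tree of inert placeholder files is constructed and removed by the block itself.

```python
"""Scan share-style folders for the Bagle.AI lure files described above.

Added example, not Norman's tooling. Builds a throw-away directory tree of
inert placeholder files, scans it and removes it, so it runs on any OS.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Filenames from the description (exact, case-sensitive matches).
LURE_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
}
# Generic rule for share folders: a document-looking extension hiding an executable.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|pif|com)$", re.I)


def scan_share_folders(root):
    """Report known lure names anywhere under root, and double-extension executables
    inside any folder whose path (relative to root) contains 'shar'."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        in_share = "shar" in path.parent.relative_to(root).as_posix().lower()
        if path.name in LURE_NAMES:
            findings.append((rel, "known Bagle.AI lure filename"))
        elif in_share and DOUBLE_EXT_RE.search(path.name):
            findings.append((rel, "double-extension executable in a share folder"))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Constructed tree: two listed lures, one unlisted double extension in a share, decoys elsewhere."""
    root = Path(tempfile.mkdtemp(prefix="bagle_ai_demo_"))
    layout = {
        "Shared Files/Opera 8 New!.exe": b"MZ placeholder",
        "Shared Files/Windows Sourcecode update.doc.exe": b"MZ placeholder",
        "Shared Files/Adobe Reader 12 setup.pdf.exe": b"MZ placeholder",  # caught by the generic rule
        "Shared Files/holiday photos.zip": b"PK placeholder",
        "Downloads/Serials.txt.exe": b"MZ placeholder",  # not in a share folder, not on the list
        "Documents/report.doc": b"placeholder",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def run_demo():
    """Build the sample tree, scan it, and always clean it up."""
    root = build_sample_tree()
    try:
        return scan_share_folders(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{why}: {rel}")
```

Point `scan_share_folders()` at a mounted share root to use it on real data; the generic double-extension rule is deliberately limited to share folders so that legitimate installers elsewhere are not reported.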

Removal

The worm was detected proactively by Norman Sandbox as W32/EMailWorm.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the standard product does not remove completely. We have therefore developed the free tool Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage Title Comment
  Preventing infection through file sharing on networks
  Cleaning backup folders in Windows Me and XP