|ALIAS:||Worm.Win32.Bagif, Win32/KME, W32/Bagif|
Bagif is a polymorphic parasitic virus-worm that utilises EPO (entry point obscuring) techniques.
When the infected file is run, it creates the file named NTLOADER.EXE in Windows System folder and modifies the EXE file startup key in System Registry:
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @ = %winsysdir%\ntloader.exe "%1" %*"
The NTLOADER.EXE file acts as a virus dropper and it is activated every time a user of an infected computer runs an EXE file.
Then the virus creates a file named WIN32S.EXE in the startup folder for current computer user:
This folder is located in main Windows folder on 9x systems. In Windows XP and 2000 this folder is located in the following location:
\Documents and Settings\%profile%\
In Windows NT this folder is located in the following location:
The %profile% is current user's profile name. Copying the dropper to Startup folder is done to make the virus dropper start every time Windows starts.
The virus polymorphic engine is quite strong. It uses FPU and 386+ processor instructions and simple anti-emulation tricks. The virus unpacks itself in 2 steps. First it unpacks a part of its code into stack area and passes control to it. That code locates KERNEL32.DLL library and gets addresses of 2 API functions from there. After that the virus allocates a chunk of memory and decrypts its main body into that area. Then the control is passed to the main virus body.
The virus scans local hard disks and tries to infect EXE and SCR files. It can not infect all executable files, it only can infect files with certain characteristics. Upon infection the virus appends itself to the first section of a file. This is not a typical infection technique.
The virus can infect files that have ExitProcess function exported from KERNEL32.DLL library. When infecting a file the virus looks for ExitProcess function call in the file's startup code area and replaces it with a call routine to it own decryptor. So the control is only passed to the virus code when an infected file exits. The virus does not modify the entry point address of an infected file, nor the beginning of a file's startup code as many other viruses do. The technique that the Bagif virus uses to hide its entry point is called EPO (entry point obscuring) and it makes such viruses harder to detect.
The virus also avoids infecting files that start with the following strings:
EXPL UNRE HL
Besides, the virus tries to spread to other computers over local network. It enumerates shares and tries to locate remote folders with the following names:
WINDOWS WINNT WIN95 WIN98 WINME WIN2000 WIN2K WINXP
If such folder is found, the virus copies its dropper there as TSOC32.EXE and modifies WIN.INI file on a remote computer. The virus adds the startup string for TSOC32.EXE file after RUN= variable in WIN.INI file. As a result Windows 9x computers affected that way will be infected after their restart. Windows NT, 2000 and XP computers will not be affected unless the TSOC32.EXE file is manually started there.
The virus has the following text string in its body:
HI CHUNK OF SH*T ! IT'S ME SUPRA VIRUS BY GRIFIN I HATE SCHOOL & USA KILL 'EM ALL
Virus samples are detected by F-Secure Anti-Virus as 'Worm.Win32.Bagif' and droppers are detected as 'Win32.KME'.
[Analysis: Alexey Podrezov; F-Secure Corp; February 19th, 2003]