F-Secure Virus Descriptions : Bagle.AF

NAME:Bagle.AF
ALIAS:I-Worm.Bagle.af, W32.Beagle.AB@mm, W32/Bagle.af@MM

Summary

Bagle.AF is a variant closely related to Bagle.Z. Unlike Bagle.AA, which was a stripped-down version, Bagle.AF keeps all the functionality of Bagle.Z.

Like other Bagle variants, it sends variable emails with infected attachments.

Sometimes the attachments are encrypted with ZIP, and the password is contained in an image attached to the email, like this:

For more information please see the description of Bagle.Z and Bagle.AA:

http://www.f-secure.com/v-descs/bagle_z.shtml

http://www.f-secure.com/v-descs/bagle_aa.shtml

There are the following differences between Bagle.Z and Bagle.AF:

- The worm uses a different filename: 'sysxp.exe'

- A new registry value is used:

  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "key" = "%SystemDir%\sysxp.exe"

- Expiration date set to May 5th, 2006

- The backdoor listens on port 1080/TCP

- It does not send .HTA or .VBS attachments anymore

- It has a downloader feature that attempts to download and run a file from several web pages

Detailed Description

The worm is a PE executable about 20 kilobytes long. The worm's file is packed with the UPX file compressor. Additionally, the worm encrypts its code and data areas and appends random garbage to the end of its file as a decoy. The worm can also spread with a prepended Windows Control Panel Applet (CPL) stub (see below).

If the system date is May 5th, 2006, the worm uninstalls itself from an infected system by deleting its startup key in the Registry and terminating its own process.

When active in memory, the worm re-creates its startup key every 100 milliseconds.

System Infection

When the worm's file is run, it copies itself as SYSXP.EXE to the Windows System folder and creates a startup key for this file in the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "key" = "%winsysdir%\sysxp.exe"

where %winsysdir% represents Windows System folder name.

The worm creates 2 more files in Windows System folder:

 sysxp.exeopen
 sysxp.exeopenopen

These files are used when the worm spreads itself in e-mails.

Email Propagation

The worm scans the hard drive to collect victims' e-mail addresses. It scans files with the following extensions:

 .wab
 .txt
 .msg
 .htm
 .shtm
 .stm
 .xml
 .dbx
 .mbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .wsh
 .adb
 .tbb
 .sht
 .xls
 .oft
 .uin
 .cgi
 .mht
 .dhtm
 .jsp

The worm ignores e-mail addresses that contain the following strings:

 @hotmail
 @msn
 @microsoft
 rating@
 f-secur
 news
 update
 anyone@
 bugs@
 contract@
 feste
 gold-certs@
 help@
 info@
 nobody@
 noone@
 kasp
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 sopho
 @foo
 @iana
 free-av
 @messagelab
 winzip
 google
 winrar
 samples
 abuse
 panda
 cafee
 spam
 pgp
 @avp.
 noreply
 local
 root@
 postmaster@

The worm spreads itself in e-mails with varying subject texts and attachment names. The worm can attach itself to e-mails either as an executable file with a COM, EXE, SCR or CPL extension, or as a password-protected ZIP archive.

When spreading as a Windows Control Panel Applet (CPL) file, the worm prepends a small binary dropper to its executable file. When the CPL file is activated, it copies itself as CJECTOR.EXE file to Windows folder and then drops the worm's file into Windows System folder.

The worm (like Bagle.Z) uses the following text strings as subjects for the infected e-mails it sends:

 Re: Msg reply
 Re: Hello
 Re: Yahoo!
 Re: Thank you!
 Re: Thanks :)
 RE: Text message
 Re: Document
 Incoming message
 Re: Incoming Message
 RE: Incoming Msg
 RE: Message Notify
 Notification
 Changes..
 Update
 Fax Message
 Protected message
 RE: Protected message
 Forum notify
 Site changes
 Re: Hi
 Encrypted document

When the worm sends itself in a password-protected file, it puts one of the following strings in the message's body:

 For security reasons attached file is password protected. The password is <password>
 For security purposes the attached file is password protected. Password -- <password>
 Note: Use password <password> to open archive
 Attached file is protected with the password for security reasons. Password is <password>
 In order to read the attach you have to use the following password: <password>
 Archive password: <password>
 Password - <password>
 Password: <password>

where <password> is an image containing the password for the worm's archive. Sometimes the worm sends the password for its archive as ASCII text. In some cases the whole password information can be sent as an image, for example:

The worm uses the following attachment names:

 Information
 Details
 text_document
 Updates
 Readme
 Document
 Info
 Details
 Message
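The subject lines, attachment names and password phrases above are fixed strings, which makes them usable as a mail-gateway rule. The following is an added example for this description (not F-Secure's code): it evaluates a message against those lists, treating the "<password>" part as either ASCII text or an embedded image, and requires a matching attachment plus a matching subject or body phrase before flagging, because subjects such as "Update" are too common on their own. The `Message` class and the sample messages are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Subject lines the description lists for the worm's e-mails.
BAGLE_SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document",
}

# Attachment base names from the description; the worm uses them with an
# executable extension (COM/EXE/SCR/CPL) or inside a ZIP archive.
BAGLE_ATTACHMENT_STEMS = {
    "information", "details", "text_document", "updates", "readme",
    "document", "info", "message",
}
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".cpl"}
ARCHIVE_EXTS = {".zip"}

# Body phrases from the description. "<password>" may be ASCII text or an
# image, so only the fixed prose around it is matched.
_PHRASES = [
    "For security reasons attached file is password protected. The password is",
    "For security purposes the attached file is password protected. Password --",
    "Note: Use password",
    "Attached file is protected with the password for security reasons. Password is",
    "In order to read the attach you have to use the following password:",
    "Archive password:",
    "Password -",
    "Password:",
]
PASSWORD_PHRASE_RE = re.compile("|".join(re.escape(p) for p in _PHRASES), re.IGNORECASE)


@dataclass
class Message:
    subject: str
    body: str
    attachments: list  # attachment file names only; content is not needed here


def bagle_indicators(msg: Message) -> list:
    """Return the Bagle.AF-style indicators found in one message, in a fixed order."""
    hits = []
    if msg.subject.strip() in BAGLE_SUBJECTS:
        hits.append("subject:known-bagle-subject")
    for name in msg.attachments:
        stem, ext = os.path.splitext(name.lower())
        if stem in BAGLE_ATTACHMENT_STEMS and ext in EXECUTABLE_EXTS:
            hits.append(f"attachment:executable:{name}")
        elif stem in BAGLE_ATTACHMENT_STEMS and ext in ARCHIVE_EXTS:
            hits.append(f"attachment:archive:{name}")
    if PASSWORD_PHRASE_RE.search(msg.body):
        hits.append("body:password-phrase")
    return hits


def is_suspected_bagle(msg: Message) -> bool:
    """Flag only when a listed attachment name is combined with a listed subject
    or the password phrasing; a subject alone is too weak a signal."""
    hits = bagle_indicators(msg)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    has_context = any(h.startswith(("subject:", "body:")) for h in hits)
    return has_attachment and has_context


# Constructed sample messages (not captured mail): two worm-style, one benign.
SAMPLE_MESSAGES = [
    Message("Re: Hello",
            "For security reasons attached file is password protected. The password is [image]",
            ["Details.zip"]),
    Message("Re: Document", "", ["text_document.exe"]),
    Message("Update", "Team, the schedule for next week is attached.", ["schedule.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{m.subject!r:20} flagged={is_suspected_bagle(m)} {bagle_indicators(m)}")
```

A gateway rule like this only covers the variant's fixed strings; it does nothing for the password-protected archive itself, which is why the description stresses that the password travels in the mail body or an image rather than in the archive.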

Backdoor

The worm has a backdoor that listens on port 1080/TCP. The backdoor code is encrypted with a password. The worm author, who knows the password, can connect to the computer and execute arbitrary programs.

Propagation Through Shared Folders

The worm is capable of spreading to shared folders. It scans all available drives and, if it finds a folder whose name contains the substring 'shar', copies itself there under the following names:

 Microsoft Office 2003 Crack, Working!.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 Microsoft Office XP working Crack, Keygen.exe
 Porno, sex, oral, anal cool, awesome!!.exe
 Porno Screensaver.scr
 Serials.txt.exe
 KAV 5.0
 Kaspersky Antivirus 5.0
 Porno pics arhive, xxx.exe
 Windows Sourcecode update.doc.exe
 Ahead Nero 7.exe
 Windown Longhorn Beta Leak.exe
 Opera 8 New!.exe
 XXX hardcore images.exe
 WinAmp 6 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 Adobe Photoshop 9 full.exe
 Matrix 3 Revolution English Subtitles.exe
 ACDSee 9.exe

This method allows the worm to spread to the shared folders of P2P (peer-to-peer) clients and to shared network folders.
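The System Infection, Backdoor and Propagation Through Shared Folders sections together name a small set of host artifacts: the Run value "key" pointing at sysxp.exe, the three files in the System folder, CJECTOR.EXE in the Windows folder, a TCP listener on 1080, and lure-named copies in folders whose name contains 'shar'. The following is an added host-triage example for those sections (not F-Secure's code). It takes an already-collected snapshot of a host (registry Run values, file listings, listening ports, share folder contents) as plain Python data, so it runs offline against the constructed snapshots below; the `triage` function, its parameters and the sample hosts are assumptions of this example.

```python
import ntpath

# Host artifacts named in the description.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "key"
DROPPED_FILES = ("sysxp.exe", "sysxp.exeopen", "sysxp.exeopenopen")
CPL_DROPPER = "cjector.exe"      # written to the Windows folder by the CPL stub
BACKDOOR_PORT = 1080
SHARE_LURE_NAMES = {             # subset of the copy names listed in the description
    "microsoft office 2003 crack, working!.exe",
    "serials.txt.exe",
    "porno screensaver.scr",
    "windows sourcecode update.doc.exe",
    "acdsee 9.exe",
}


def triage(run_values, system_files, windows_files, listening_tcp_ports, share_tree):
    """Evaluate a host snapshot and return a list of findings (empty when clean).

    run_values:          dict of value name -> data under the HKCU Run key
    system_files:        lower-cased file names in the Windows System folder
    windows_files:       lower-cased file names in the Windows folder
    listening_tcp_ports: set of TCP ports with a listener
    share_tree:          dict of folder path -> list of file names in that folder
    """
    findings = []

    data = run_values.get(RUN_VALUE_NAME, "")
    if data.lower().endswith("\\sysxp.exe"):
        findings.append(f"registry: {RUN_KEY}\\{RUN_VALUE_NAME} = {data}")

    for name in DROPPED_FILES:
        if name in system_files:
            findings.append(f"file: %SystemDir%\\{name}")
    if CPL_DROPPER in windows_files:
        findings.append(f"file: %WinDir%\\{CPL_DROPPER} (CPL stub dropper)")

    if BACKDOOR_PORT in listening_tcp_ports:
        findings.append(f"network: TCP listener on port {BACKDOOR_PORT} (backdoor)")

    # The worm only writes into folders whose own name contains 'shar'.
    for folder, files in share_tree.items():
        if "shar" not in ntpath.basename(folder).lower():
            continue
        for f in files:
            if f.lower() in SHARE_LURE_NAMES:
                findings.append(f"share: {folder}\\{f}")
    return findings


# Constructed snapshots (not real telemetry): one infected host, one clean host.
INFECTED_HOST = dict(
    run_values={"key": r"C:\WINDOWS\system32\sysxp.exe",
                "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    system_files={"sysxp.exe", "sysxp.exeopen", "sysxp.exeopenopen", "kernel32.dll"},
    windows_files={"explorer.exe", "cjector.exe"},
    listening_tcp_ports={135, 445, 1080},
    share_tree={
        r"C:\Program Files\KaZaA\My Shared Folder": ["Serials.txt.exe", "song.mp3"],
        r"C:\Documents and Settings\Alice\My Documents": ["ACDSee 9.exe"],
    },
)
CLEAN_HOST = dict(
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    system_files={"kernel32.dll"},
    windows_files={"explorer.exe"},
    listening_tcp_ports={135, 445},
    share_tree={r"C:\Program Files\KaZaA\My Shared Folder": ["song.mp3"]},
)

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(label, triage(**host) or "no findings")
```

Because the description says the running worm re-creates its Run value every 100 milliseconds, the registry finding is confirmation, not a cleanup step: the process has to be stopped before the value and files can be removed. Note also that ACDSee 9.exe under My Documents is not reported, since that folder name does not contain 'shar'.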

Terminating Security Software

Bagle.AF terminates processes of security and anti-virus software as well as some other applications. Processes of the following applications are terminated:

 OUTPOST.EXE
 NMAIN.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NSCHED32.EXE
 NTVDM.EXE
 NVARCH16.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KILLPROCESSSETUP161.EXE
 LDPRO.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LSETUP.EXE
 CLEANPC.EXE
 AVprotect9x.exe
 CMGRDIAN.EXE
 CMON016.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 ICSSUPPNT.EXE
 DEFWATCH.EXE
 DEPUTY.EXE
 DPF.EXE
 DPFSETUP.EXE
 DRWATSON.EXE
 ENT.EXE
 ESCANH95.EXE
 AVXQUAR.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 AVPUPD.EXE
 EXANTIVIRUS-CNET.EXE
 FAST.EXE
 FIREWALL.EXE
 FLOWPROTECTOR.EXE
 FP-WIN_TRIAL.EXE
 FRW.EXE
 FSAV.EXE
 AUTODOWN.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GUARD.EXE
 GUARDDOG.EXE
 HACKTRACERSETUP.EXE
 HTLOG.EXE
 HWPE.EXE
 IAMAPP.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFW2000.EXE
 IPARMOR.EXE
 IRIS.EXE
 JAMMER.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 BORG2.EXE
 BS120.EXE
 CDP.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 AUTOUPDATE.EXE
 CFINET.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NC2000.EXE
 NCINST4.EXE
 AUTOTRACE.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NETARMOR.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NISSERV.EXE
 NISUM.EXE
 CFIAUDIT.EXE
 LUCOMSERVER.EXE
 AGENTSVR.EXE
 ANTI-TROJAN.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATWATCH.EXE
 AVCONSOL.EXE
 AVGSERV9.EXE
 AVSYNMGR.EXE
 BD_PROFESSIONAL.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BOOTWARN.EXE
 NWINST4.EXE
 NWTOOL16.EXE
 OSTRONET.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PAVPROXY.EXE
 DRWEBUPW.EXE
 PCC2002S902.EXE
 PCC2K_76_1436.EXE
 PCCIOMON.EXE
 PCDSETUP.EXE
 PCFWALLICON.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PF2.EXE
 AVLTMAIN.EXE
 PFWADMIN.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PPINUPDT.EXE
 drvsys.exe
 PPTBC.EXE
 PPVSTOP.EXE
 PROCEXPLORERV1.0.EXE
 PROPORT.EXE
 PROTECTX.EXE
 PSPF.EXE
 WGFE95.EXE
 WHOSWATCHINGME.EXE
 AVWUPD32.EXE
 NUPGRADE.EXE
 WHOSWATCHINGME.EXE
 WINRECON.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WYVERNWORKSFIREWALL.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CPD.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 PURGE.EXE
 PVIEW95.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAV8WIN32ENG.EXE
 REGEDT32.EXE
 REGEDIT.EXE
 UPDATE.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 SAFEWEB.EXE
 SBSERV.EXE
 SD.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SETUPVAMEEVAL.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SMC.EXE
 SOFI.EXE
 SPF.EXE
 SPHINX.EXE
 SPYXX.EXE
 SS3EDIT.EXE
 ST2.EXE
 SUPFTRL.EXE
 LUALL.EXE
 SUPPORTER5.EXE
 SYMPROXYSVC.EXE
 SYSEDIT.EXE
 TASKMON.EXE
 TAUMON.EXE
 TAUSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 TDS-3.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 UNDOBOOT.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VFSETUP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCENU6.02D30.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBSCANX.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 ICSUPP95.EXE
 MCUPDATE.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 LUINIT.EXE
 MCAGENT.EXE
 MCUPDATE.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGUI.EXE
 MINILOG.EXE
 MOOLIVE.EXE
 MRFLUX.EXE
 MSCONFIG.EXE
 MSINFO32.EXE
 MSSMMC32.EXE
 MU0311AD.EXE
 NAV80TRY.EXE
 ZAUINST.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE

Uninstalling Netsky Worm

This variant of Bagle removes the following Netsky worm startup keys:

 My AV
 Zone Labs Client Ex
 9XHtProtect
 Antivirus
 Special Firewall Service
 service
 Tiny AV
 ICQNet
 HtProtect
 NetDy
 Jammer2nd
 FirewallSvr
 MsInfo
 SysMonXP
 EasyAV
 PandaAVEngine
 Norton Antivirus AV
 KasperskyAVEng
 SkynetsRevenge
 ICQ Net

Additionally, the worm creates several mutexes with names used by the Netsky worm. As a result, certain versions of Netsky will not infect a system where Bagle.AF is active.

Detection

F-Secure Anti-Virus detects Bagle.AF starting from the following update:

[FSAV_Database_Version]

Version=2004-07-16_01

Writeup: Mikko Hypponen, July 16th, 2004;

Technical Details: Alexey Podrezov and Gergely Erdelyi, July 16th, 2004;

F-Secure Corporation