F-Secure Virus Descriptions : Bagle.AL


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: Bagle.AL
ALIAS: I-Worm.Bagle.al, W32/Bagle.aq@MM, WORM_BAGLE.AC, Bagle.AG, W32/Bagle-AQ
SIZE: 14848

Summary

This Bagle variant was spammed widely on the 9th of August, 2004.

Like other Bagle variants, it sends emails with infected attachments. Typically the email attachment has a name such as new_price.zip, price_new.zip or price_08.zip.

Detailed Description

Bagle.AL is an email worm that collects email addresses from the local hard drive and then sends itself to those addresses with messages that look like this:

  From: <random email address>
  Subject: <nothing>

  price

  Attachment:<variable> price.zip

The attachment name is variable, but always contains the word "price". The attachment is always a ZIP file, which is sometimes encrypted. In those cases the email contains the password as an image, and the email body might be "new price" instead of "price".

The attachment ZIP file contains two files: PRICE.HTML and PRICE.EXE (with hidden attribute set).

When the HTML file is accessed, it uses the Object Data vulnerability in Internet Explorer to load and execute the PRICE.EXE file.
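As an added example (not part of the F-Secure description), the following Python check applies the attachment indicators described above at a mail gateway: a ZIP whose name contains "price" and which holds PRICE.HTML next to a hidden PRICE.EXE. The sample archive it builds is constructed for the demonstration, and the function names are my own.

```python
import io
import zipfile

# DOS/Windows "hidden" attribute bit, stored in the low byte of external_attr
FILE_ATTRIBUTE_HIDDEN = 0x02


def inspect_bagle_al_zip(attachment_name, zip_bytes):
    """Return the Bagle.AL indicators found in one mail attachment.

    Member names and attributes are read from the ZIP central directory,
    which ZIP password protection does not encrypt, so an encrypted
    attachment can still be triaged without the password from the image.
    """
    hits = []
    lowered = attachment_name.lower()
    if "price" in lowered and lowered.endswith(".zip"):
        hits.append("attachment name matches Bagle.AL pattern")
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all, nothing more to check
    members = {info.filename.upper(): info for info in zf.infolist()}
    if any(info.flag_bits & 0x1 for info in members.values()):
        hits.append("archive is password protected")
    if "PRICE.HTML" in members and "PRICE.EXE" in members:
        hits.append("archive contains PRICE.HTML and PRICE.EXE")
        if members["PRICE.EXE"].external_attr & FILE_ATTRIBUTE_HIDDEN:
            hits.append("PRICE.EXE has the hidden attribute set")
    return hits


def build_sample_zip():
    """Constructed sample with the described layout; the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PRICE.HTML", "<html>constructed placeholder</html>")
        exe = zipfile.ZipInfo("PRICE.EXE")
        exe.external_attr = FILE_ATTRIBUTE_HIDDEN  # hidden bit, as the worm sets it
        zf.writestr(exe, b"MZ constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in inspect_bagle_al_zip("new_price.zip", build_sample_zip()):
        print(hit)
```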

When PRICE.EXE is run, it copies itself to the Windows SYSTEM32 directory as WINDLL.EXE and tries to add a registry entry that executes this file.

The worm also locates folders containing the string "SHAR" in their name and copies itself to these folders under several tempting names, such as "Porno pics arhive, xxx.exe".

The worm contains a backdoor which allows the author of the virus to control the infected machines.

To prevent installing itself multiple times, the worm creates and checks for the existence of these mutexes:

  MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  'D'r'o'p'p'e'd'S'k'y'N'e't'
  _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  [SkyNet.cz]SystemsMutex
  AdmSkynetJklS003
  ____--->>>>U<<<<--____
  _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm uses the same mutexes as older Netsky variants did, which prevents the same machine from also getting infected by Netsky.

In an attempt to disable various programs, the worm will remove several registry keys from the following locations:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

The following keys are deleted:

   My AV
   Zone Labs ClientEx
   9XHtProtect
   Antivirus
   Special Firewall Service
   service
   TinyAV
   ICQNet
   HtProtect
   NetDy
   Jammer2nd
   FirewallSvr
   MsInfo
   SysMonXP
   EasyAV
   PandaAVEngine
   Norton Antivirus AV
   KasperskyAVEng
   SkynetsRevenge
   ICQ Net

The worm will then proceed with collecting e-mail addresses and sending out infected e-mail messages.

For more basic information on Bagle variants please see the description of Bagle.Z:

http://www.f-secure.com/v-descs/bagle_z.shtml




Detection

F-Secure Anti-Virus detects Bagle.AL starting from the following update:

[FSAV_Database_Version]

Version=2004-08-09_03



Writeup: Mikko Hypponen, August 9th, 2004;

Technical Details: Katrin Tocheva and Tzvetan Chaliavski, August 9th, 2004;

Description Updated: Tzvetan Chaliavski, August 11, 2004;

F-Secure Corporation