F-Secure Virus Descriptions : Bagle.AN


NAME:Bagle.AN
ALIAS:I-Worm.Bagle.an, W32/Bagle.AN
SIZE:18436

Summary

We received this Bagle variant on September 1st, 2004. This worm sends out an archive named FOTO.ZIP that contains a FOTO.HTML file and a hidden file named FOTO1.EXE, which is located in a hidden subfolder named 'FOTO'. The FOTO1.EXE file is a dropper for the downloader named Glieder.H, which downloads the Bagle.AN worm's file from one of several websites. For more information about the Glieder.H dropper and downloader please see the following link:

http://www.f-secure.com/v-descs/gliederh.shtml

Detailed Description

The worm's file is a PE executable 18.5 kilobytes long, packed with the PEX file compressor. Additionally the worm has a decryptor that decrypts 2 areas in the worm's body.

System Infection

When the worm's file is run, it creates mutexes with the following names:

 MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
 'D'r'o'p'p'e'd'S'k'y'N'e't'
 _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
 [SkyNet.cz]SystemsMutex
 AdmSkynetJklS003
 ____--->>>>U<<<<--____
 _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

After that the worm deletes the following Registry key values:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
 "My AV"
 "Zone Labs Client Ex"
 "9XHtProtect"
 "Antivirus"
 "Special Firewall Service"
 "service"
 "Tiny AV"
 "ICQNet"
 "HtProtect"
 "NetDy"
 "Jammer2nd"
 "FirewallSvr"
 "MsInfo"
 "SysMonXP"
 "EasyAV"
 "PandaAVEngine"
 "Norton Antivirus AV"
 "KasperskyAVEng"
 "SkynetsRevenge"
 "ICQ Net"

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
 "My AV"
 "Zone Labs Client Ex"
 "9XHtProtect"
 "Antivirus"
 "Special Firewall Service"
 "service"
 "Tiny AV"
 "ICQNet"
 "HtProtect"
 "NetDy"
 "Jammer2nd"
 "FirewallSvr"
 "MsInfo"
 "SysMonXP"
 "EasyAV"
 "PandaAVEngine"
 "Norton Antivirus AV"
 "KasperskyAVEng"
 "SkynetsRevenge"
 "ICQ Net"

All the above is done to prevent Netsky worms from infecting computers that are already affected by this Bagle variant as well as to remove existing Netsky variants from a system.

Also the worm terminates processes with the following names:

 no1t1ad.exe
 t1es451t.exe

The worm copies itself into the Windows System folder as WINDLL.EXE and adds a Registry value for this file:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
 "erthgdr" = "%WinSysDir%\windll.exe"

where %WinSysDir% represents the Windows System folder. Additionally the worm creates 2 more files in the Windows System folder that are copies of itself:

 windll.exeopen
 windll.exeopenopen

Collecting E-mail Addresses

The worm scans all hard drives on an infected computer for victims' e-mail addresses. It reads files with the following extensions and searches for e-mail addresses in them:

 .wab
 .txt
 .msg
 .htm
 .shtm
 .stm
 .xml
 .dbx
 .mbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .wsh
 .adb
 .tbb
 .sht
 .xls
 .oft
 .uin
 .cgi
 .mht
 .dhtm
 .jsp

The worm avoids sending e-mails to the following e-mail addresses:

 @eerswqe
 @derewrdgrs
 @microsoft
 rating@
 f-secur
 news
 update
 anyone@
 bugs@
 contract@
 feste
 gold-certs@
 help@
 info@
 nobody@
 noone@
 kasp
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 sopho
 @foo
 @iana
 free-av
 @messagelab
 winzip
 google
 winrar
 samples
 abuse
 panda
 cafee
 spam
 pgp
 @avp.
 noreply
 local
 root@
 postmaster@

The worm doesn't send its own copy in e-mails. Instead it sends a ZIP archive that contains an HTML file named FOTO.HTML and the Glieder.H trojan dropper named FOTO1.EXE, which is located in a subfolder named 'FOTO' in the same archive. Both the executable file and the subfolder have hidden attributes. The HTML file uses an exploit to activate the dropper. The Glieder.H dropper drops another component, which is a downloader for the Bagle.AN worm's file. The worm's file was placed by its author on several websites under the name B.JPG.

Spreading to Shared Folders

When the worm looks for e-mail addresses on a hard disk, it also looks for folders whose names contain the substring 'shar'. If such a folder is found, the worm copies itself there under one of the following names:

 Microsoft Office 2003 Crack, Working!.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 Microsoft Office XP working Crack, Keygen.exe
 Porno, sex, oral, anal cool, awesome!!.exe
 Porno Screensaver.scr
 Serials.txt.exe
 KAV 5.0
 Kaspersky Antivirus 5.0
 Porno pics arhive, xxx.exe
 Windows Sourcecode update.doc.exe
 Ahead Nero 7.exe
 Windown Longhorn Beta Leak.exe
 Opera 8 New!.exe
 XXX hardcore images.exe
 WinAmp 6 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 Adobe Photoshop 9 full.exe
 Matrix 3 Revolution English Subtitles.exe
 ACDSee 9.exe

This way the worm can spread to shared network folders as well as to the shared folders of peer-to-peer (P2P) clients, for example Kazaa.

Backdoor Component

When active, the worm listens on TCP port 82 for commands from a remote host. The worm also browses the Internet cache and attempts to download a file named '_re_file.exe' from cached websites.

Limited Lifecycle

The worm has a limited lifecycle. If the date is September 2nd 2004 or later, the worm deletes its Registry keys and terminates its process.
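As an added defender-side example (not part of the original F-Secure description), the following Python triage routine checks a constructed host snapshot for the indicators listed above: the Run value "erthgdr" pointing at windll.exe, the mutex names, the dropped copies in the System folder, lure files in folders containing 'shar', and a listener on TCP port 82. The snapshot format and the sample paths are assumptions; the lure check generalizes beyond the listed names to any crack/keygen-themed or double-extension file in such a folder.

```python
import re

# Host indicators taken from the Bagle.AN description above (names as given on the page).
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
DROPPED_FILES = {"windll.exe", "windll.exeopen", "windll.exeopenopen"}
RUN_VALUE_NAME = "erthgdr"
BACKDOOR_PORT = 82
# Lures dropped into 'shar' folders use a disguising double extension or a crack/keygen theme.
LURE_RE = re.compile(r"(\.(txt|doc)\.exe$|crack|keygen)", re.IGNORECASE)

def triage(snapshot):
    """Return a list of Bagle.AN findings for a host snapshot (dict shape is assumed)."""
    findings = []
    for hive, values in snapshot.get("run_values", {}).items():
        for name, data in values.items():
            if name == RUN_VALUE_NAME or data.lower().endswith("\\windll.exe"):
                findings.append(f"run value {hive}\\{name} = {data}")
    for mutex in snapshot.get("mutexes", []):
        if mutex in MUTEXES:
            findings.append(f"mutex {mutex}")
    for path in snapshot.get("files", []):
        folder, _, base = path.rpartition("\\")
        if base.lower() in DROPPED_FILES:
            findings.append(f"dropped file {path}")
        elif "shar" in folder.lower() and LURE_RE.search(base):
            findings.append(f"share lure {path}")
    if BACKDOOR_PORT in snapshot.get("listening_tcp", []):
        findings.append(f"tcp listener on port {BACKDOOR_PORT}")
    return findings

# Constructed snapshot of an infected host; the clean entries show that they produce no hits.
SAMPLE = {
    "run_values": {
        "HKCU": {"erthgdr": "C:\\WINDOWS\\system32\\windll.exe", "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"},
        "HKLM": {"SoundMan": "SOUNDMAN.EXE"},
    },
    "mutexes": ["AdmSkynetJklS003", "ShimCacheMutex"],
    "files": [
        "C:\\WINDOWS\\system32\\windll.exeopen",
        "C:\\Program Files\\Kazaa\\My Shared Folder\\Serials.txt.exe",
        "C:\\Program Files\\Kazaa\\My Shared Folder\\readme.txt",
        "C:\\Users\\alice\\Documents\\report.doc",
    ],
    "listening_tcp": [135, 82, 445],
}

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Because of the kill date described above, a host examined after September 2nd, 2004 may show only the dropped files and not the Run value or the running process.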

Detection

F-Secure Anti-Virus detects Bagle.AN starting from the following update:

[FSAV_Database_Version]

Version=2004-09-01_04

Technical Details: Alexey Podrezov, September 1st, 2004;

F-Secure Corporation