F-Secure
Tools
Email-Worm:W32/Bagle.AT
Summary
This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.Disinfection
Disinfection Utility
F-Secure provides the special disinfection utility to eliminate Bagle worm infections. You can download this utility from our ftp site:
Disinfection Instructions
Disinfection instructions can be found here:
System Administrators
System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.
The JAR version can be downloaded from:
F-Secure provides the special disinfection utility to eliminate Bagle worm infections. You can download this utility from our ftp site:
- ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
- ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip
Disinfection Instructions
Disinfection instructions can be found here:
- ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt
System Administrators
System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.
The JAR version can be downloaded from:
- http://www.europe.f-secure.com/tools/f-bagle.jar
- ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar
Additional Details
Email-Worm:W32/Bagle.AT spreads via e-mail file attachments and through Peer-to-Peer (P2P) networks, as well as through a prepended Windows Control Panel Applet (CPL) stub.
This worm is programmed to cease its activity on Apr 25th, 2006.
Infection
Bagle.AT arrives a file attachment to an e-mail message, which has varying subject lines and body texts. The attachment is an executable file with one the following extensions: .EXE, .SCR, .COM and .CPL. The worm uses several different icons for the attachments it sends, such as these:
When the worm's file is run, it copies itself as wingo.exe to Windows System folder and creates a startup key for this file in the Registry:
%SystemDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.
If system date is Apr 25th, 2006 the worm uninstalls itself from the infected system by deleting its startup key in the Registry and terminating its own process.
The worm creates 2 more files in Windows System folder:
These files are used when the worm spreads itself in e-mails.
Propagation (E-mail)
To find new victims, Bagle.AT scans the hard drive to collect e-mail addresses. Files with the following extensions are checked:
The worm ignores e-mail addresses that contain any of the following strings:
Bagle.AT spreads itself in e-mails with randomly-chosen subject lines, mail bodies and attachment names. Bagle.AT uses the following text strings as subjects for infected e-mails that it sends:
Message bodies are randomly chosen from a predefined list:
Attachment names can be one of the following names with EXE, SCR, COM, and CPL extension:
When the worm copies itself in shared folder or sends itself as an e-mail attachment, it changes the icon file of the executable. The icon is picked randomly from the infected computer's hard drive.
Propagation (CPL)
When spreading as a Windows Control Panel Applet file, the worm prepends a small binary dropper to its executable file. When the CPL file is activated, it copies itself as cjector.exe file to Windows folder and then drops the worm's file into Windows System folder.
Propagation (P2P)
Bagle.AT is capable of spreading to shared folders of Peer-to-Peer clients. It scans all available drives and if it finds a folder name that contains 'shar' substring, the worm copies itself there with the following names:
Activity
The worm has a backdoor that listens on port 81. The backdoor code is encrypted with a password. The worm author who knows the password can connect to the computer and execute arbitrary programs. Infected computers are reported to the worm's author by accessing several predefined URLs.
The worm also tries to download and execute a file from list of predefined URLs. The downloaded file is saved on disk under the following name:
At the time of this writing, some of the URLs are functional. The file is a downloader that tries to access another list of predefined URLs.
Finally, Bagle.AT terminates processes of security and antivirus software as well as some other applications. Processes of the following applications are terminated:
Uninstalling the NetSky Worm
To disable the NetSky worm, Bagle.AT removes a number of registry values from under
Additionally the worm creates several MUTEXes with names that are used by NetSky worm, so that certain versions of NetSky will not infect a system where the Bagle.AT worm is active.
This worm is programmed to cease its activity on Apr 25th, 2006.
Infection
Bagle.AT arrives a file attachment to an e-mail message, which has varying subject lines and body texts. The attachment is an executable file with one the following extensions: .EXE, .SCR, .COM and .CPL. The worm uses several different icons for the attachments it sends, such as these:
When the worm's file is run, it copies itself as wingo.exe to Windows System folder and creates a startup key for this file in the Registry:
• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wingo" = "%SystemDir%\ wingo.exe"
"wingo" = "%SystemDir%\ wingo.exe"
%SystemDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.
If system date is Apr 25th, 2006 the worm uninstalls itself from the infected system by deleting its startup key in the Registry and terminating its own process.
The worm creates 2 more files in Windows System folder:
• wingo.exeopen
wingo.exeopenopen
These files are used when the worm spreads itself in e-mails.
Propagation (E-mail)
To find new victims, Bagle.AT scans the hard drive to collect e-mail addresses. Files with the following extensions are checked:
• .wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
The worm ignores e-mail addresses that contain any of the following strings:
• @hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
Bagle.AT spreads itself in e-mails with randomly-chosen subject lines, mail bodies and attachment names. Bagle.AT uses the following text strings as subjects for infected e-mails that it sends:
• Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
Message bodies are randomly chosen from a predefined list:
• :)
:))
Attachment names can be one of the following names with EXE, SCR, COM, and CPL extension:
• Price
price
Joke
When the worm copies itself in shared folder or sends itself as an e-mail attachment, it changes the icon file of the executable. The icon is picked randomly from the infected computer's hard drive.
Propagation (CPL)
When spreading as a Windows Control Panel Applet file, the worm prepends a small binary dropper to its executable file. When the CPL file is activated, it copies itself as cjector.exe file to Windows folder and then drops the worm's file into Windows System folder.
Propagation (P2P)
Bagle.AT is capable of spreading to shared folders of Peer-to-Peer clients. It scans all available drives and if it finds a folder name that contains 'shar' substring, the worm copies itself there with the following names:
• Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
Activity
The worm has a backdoor that listens on port 81. The backdoor code is encrypted with a password. The worm author who knows the password can connect to the computer and execute arbitrary programs. Infected computers are reported to the worm's author by accessing several predefined URLs.
The worm also tries to download and execute a file from list of predefined URLs. The downloaded file is saved on disk under the following name:
• %SystemDir%\re_file.exe
At the time of this writing, some of the URLs are functional. The file is a downloader that tries to access another list of predefined URLs.
Finally, Bagle.AT terminates processes of security and antivirus software as well as some other applications. Processes of the following applications are terminated:
• mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe
Uninstalling the NetSky Worm
To disable the NetSky worm, Bagle.AT removes a number of registry values from under
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
Additionally the worm creates several MUTEXes with names that are used by NetSky worm, so that certain versions of NetSky will not infect a system where the Bagle.AT worm is active.