F-Secure Virus Descriptions : Bagle.AW
NAME: Bagle.AW
ALIAS: I-Worm.Bagle.aw, W32/Beagle.AW@mm, W32.Beagle.AX@mm
Bagle.AW is a mass-mailing worm with peer-to-peer spreading
capabilities. It was found in the middle of November 2004 and is a
close variant of the Bagle.Z worm. Bagle.AW spreads using different
subjects, email bodies and attachments. The attachment is either an
executable file or a script dropper with one of the following
extensions: .EXE, .SCR, .COM, .CPL, .HTA or .VBS. The worm can also
send itself inside a password-protected ZIP archive.
In the CPL form the worm's executable is carried behind a prepended
Windows Control Panel Applet (CPL) stub (see below); in the VBS and
HTA forms it is carried by a script dropper that writes the worm's
executable to disk and runs it.
System Infection
When the worm's file is run, it copies itself as SYSINIT.EXE to
Windows System folder and creates a startup key for this file in
the Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Syskey" = "%SystemDir%\sysinit.exe"
where %SystemDir% represents the Windows System folder name, for
example C:\Windows\System32 on Windows XP systems.
Additionally the worm creates two more files in the Windows System
folder:
sysinit.exeopen
sysinit.exeopenopen
These files are used when the worm spreads itself in e-mails.
Email Propagation
Bagle.AW scans the hard drive to collect e-mail addresses of
possible victims. Files with the following extensions are
checked:
.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp
The worm ignores e-mail addresses that contain any of the
following strings:
@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
Bagle.AW spreads itself in e-mails with randomly chosen subject
lines, mail bodies and attachment names. The worm can attach itself
to e-mails as an executable file with a COM, EXE, SCR or CPL
extension, or as an HTA or VBS dropper.
The VBS and HTA droppers both contain Visual Basic Script code and
use the CreateObject function to write Bagle's executable file to
the current folder and run it. The VBS dropper drops the VSS_2.EXE
file and the HTA dropper drops the QWRK.EXE file.
When spreading as a Windows Control Panel Applet (CPL) file, the
worm prepends a small binary dropper to its executable file. When
the CPL file is activated, the stub copies itself as CPLSTUB.EXE to
the Windows folder and then drops the worm's file into the Windows
System folder.
Bagle.AW uses the following text strings as subjects for infected
e-mails that it sends:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message bodies are randomly chosen from a predefined list:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
Attachment names can be one of the following names with EXE, SCR,
COM, and CPL extension:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
When the worm sends itself in a password-protected ZIP archive, it
adds one of the following text strings to the message body:
For security reasons attached file is password protected. The password is <password>
For security purposes the attached file is password protected. Password -- <password>
Note: Use password <password> to open archive.
Attached file is protected with the password for security reasons. Password is <password>
In order to read the attach you have to use the following password: <password>
Archive password: <password>
Password - <password>
Password: <password>
where <password> is the password for the archive. The password is
not sent as ASCII text but as a specially created image containing
the password text, so a text-based filter cannot extract it and
open the archive automatically.
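The following script is an added example (it is not F-Secure's code and not part of the original description) showing how the lures listed above can be turned into a mail-gateway check. It matches the subject and attachment names, flags executable attachments, reads the ZIP central directory to see whether an archive is encrypted without needing the password, and treats "password phrase in the body + image attachment + encrypted archive" as the image-password trick. The sample messages, the hand-assembled ZIP, the e-mail addresses and the quarantine policy (block any executable attachment, any encrypted archive that contains an executable, and any encrypted archive whose password arrives as an image) are assumptions of this example, not facts from the description.

```python
import email
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# Lures taken from the description above; everything else in this file is an assumption.
BAGLE_SUBJECTS = {s.lower() for s in (
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Notification", "Changes..", "Update",
    "Fax Message", "Protected message", "RE: Protected message", "Forum notify",
    "Site changes", "Re: Hi", "Encrypted document")}
BAGLE_ATTACH_STEMS = {"information", "details", "text_document", "updates",
                      "readme", "document", "info", "moreinfo", "message"}
EXEC_EXTS = {"exe", "scr", "com", "cpl", "hta", "vbs"}
PASSWORD_PHRASES = ("password is", "password --", "use password", "password:",
                    "password -", "archive password", "following password")


def zip_encrypted_entries(data: bytes) -> list:
    """Names of entries whose general-purpose flag bit 0 (encryption) is set.
    Names and flags live in the central directory in cleartext, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def analyse(raw: bytes) -> dict:
    """Score one raw RFC 822 message; returns the indicators found and a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if str(msg["Subject"] or "").strip().lower() in BAGLE_SUBJECTS:
        findings.append("bagle_subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    has_password_phrase = any(p in body for p in PASSWORD_PHRASES)
    if has_password_phrase:
        findings.append("password_phrase_in_body")
    has_image = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if part.get_content_type().startswith("image/"):
            has_image = True          # candidate carrier for the image-only password
            continue
        if ext in EXEC_EXTS:
            findings.append(f"executable_attachment:{name}")
        if stem in BAGLE_ATTACH_STEMS:
            findings.append(f"bagle_attachment_name:{name}")
        if ext == "zip":
            try:
                encrypted = zip_encrypted_entries(part.get_content())
            except zipfile.BadZipFile:
                findings.append(f"malformed_zip:{name}")
                continue
            if encrypted:
                findings.append(f"encrypted_zip:{name}")
                if any(e.rsplit(".", 1)[-1].lower() in EXEC_EXTS for e in encrypted):
                    findings.append("encrypted_zip_contains_executable")
    if has_password_phrase and has_image and any(f.startswith("encrypted_zip") for f in findings):
        findings.append("password_supplied_as_image")
    quarantine = any(f.startswith(("executable_attachment", "encrypted_zip_contains_executable",
                                   "password_supplied_as_image")) for f in findings)
    return {"findings": findings, "quarantine": quarantine}


def build_zip(entry_name: str, payload: bytes, encrypted_flag: bool) -> bytes:
    """Hand-assemble a one-entry stored ZIP (constructed test data). With encrypted_flag the
    headers claim traditional PKZIP encryption although the payload is stored as-is."""
    name = entry_name.encode()
    flags = 0x0001 if encrypted_flag else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(payload), len(payload), len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                          crc, len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_message(subject, body, attach_name, attach_bytes, with_image) -> bytes:
    """Constructed sample e-mail; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if with_image:   # stands in for the picture that carries the archive password
        msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="pass.png")
    msg.add_attachment(attach_bytes, maintype="application", subtype="zip", filename=attach_name)
    return msg.as_bytes()


LURE = build_message("Re: Thank you!",
                     "For security reasons attached file is password protected. The password is",
                     "Information.zip", build_zip("Information.exe", b"MZ placeholder", True), True)
BENIGN = build_message("Quarterly figures", "Spreadsheet attached as discussed.",
                       "figures.zip", build_zip("figures.csv", b"a,b\n1,2\n", False), False)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, analyse(raw))
```

The encryption check deliberately never tries to open the archive: the worm's whole point is that the password is only in a picture, so a gateway that needs the password to decide is the one this trick defeats, whereas flag bit 0 and the entry names are readable without it.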
Backdoor
The worm has a backdoor that listens on port 2002. Access to the
backdoor is protected by a password; the worm's author, who knows
the password, can connect to the computer and execute arbitrary
programs on it. Infected computers are reported to the worm's author
by accessing a predefined URL on the 'webnomey.net' web server.
File downloading and executing
The worm also tries to download and execute a file from a predefined
URL. The downloaded file is saved on disk as 1.EXE and then executed.
This file is a spying trojan that is detected by FSAV as
'Trojan-Spy.Win32.Agent.bx'.
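As an added example (not F-Secure's code and not part of the original description), the script below turns the two network indicators above into host and proxy checks: a TCP listener on port 2002 owned by the dropped SYSINIT.EXE, and proxy traffic to the report host or fetching an executable. The netstat -ano text, the PID-to-image map, the proxy-log format and its lines are constructed; the description does not give the worm's URL path or the download URL, so only the host name and the .exe extension are matched.

```python
import re
from urllib.parse import urlsplit

BACKDOOR_PORT = 2002             # from the description
CALLBACK_HOST = "webnomey.net"   # from the description
DROPPED_IMAGE = "sysinit.exe"    # from the System Infection section

# Matches the data rows of Windows "netstat -ano"; UDP rows have no State column.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def find_backdoor_listeners(netstat_text: str, pid_to_image: dict) -> list:
    """TCP listeners on the backdoor port, with the owning image resolved via pid_to_image."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, _faddr, state, pid = m.groups()
        if proto == "TCP" and int(lport) == BACKDOOR_PORT and state == "LISTENING":
            image = pid_to_image.get(int(pid), "<unknown>")
            hits.append({"pid": int(pid), "image": image,
                         "image_is_dropped_file": image.lower().endswith("\\" + DROPPED_IMAGE)})
    return hits


def find_callbacks(proxy_log: str) -> list:
    """Flag proxy rows (constructed format: time client method url status) that reach the
    report host or download an executable. Returns (client, reason, url) tuples."""
    flagged = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == CALLBACK_HOST or host.endswith("." + CALLBACK_HOST):
            flagged.append((client, "callback", url))
        elif parts.path.lower().endswith(".exe"):
            flagged.append((client, "exe_download", url))
    return flagged


# Constructed "netstat -ano" output from a hypothetical infected host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       1684
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED     1684
  UDP    0.0.0.0:500            *:*                                    716
"""
# Constructed PID-to-image map (what "tasklist" or "wmic process" would give you).
PIDS = {920: r"C:\WINDOWS\system32\svchost.exe",
        1684: r"C:\WINDOWS\system32\sysinit.exe",
        716: r"C:\WINDOWS\system32\lsass.exe"}
# Constructed proxy log; paths and the 203.0.113.5 address are placeholders.
PROXY_LOG = """\
1100600001.001 192.168.1.10 GET http://www.example.com/index.html 200
1100600002.115 192.168.1.10 GET http://webnomey.net/report-placeholder 200
1100600003.420 192.168.1.10 GET http://203.0.113.5/placeholder.exe 200
1100600004.000 192.168.1.22 GET http://www.example.org/about 304
"""


def demo():
    return find_backdoor_listeners(NETSTAT, PIDS), find_callbacks(PROXY_LOG)


if __name__ == "__main__":
    listeners, callbacks = demo()
    print("backdoor listeners:", listeners)
    print("suspicious proxy rows:", callbacks)
```

Matching the host rather than a full URL keeps the callback rule valid even if the path changes between variants, and correlating the proxy client address with a host that shows the port-2002 listener is what separates this variant from any other program that happens to use that port.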
Propagation Through Peer-to-Peer Clients
Bagle.AW is capable of spreading to shared folders of
Peer-to-Peer clients. It scans all available drives and if it
finds a folder name that contains 'shar' substring, the worm
copies itself there with the following names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
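The following scanner is an added example (not F-Secure's code and not part of the original description) of the P2P-share check a responder would run: it walks a drive, looks only at folders whose name contains 'shar' as the worm does, and reports the file names listed above, executables with a decoy double extension such as .txt.exe or .doc.exe, and executables whose names use the crack/keygen/porn wording of the lures. The list of decoy extensions generalises the two cases shown above and is an assumption; the directory tree it scans is constructed inside a temporary folder.

```python
import os
import tempfile
from pathlib import Path

# File names Bagle.AW drops into P2P share folders (from the description).
BAGLE_P2P_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr",
    "Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
}
EXEC_EXTS = {".exe", ".scr", ".com", ".cpl"}            # executable forms the worm uses
DECOY_EXTS = {".txt", ".doc", ".jpg", ".zip", ".pdf"}    # assumption: generalises .txt.exe / .doc.exe
LURE_WORDS = ("crack", "keygen", "serial", "porno", "xxx", "hardcore", "leak")  # from the names above


def find_p2p_lures(root) -> list:
    """Return sorted (relative_path, [reasons]) for suspicious files in 'shar*' folders under root."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():   # the worm's own folder test
            continue
        for fn in filenames:
            suffixes = [s.lower() for s in Path(fn).suffixes]
            is_exec = bool(suffixes) and suffixes[-1] in EXEC_EXTS
            reasons = []
            if fn in BAGLE_P2P_NAMES:
                reasons.append("known_bagle_name")
            if is_exec:
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                    reasons.append("double_extension")
                if any(w in fn.lower() for w in LURE_WORDS):
                    reasons.append("lure_wording")
                if not reasons:
                    reasons.append("executable_in_share")   # low severity, still worth a look
            if reasons:
                hits.append(((Path(dirpath) / fn).relative_to(root).as_posix(), reasons))
    return sorted(hits)


def demo() -> list:
    """Build a constructed directory tree in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "drive"
        layout = {
            "My Shared Folder": ["Serials.txt.exe", "Opera 8 New!.exe", "holiday.jpg"],
            "shared": ["KAV 5.0", "setup.exe"],
            "Documents": ["setup.exe"],     # not a share folder, so the worm ignores it and so do we
        }
        for folder, names in layout.items():
            (drive / folder).mkdir(parents=True)
            for n in names:
                (drive / folder / n).write_bytes(b"placeholder")
        return find_p2p_lures(drive)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

Restricting the walk to 'shar' folders mirrors the worm's own selection rule, which keeps the scan fast on a full drive; drop that test if you also want to catch copies a user has since moved out of the share.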
Terminating Security Software
Bagle.AW terminates processes of security and antivirus software
as well as some other applications. Processes of the following
applications are terminated:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
sys_xp.exe
sysxp.exe
UPDATE.EXE
winxp.exe
kavsvc.exe
Uninstalling the NetSky Worm
To disable the NetSky worm, Bagle.AW removes a number of registry
values from the following keys:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
These values are:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
Additionally the worm creates several mutexes with names used by the
NetSky worm, so certain versions of NetSky will not infect a system
where Bagle.AW is active.
F-Secure Anti-Virus detects Bagle.AW starting from the following
update:
[FSAV_Database_Version]
Version=2004-11-16_02
Technical Details:
Alexey Podrezov, Kartin Tocheva, Sami Rautiainen, November 17th, 2004;
F-Secure Corporation