F-Secure Virus Descriptions : Bagle.BA

NAME:Bagle.BA
ALIAS:Email-Worm.Win32.Bagle.ba

Summary

Bagle.BA is another new Bagle variant. Like the recent ones, it arrives in e-mails with variable subjects and attachments, has peer-to-peer spreading capabilities, and contains a backdoor that listens on TCP port 81.

Detailed Description

Bagle.BA arrives in e-mail as a packed executable. It can also spread as a Windows Control Panel Applet (CPL) file, with a small stub prepended to the worm's executable.

System Infection

When the worm's file is run, it copies itself to the Windows System folder as sysformat.exe and creates a startup key for this file in the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "sysformat" = "%SystemDir%\sysformat.exe"

%SystemDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.

Email Propagation

Bagle.BA scans the hard drive to collect e-mail addresses of possible victims. Files with the following extensions are checked:

 .wab
 .txt
 .msg
 .htm
 .shtm
 .stm
 .xml
 .dbx
 .mbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .wsh
 .adb
 .tbb
 .sht
 .xls
 .oft
 .uin
 .cgi
 .mht
 .dhtm
 .jsp

The worm ignores e-mail addresses that contain any of the following strings:

 @microsoft
 rating@
 f-secur
 news
 update
 anyone@
 bugs@
 contract@
 feste
 gold-certs@
 help@
 info@
 nobody@
 noone@
 kasp
 admin
 icrosoft
 support
 ntivi
 unix
 linux
 listserv
 certific
 sopho
 @foo
 @iana
 free-av
 @messagelab
 winzip
 google
 winrar
 samples
 abuse
 panda
 cafee
 spam
 @avp.
 noreply
 local
 root@
 postmaster@

Bagle.BA spreads itself in e-mails with randomly-chosen subject lines, mail bodies and attachment names. The worm can attach itself to e-mails as an executable file with COM, EXE, SCR and CPL extensions.

When spreading as a Windows Control Panel Applet (CPL) file, the worm prepends a small binary dropper to its executable. When the CPL file is activated, the dropper copies itself to the Windows folder as cjector.exe and then drops the worm's file into the Windows System folder.

Bagle.BA uses the following text strings as subjects for infected e-mails that it sends:

 Delivery service mail
 Delivery by mail
 Registration is accepted
 Is delivered mail
 You are made active

Message bodies are randomly chosen from a predefined list:

 Thanks for use of our software
 Before use read the help

Attachment names can be one of the following names with EXE, SCR, COM, and CPL extension:

 wsd01
 viupd02
 siupd02
 guupd02
 zupd02
 upd02
 Jol03
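The subjects, canned bodies and attachment names listed above are fixed strings, so a mail gateway can match on them. The following is an added example (not F-Secure's detection code) that parses a message and reports which Bagle.BA indicators it matches; the sample messages it builds are constructed for the example and contain placeholder bytes, not the worm:

```python
import email
import re
from email.message import EmailMessage
from email.policy import default

# Indicators quoted from the Bagle.BA description (subjects, bodies, attachment names).
SUBJECTS = {"delivery service mail", "delivery by mail", "registration is accepted",
            "is delivered mail", "you are made active"}
BODIES = {"thanks for use of our software", "before use read the help"}
ATTACHMENT = re.compile(
    r"^(wsd01|viupd02|siupd02|guupd02|zupd02|upd02|jol03)\.(exe|scr|com|cpl)$", re.I)


def scan_raw(raw: str) -> list[str]:
    """Parse one RFC 822 message and return the Bagle.BA indicators it matches."""
    msg = email.message_from_string(raw, policy=default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Attachment: compare the file name against the worm's fixed name list.
            if ATTACHMENT.match(name):
                hits.append(f"attachment:{name}")
        elif part.get_content_type() == "text/plain":
            # Inline text: compare the whole body against the two canned messages.
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if body.strip().lower() in BODIES:
                hits.append("body")
    return hits


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Constructed sample message (not a real capture) for exercising scan_raw."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # Placeholder bytes stand in for the packed executable; this is not malware.
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    print(scan_raw(build_sample("Delivery by mail", "Thanks for use of our software", "upd02.exe")))
    print(scan_raw(build_sample("Meeting notes", "See attached", "notes.txt")))
```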

Backdoor

The worm contains a backdoor that listens on TCP port 81. The backdoor code is encrypted with a password; anyone who knows the password (the worm's author) can connect to the computer and execute arbitrary programs. Infected computers are reported to the worm's author by accessing several predefined URLs.

File downloading and executing

The worm tries to download and execute a file from a list of predefined URLs. The downloaded file is saved on disk under the following name:

 %SystemDir%\re_file.exe

Propagation Through Peer-to-Peer Clients

Bagle.BA is capable of spreading to the shared folders of peer-to-peer clients. It scans all available drives and, if it finds a folder whose name contains the substring 'shar', copies itself there under the following names:

 1.exe
 2.exe
 3.exe
 4.exe
 5.exe
 6.exe
 7.exe
 8.exe
 9.exe
 10.exe
 Ahead Nero 7.exe
 Windown Longhorn Beta Leak.exe
 Opera 8 New!.exe
 XXX hardcore images.exe
 WinAmp 6 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 Adobe Photoshop 9 full.exe
 Matrix 3 Revolution English Subtitles.exe
 ACDSee 9.exe
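The Run value, the dropped file names and the peer-to-peer drop names above are host artifacts a responder can check for. The following added example (not F-Secure's code) checks exported Run values and walks a directory tree for the worm's drop names inside folders containing 'shar'; the registry dictionary and the directory tree it builds are constructed for the example, with empty placeholder files rather than the worm:

```python
import ntpath
import os
import tempfile

# Artifacts taken from the Bagle.BA description above.
RUN_VALUE = "sysformat"
DROPPED_FILES = {"sysformat.exe", "re_file.exe", "cjector.exe"}
P2P_DROP_NAMES = {f"{i}.exe" for i in range(1, 11)} | {
    "ahead nero 7.exe", "windown longhorn beta leak.exe", "opera 8 new!.exe",
    "xxx hardcore images.exe", "winamp 6 new!.exe",
    "winamp 5 pro keygen crack update.exe", "adobe photoshop 9 full.exe",
    "matrix 3 revolution english subtitles.exe", "acdsee 9.exe"}


def check_run_values(run_values: dict) -> list:
    """run_values maps value names to data exported from the HKCU Run key by the caller."""
    hits = []
    for name, data in run_values.items():
        # Flag the worm's value name, or any Run entry pointing at one of its dropped files.
        if name.lower() == RUN_VALUE or ntpath.basename(data).lower() in DROPPED_FILES:
            hits.append(f"run:{name}={data}")
    return hits


def scan_share_folders(root: str) -> list:
    """Flag Bagle.BA drop names inside any folder whose name contains 'shar'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" in os.path.basename(dirpath).lower():
            hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in P2P_DROP_NAMES)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed directory tree (empty placeholder files, no malware) for scan_share_folders."""
    root = os.path.join(tempfile.mkdtemp(), "drive_c")
    for rel in ("Shared/Opera 8 New!.exe", "Shared/5.exe", "Shared/readme.txt",
                "Music/1.exe", "Program Files/Ahead Nero 7.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    sample_run = {"sysformat": r"C:\Windows\System32\sysformat.exe", "ctfmon": "ctfmon.exe"}
    print(check_run_values(sample_run))
    print(scan_share_folders(build_sample_tree()))
```

Only files inside folders whose name contains 'shar' are reported, matching the worm's own folder test, so 1.exe under Music is deliberately not flagged.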

Terminating Security Software

Bagle.BA terminates processes of security and anti-virus software as well as some other applications. Processes with the following names are terminated:

 mcagent.exe
 mcvsshld.exe
 mcshield.exe
 mcvsescn.exe
 mcvsrte.exe
 DefWatch.exe
 Rtvscan.exe
 ccEvtMgr.exe
 NISUM.EXE
 ccPxySvc.exe
 navapsvc.exe
 NPROTECT.EXE
 nopdb.exe
 ccApp.exe
 Avsynmgr.exe
 VsStat.exe
 Vshwin32.exe
 alogserv.exe
 RuLaunch.exe
 Avconsol.exe
 PavFires.exe
 FIREWALL.EXE
 ATUPDATER.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 AUTODOWN.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ESCANH95.EXE
 AVXQUAR.EXE
 ESCANHNT.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVXQUAR.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 CFIAUDIT.EXE
 UPDATE.EXE
 NUPGRADE.EXE
 MCUPDATE.EXE
 pavsrv50.exe
 AVENGINE.EXE
 APVXDWIN.EXE
 pavProxy.exe
 navapw32.exe
 navapsvc.exe
 ccProxy.exe
 navapsvc.exe
 NPROTECT.EXE
 SAVScan.exe
 SNDSrvc.exe
 symlcsvc.exe
 LUCOMS~1.EXE
 blackd.exe
 bawindo.exe
 FrameworkService.exe
 VsTskMgr.exe
 SHSTAT.EXE
 UpdaterUI.exe

Detection

F-Secure Anti-Virus detects Bagle.BA starting from the following update:

[FSAV_Database_Version]

Version=2005-01-27_04

Write-Up: Katrin Tocheva, January 27th, 2005;

Technical Details: Gergely Erdelyi, Jarkko Turkulainen & Ero Carrera, Jan 27th, 2005;

F-Secure Corporation