F-Secure Virus Descriptions : Bagle.BE

NAME:Bagle.BE
ALIAS:Email-Worm.Bagle.BE

Summary

Another new Bagle variant, Bagle.BE, was found on March 1st, 2005. This Bagle sends infected messages containing another Bagle-related component.

The worm also contains a backdoor that listens on TCP port 80.

Detailed Description

Installation to system

When the worm's file is run, it copies itself as 'windlhhl.exe' to the Windows System folder. It installs the following registry key:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n]
 "erghgjhgdr" = "%Sysdir%\windlhhl.exe"

%SysDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.
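As an added example (not part of the F-Secure description), the following Python script shows how a responder could check a registry export for the persistence indicator listed above. The .reg text is constructed for illustration; the key path, value name and file name are taken from the description exactly as printed, and the parser handles only the string-value lines of a standard export.

```python
import re

# Indicators as printed in the Bagle.BE description above.
BAGLE_BE_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n"
BAGLE_BE_VALUE_NAME = "erghgjhgdr"
BAGLE_BE_FILENAME = "windlhhl.exe"

# Constructed sample of a registry export (.reg text); not from a real machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erghgjhgdr"="C:\\WINDOWS\\System32\\windlhhl.exe"
'''

HIVE_ABBREV = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}

# A string value line in a .reg export: "name"="data" (or "name"=dword:...).
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return (key, value_name, data) tuples from a .reg export.

    Hive names are shortened (HKEY_CURRENT_USER -> HKCU) and the doubled
    backslashes of string data are collapsed back to single ones.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, sep, rest = line[1:-1].partition("\\")
            key = HIVE_ABBREV.get(hive, hive) + sep + rest
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            entries.append((key, m.group("name"), data))
    return entries


def find_bagle_be_persistence(text):
    """Return every value in the export that matches a Bagle.BE indicator."""
    hits = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if key.lower() == BAGLE_BE_RUN_KEY.lower():
            reasons.append("key path is the 'Ru1n' key from the description")
        if name == BAGLE_BE_VALUE_NAME:
            reasons.append("value name is 'erghgjhgdr'")
        if data.lower().endswith(BAGLE_BE_FILENAME):
            reasons.append("data points at windlhhl.exe")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_bagle_be_persistence(SAMPLE_REG_EXPORT):
        print(hit)
```

Each of the three indicators is reported separately, so a renamed dropper or a changed value name still produces a hit on the remaining indicators.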

Email Propagation

Bagle.BE gathers e-mail addresses from a central server that dynamically generates a seemingly random list of addresses. The server address is polled periodically and the returned file is saved as 'eml.exe' in the Windows folder. At the time of this writing, the list always contains 50 addresses. The server address is static.

The worm ignores e-mail addresses that contain any of the following strings:

 @eerswqe
 @derewrdgrs
 @microsoft
 rating@
 f-secur
 news
 update
 anyone@
 bugs@
 contract@
 feste
 gold-certs@
 help@
 info@
 nobody@
 noone@
 kasp
 admin
 icrosoft
 support
 ntivi
 unix
 linux
 listserv
 certific
 sopho
 @foo
 @iana
 free-av
 @messagelab
 winzip
 google
 winrar
 samples
 abuse
 panda
 cafee
 spam
 @avp.
 noreply
 local
 root@
 postmaster@

The e-mail subject line is empty and the body is selected from one of the following variants:

 price
 new price

The worm attaches a file stored in its body to the e-mails. This file is a ZIP archive containing a downloader component. When extracted, the archive drops a file named 'Loader/doc_01.exe'. This file is detected as 'Email-Worm.Win32.Bagle.bb'.

Please see the following description for more information:

http://www.f-secure.com/v-descs/bagle_bb.shtml

The archive can also be password protected. In that case, the worm adds the password to the e-mail body. The following variants can be used:

 Password: <password>
 The password is: <password>
 Pass - <password>
 Password - <password>

where <password> is an image containing the password for the worm's archive. Sometimes the worm sends the password for its archive as ASCII text. In some cases the whole password information can be sent as an image.

The attached file can have one of the following filenames:

 price.zip
 price2.zip
 price_new.zip
 price_08.zip
 08_price.zip
 newprice.zip
 new_price.zip
 new__price.zip
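The lure characteristics above (empty subject, a body of 'price' or 'new price', an optional password line, and the listed attachment names) can be combined into a mail-gateway triage rule. The Python below is an added example rather than anything from the original page or from F-Secure; the sample messages are constructed in code, the "archive" is only a ZIP header so the script runs offline, and the quarantine threshold is an assumption.

```python
import email
import re
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Lure strings listed in the Bagle.BE description above.
BAGLE_BE_BODIES = {"price", "new price"}
BAGLE_BE_ATTACHMENTS = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
# Password lines the worm may append; the password itself may be plain text
# or an image, so the trailing token is optional.
PASSWORD_LINE = re.compile(
    r"^(?:Password:|The password is:|Pass -|Password -)[ \t]*\S*[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
ZIP_MAGIC = b"PK\x03\x04"       # local file header signature of a ZIP archive
ASSUMED_ALERT_THRESHOLD = 3      # assumption: three or more traits -> quarantine


def score_bagle_be_message(msg):
    """Return the list of Bagle.BE lure traits found in an EmailMessage."""
    traits = []
    if not (msg.get("Subject") or "").strip():
        traits.append("empty subject")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    body_without_password = PASSWORD_LINE.sub("", body).strip().lower()
    if body_without_password in BAGLE_BE_BODIES:
        traits.append("lure body '%s'" % body_without_password)
    if PASSWORD_LINE.search(body):
        traits.append("archive password hint in body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name in BAGLE_BE_ATTACHMENTS:
            traits.append("attachment name %s" % name)
        if data.startswith(ZIP_MAGIC):   # check content, not just the extension
            traits.append("zip attachment")
    return traits


def should_quarantine(msg):
    return len(score_bagle_be_message(msg)) >= ASSUMED_ALERT_THRESHOLD


def build_message(subject, body, attachment_name, attachment_bytes):
    """Build a constructed test message and re-parse it as an EmailMessage."""
    outer = MIMEMultipart()
    outer["From"] = "sender@example.com"
    outer["To"] = "recipient@example.com"
    if subject:
        outer["Subject"] = subject
    outer.attach(MIMEText(body, "plain"))
    attachment = MIMEApplication(attachment_bytes, _subtype="octet-stream")
    attachment.add_header("Content-Disposition", "attachment", filename=attachment_name)
    outer.attach(attachment)
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)


def build_worm_sample():
    # Constructed Bagle.BE-style lure; the attachment is only a ZIP header, not a real archive.
    return build_message(None, "new price\nPassword: 12345\n", "price_new.zip",
                         ZIP_MAGIC + bytes(26))


def build_benign_sample():
    # Constructed ordinary business message for comparison.
    return build_message("Q3 figures", "Please find the report attached.\n",
                         "report.pdf", b"%PDF-1.4\n")


if __name__ == "__main__":
    for sample in (build_worm_sample(), build_benign_sample()):
        print(score_bagle_be_message(sample), should_quarantine(sample))
```

Scoring on several weak traits rather than one strong one is deliberate: the attachment names and body strings are trivial for a later variant to change, while the combination of an empty subject, a one-word body and a password-protected ZIP remains characteristic of this family's lures.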

Payload

This variant of Bagle tries to remove the following Netsky worm startup keys:

 My AV
 Zone Labs Client Ex
 9XHtProtect
 Antivirus
 Special Firewall Service
 service
 Tiny AV
 ICQNet
 HtProtect
 NetDy
 Jammer2nd
 FirewallSvr
 MsInfo
 SysMonXP
 EasyAV
 PandaAVEngine
 Norton Antivirus AV
 KasperskyAVEng
 SkynetsRevenge
 ICQ Net

Additionally, the worm creates several mutexes whose names are used by the Netsky worm.

Backdoor

The worm has a backdoor that listens on port 80. The backdoor code is encrypted with a password. The worm author, who knows the password, can connect to the computer and execute arbitrary programs.
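For the backdoor, a defender wants to know which process owns a TCP port 80 listener on a workstation that should not be serving HTTP. The Python below is an added example, not from the original description: it parses constructed `netstat -ano` output and a constructed PID-to-image map (as `tasklist` would supply), and the allowlist of expected web-server image names is an assumption.

```python
# Indicators from the description: the worm's file name and its listening port.
BAGLE_BE_FILENAME = "windlhhl.exe"
BACKDOOR_PORT = 80

# Assumption: image names of web servers a host might legitimately run on port 80.
ASSUMED_WEB_SERVER_IMAGES = {"inetinfo.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}

# Constructed `netstat -ano` output in Windows format; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1688
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.5:1043       198.51.100.7:443       ESTABLISHED     2312
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID-to-image mapping, as `tasklist` would report it.
SAMPLE_PROCESSES = {1688: "windlhhl.exe", 892: "svchost.exe", 1204: "alg.exe",
                    2312: "iexplore.exe", 4: "System"}


def parse_tcp_listeners(netstat_text):
    """Yield (local_ip, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition keeps IPv6 forms such as [::]:80 intact.
        local_ip, _, port = fields[1].rpartition(":")
        yield local_ip, int(port), int(fields[4])


def find_suspicious_port80_listeners(netstat_text, pid_to_image,
                                     allowed_images=ASSUMED_WEB_SERVER_IMAGES):
    """Return port 80 listeners whose owning process is not an expected web server."""
    allowed = {name.lower() for name in allowed_images}
    findings = []
    for local_ip, port, pid in parse_tcp_listeners(netstat_text):
        if port != BACKDOOR_PORT:
            continue
        image = pid_to_image.get(pid, "<unknown>")
        reasons = []
        if image.lower() == BAGLE_BE_FILENAME:
            reasons.append("owning process matches the Bagle.BE file name")
        if image.lower() not in allowed:
            reasons.append("image %s is not an expected web server" % image)
        if reasons:
            findings.append({"local": "%s:%d" % (local_ip, port), "pid": pid,
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_port80_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(finding)
```

The owning image is checked against an allowlist rather than only against 'windlhhl.exe', so the check still flags a renamed copy; on a workstation the allowlist can usually be empty, since nothing there should be listening on port 80 at all.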

Detection

F-Secure Anti-Virus detects Bagle.BE starting from the following update:

[FSAV_Database_Version]

Version=2005-03-01_01



Technical Details: Jarkko Turkulainen, Mar 1st, 2005

F-Secure Corporation