F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Bagle.bw

[Summary] | [Detailed Description] | [Detection]



NAME:Bagle.bw
ALIAS:Email-Worm.Win32.Bagle.bw

Summary

A new Bagle variant - Bagle.bw was found on Aug 4th, 2005 and is spreading in the wild. This variant is very similar to older variants, it sends variable emails containing EXE attachments. It also opens backdoor and can act as proxy and email relay.

Detailed Description

Installation to system

When the worm's file is run, it copies itself as WINHOST.EXE file to Windows System folder and creates a startup key for this file in the Registry: 

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "winhost.exe" = "%winsysdir%\winhost.exe"

where %winsysdir% represents Windows System folder name.

The worm also sets the following registry values for later use: 

 [HKCU\Software\Timeout]
 "pid"  = <worm process id>
 "port" = <backdoor port>
 "uid"  = <random>

If the worms file is executed with command line option '-upd', the worm kills process with "pid" value above before proceeding. By default, the port is 9030. It can be changed later (see Backdoor).

Searching for e-mail addresses

To find victims' e-mail addresses the worm searches all available hard drives for the files with these extensions: 

 .wab
 .txt
 .msg
 .htm
 .html
 .shtm
 .stm
 .xml
 .dbx
 .mbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .wsh
 .adb
 .tbb
 .sht
 .xls
 .oft
 .uin
 .cgi
 .mht
 .dhtm
 .jsp

The worm avoids spreading to e-mail addresses containing any of the following: 

 abuse
 admin
 anyone@
 @avp.
 bugs@
 cafee
 certific
 contract@
 feste
 @foo
 free-av
 f-secur
 gold-certs@
 google
 help@
 @iana
 icrosoft
 info@
 kasp
 linux
 listserv
 local
 @messagelab
 @microsoft
 @msn
 news
 nobody@
 noone@
 noreply
 norton
 ntivi
 panda
 postmaster@
 rating@
 root@
 samples
 sopho
 spam
 support
 unix
 update
 virus
 winrar
 winzip

Spreading in e-mails

The worm spreads itself in e-mail messages as an executable with EXE extension. The worm randomly selects subjects, message bodies and attachment names from its internal lists.

Here are variants of subjects that the worm uses: 

 Changes..
 Encrypted document
 Fax Message
 Forum notify
 Incoming message
 Notification
 Protected message
 Re:
 Re:
 Re: Document
 Re: Hello
 Re: Hi
 Re: Incoming Message
 RE: Incoming Msg
 RE: Message Notify
 Re: Msg reply
 RE: Protected message
 RE: Text message
 Re: Thanks :)
 Re: Thank you!
 Re: Yahoo!
 Site changes
 Update

The message body is one of the following: 

 Attached file tells everything.
 Attach tells everything.
 Check attached file.
 Check attached file for details.
 Here is the file.
 Message is in attach
 More info is in attach
 Pay attention at the attach.
 Please, have a look at the attached file.
 Please, read the document.
 Read the attach.
 See attach.
 See the attached file for details.
 Try this.
 Your document is attached.
 Your file is attached.

Here are variants of attachment names that the worm uses: 

 Details.exe
 Document.exe
 Info.exe
 Information.exe
 Message.exe
 MoreInfo.exe
 Readme.exe
 text_document.exe
 Updates.exe

Spreading to shared folders

The worm spreads to shared folders on an infected computer. Such functionality allows the worm to spread through file sharing clients as well as it can copy itself to their shared folders.

When the worm searches for e-mail addresses on all available hard disks and it finds a folder which name contains 'shar' substring, it copies itself to that folder with one of the following names: 

 Ahead Nero 7.exe
 hardcore arhive.exe
 important.exe
 important update.exe
 install.exe
 Kaspersky Antivirus 5.0
 message.msg                                           .exe
 Microsoft Office 2003 Crack, Working!.exe
 Microsoft Office XP working Crack, Keygen.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 New document.doc                                           .exe
 New patch.exe
 patch.exe
 Porno pics arhive, xxx.exe
 Porno Screensaver.scr
 Porno, sex, oral, anal cool, awesome!!.exe
 Serials.txt                                           .exe
 setup.exe
 text.txt                                           .exe
 update.exe
 WinAmp 6 New!.exe
 Windown Longhorn Beta Leak.exe
 Windows Sourcecode update.doc                                           .exe
 XXX hardcore images.exe

Killing processes of security software

The worm kills processes of anti-virus and security software that are associated with these files: 

 AGENTSVR.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATUPDATER.EXE
 ATWATCH.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVCONSOL.EXE
 AVGSERV9.EXE
 AVLTMAIN.EXE
 AVPUPD.EXE
 AVSYNMGR.EXE
 AVWUPD32.EXE
 AVXQUAR.EXE
 AVprotect9x.exe
 BD_PROFESSIONAL.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BOOTWARN.EXE
 BORG2.EXE
 BS120.EXE
 CDP.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CPD.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 DEFWATCH.EXE
 DEPUTY.EXE
 DPF.EXE
 DPFSETUP.EXE
 DRWATSON.EXE
 DRWEBUPW.EXE
 ENT.EXE
 ESCANH95.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 EXANTIVIRUS-CNET.EXE
 FAST.EXE
 FIREWALL.EXE
 FLOWPROTECTOR.EXE
 FP-WIN_TRIAL.EXE
 FRW.EXE
 FSAV.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GUARD.EXE
 GUARDDOG.EXE
 HACKTRACERSETUP.EXE
 HTLOG.EXE
 HWPE.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFW2000.EXE
 IPARMOR.EXE
 IRIS.EXE
 JAMMER.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KILLPROCESSSETUP161.EXE
 LDPRO.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LSETUP.EXE
 LUALL.EXE
 LUCOMSERVER.EXE
 LUINIT.EXE
 MCAGENT.EXE
 MCUPDATE.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGUI.EXE
 MINILOG.EXE
 MOOLIVE.EXE
 MRFLUX.EXE
 MSCONFIG.EXE
 MSINFO32.EXE
 MSSMMC32.EXE
 MU0311AD.EXE
 NAV80TRY.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NC2000.EXE
 NCINST4.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NETARMOR.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NISSERV.EXE
 NISUM.EXE
 NMAIN.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NSCHED32.EXE
 NTVDM.EXE
 NUPGRADE.EXE
 NVARCH16.EXE
 NWINST4.EXE
 NWTOOL16.EXE
 NavShExt.dll
 OSTRONET.EXE
 OUTPOST.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PAVPROXY.EXE
 PCC2002S902.EXE
 PCC2K_76_1436.EXE
 PCCIOMON.EXE
 PCDSETUP.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PF2.EXE
 PFWADMIN.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PPINUPDT.EXE
 PPTBC.EXE
 PPVSTOP.EXE
 PROCEXPLORERV1.0.EXE
 PROPORT.EPROTECTX.EXE
 PSPF.EXE
 PURGE.EXE
 PVIEW95.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAV8WIN32ENG.EXE
 REGEDIT.EXE
 REGEDT32.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 SAFEWEB.EXE
 SAVSCAN.EXE
 SBSERV.EXE
 SD.EXE
 SETUPVAMEEVAL.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SMC.EXE
 SOFI.EXE
 SPF.EXE
 SPHINX.EXE
 SPYXX.EXE
 SS3EDIT.EXE
 ST2.EXE
 SUPFTRL.EXE
 SUPPORTER5.EXE
 SYMPROXYSVC.EXE
 SYSEDIT.EXE
 SymWSC.exe
 TASKMON.EXE
 TAUMON.EXE
 TAUSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS-3.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 UNDOBOOT.EXE
 UPDATE.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VFSETUP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCENU6.02D30.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBSCANX.EXE
 WGFE95.EXE
 WHOSWATCHINGME.EXE
 WINRECON.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WYVERNWORKSFIREWALL.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 ZAUINST.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE
 ccApp.exe
 ccEvtMgr.exe
 navapsvc.exe

Connecting to websites

The worm periodically connects to the following websites: 

 64.12.212.12
 64.246.44.10
 68.24.54.122
 biiig.org
 blockism.net
 motivethree.com
 nine-one-one.ca
 paromy.ru
 rescan.com
 sexyforum.ru
 talent2k.com
 thehiphops.com
 tovarisi.net
 www.cardgoods.com
 www.evocreations.com
 www.ladywears.com
 zalala.net

The worm opens PHP scripts on these sites with certain parameters. This is done for tracking purposes as the site owner gets the IP address of an infected computer and the backdoor's port number and version ID.

The worm also tries to download and execute file from domain 'www.cardgoods.com'. At the time of this writing, this file is not online. The worm also downloads periodically a list of IP addresses from the same domain. The worm doesn't use these addresses in anything.

Backdoor

Bagle.bw listens on TCP port 9030. Through this port, the worm can act as a backdoor, SOCKS v4/5 proxy or HTTP CONNECT proxy. When certain byte sequence is sent to the port, the backdoor routine starts. Any other connection is treated as SOCKS or HTTP proxy connection.

The backdoor can perform any of the following actions: 

 - Restart backdoor/proxy on a different port
 - Uninstall worm (delete the worm's file and remove all registry keys)
 - Receive any file and execute it
 - Receive file and execute it with command line argument '-upd'
 - Start SMTP relay


Back to the Top


Detection

F-Secure Anti-Virus detects Bagle.bw worm since the following update:

[FSAV_Database_Version]

Version=2005-08-04_02


Back to the Top


Technical Details: Jarkko Turkulainen, Aug 5th, 2005;

F-Secure Corporation