
F-Secure Virus Information Pages: Bagle.C


Name: Bagle.C
Alias: W32/Bagle.C@mm, I-Worm.Bagle.C, W32/Bagle.C
Type: Virus
Category: Virus
Platform: Win32

Summary

A new variant of the Bagle worm, Bagle.C, was found in the wild in the early
morning of February 28th, 2004.

The worm sends emails with varying subjects; the attachment is a zipped
EXE file that carries the icon of an Excel spreadsheet file.



Bagle.C has a backdoor listening on TCP port 2745 and disables certain
security software.

This variant was programmed to stop spreading after March 14th, 2004.

Disinfection


Special Disinfection Tool


F-Secure has developed a special disinfection tool for this worm.
The tool will detect and remove an active Bagle infection from
the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

http://www.f-secure.com/tools/f-bagle.zip

The unpacked version is available from:


ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

http://www.f-secure.com/tools/f-bagle.exe

http://www.f-secure.com/tools/f-bagle.txt



Manual Disinfection


Manual disinfection of Bagle consists of the following steps:

1. Delete the registry value and restart the computer:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe]

2. Delete the worm's files from the Windows System Directory:

%SysDir%\readme.exe
%SysDir%\onde.exe
%SysDir%\doc.exe

Detailed Description

System Infection

Upon execution Bagle.C drops several files to the Windows System Directory:

%SysDir%\readme.exe - dropper of other components
%SysDir%\onde.exe - main worm body
%SysDir%\doc.exe - external library helper


'Readme.exe' is added to the registry as

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe]

to ensure that the worm will be activated when Windows starts.

To record that it has already been run once, the worm creates another registry value:

[HKCU\Software\DateTime2\frun]

On its first run the worm launches Windows Notepad (notepad.exe) to conceal its presence.
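A host check for the indicators above, written here as an added example (it is not F-Secure's F-Bagle tool and not a substitute for it): it takes the Run value name, the first-run marker and the dropped file names from this description and emits the manual disinfection steps in the order given in the Disinfection section. It assumes %SysDir% is %SystemRoot%\System32 and reads the registry only when run on Windows; the `assess` function is pure, so it can be exercised with collected data on any platform.

```python
import os
import sys
# Indicators from the System Infection section above; %SysDir% is assumed to be
# %SystemRoot%\System32 (the NT family), which is what the script lists.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "gouday.exe"
MARKER_KEY = r"Software\DateTime2"
MARKER_VALUE = "frun"
DROPPED_FILES = ("readme.exe", "onde.exe", "doc.exe")

def assess(run_values, marker_present, sysdir_listing):
    """Triage collected host state; returns (findings, cleanup steps in advisory order)."""
    present = {f.lower() for f in sysdir_listing}
    findings = []
    if RUN_VALUE in {v.lower() for v in run_values}:
        findings.append(f"Run value {RUN_VALUE} present")
    if marker_present:
        findings.append(f"first-run marker {MARKER_KEY}\\{MARKER_VALUE} present")
    found_files = [f for f in DROPPED_FILES if f in present]
    findings.extend(f"dropped file {f} present" for f in found_files)
    steps = []
    if findings:  # the Run value goes first, then a reboot, then the files
        steps.append(f"delete HKCU\\{RUN_KEY}\\{RUN_VALUE} and restart")
        steps.extend(f"delete %SysDir%\\{f}" for f in found_files)
    return findings, steps

def collect_windows_state():
    """Read the live state on a Windows host; returns an empty state elsewhere."""
    if not sys.platform.startswith("win"):
        return {}, False, []
    import winreg  # only available on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            run_values[name] = data
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY) as key:
            winreg.QueryValueEx(key, MARKER_VALUE)
        marker = True
    except OSError:
        marker = False
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return run_values, marker, os.listdir(sysdir)
```

On a Windows host, `assess(*collect_windows_state())` returns the findings and the cleanup plan; an empty findings list means none of the listed indicators is present for the current user.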

Email Propagation

Bagle.C recursively searches all drives on the infected computer to locate files that could contain email addresses. It parses these files and collects all email addresses it can find.

Files with the following extensions are checked:

.wab
.txt
.htm
.html
.dbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.adb
.sht


Using its own SMTP engine, Bagle sends messages with infected attachments to the collected addresses. The SMTP engine performs a direct Mail eXchange (MX) lookup on the target domain, so it does not depend on the email settings of the infected computer.

The infected emails can have the following subjects:

  • New Price-list
  • Hardware devices price-list
  • Weekly activity report
  • Daily activity report
  • Maria
  • Jenny
  • Jessica
  • Registration confirmation
  • USA government abolishes the capital punishment
  • Freedom for everyone
  • Flayers among us
  • From Hair-cutter
  • Melissa
  • Camila
  • Price-list
  • Pricelist
  • Price list
  • Hello my friend
  • Hi!
  • Well...
  • Greet the day
  • The account
  • Looking for the report
  • You really love me? he he
  • You are dismissed
  • Accounts department
  • From me
  • Monthly incomings summary
  • The summary
  • Proclivity to servitude
  • Ahtung!
  • The employee

The message body is empty. The attachment is a ZIP file with a random name that is up to eight characters long and made up of the letters 'a', 'b' and 'c'. The sender address in the email is spoofed.



The mailer routine will ignore all addresses that contain any of these
strings:

  • .ch
  • @hotmail.com
  • @msn.com
  • @microsoft
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@
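The mail traits described above (fixed subject list, empty body, ZIP attachment named with one to eight letters from a, b and c, and an EXE inside the ZIP) can be turned into a gateway check. The following is an added example, not part of the F-Secure description: it inspects a raw message with the standard library only, and `build_sample` constructs a test message in memory whose ZIP holds an inert stub, not a real sample.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Traits from the description: known subjects, empty body, [abc]{1,8}.zip attachment holding an EXE.
SUBJECTS = {"new price-list", "hardware devices price-list", "weekly activity report",
    "daily activity report", "maria", "jenny", "jessica", "registration confirmation",
    "usa government abolishes the capital punishment", "freedom for everyone",
    "flayers among us", "from hair-cutter", "melissa", "camila", "price-list", "pricelist",
    "price list", "hello my friend", "hi!", "well...", "greet the day", "the account",
    "looking for the report", "you really love me? he he", "you are dismissed",
    "accounts department", "from me", "monthly incomings summary", "the summary",
    "proclivity to servitude", "ahtung!", "the employee"}
ATTACH_NAME = re.compile(r"^[abc]{1,8}\.zip$", re.IGNORECASE)

def bagle_c_indicators(raw):
    """Return the Bagle.C traits found in a raw RFC 822 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("known subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACH_NAME.match(name):
            continue
        hits.append(f"attachment name {name} matches [abc]{{1,8}}.zip")
        try:  # inspect the ZIP directory in memory; nothing is extracted or run
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower().endswith(".exe") for n in zf.namelist()):
                    hits.append("ZIP contains an EXE")
        except zipfile.BadZipFile:
            hits.append("attachment is not a valid ZIP")
    return hits

def build_sample(subject="Price-list", attach="abcab.zip", body=""):
    """Construct a sample message for testing; the ZIP holds an inert stub file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attach)
    return msg.as_bytes()
```

Any single hit is weak on its own (many legitimate mails have an empty body); the attachment-name pattern together with an EXE inside the ZIP is the combination worth quarantining on.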

Backdoor


Bagle.C comes with a backdoor that listens on TCP port 2745, which is hardcoded in the worm's body. The backdoor provides full remote access to the infected computer. It can be used to download and execute arbitrary programs from the Internet.

When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port on which the backdoor is listening, which suggests that this functionality is used to collect the addresses of infected computers.
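As an added example (not from the original description), the two network traits above, an accepted inbound connection to TCP 2745 and an outbound request to a PHP script carrying the backdoor port, can be correlated per host from firewall and proxy logs. The log formats, the host addresses and the `port=` query parameter name are constructed assumptions; the description does not give the real parameter name, so the code flags any query value equal to the port.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

BACKDOOR_PORT = "2745"

# Constructed sample lines (not real vendor output): firewall lines are
# "timestamp src dst dport action", proxy lines are "timestamp client url".
FIREWALL_LOG = """\
2004-02-28T06:01:11 10.0.0.5 10.0.0.17 2745 ACCEPT
2004-02-28T06:02:40 10.0.0.9 10.0.0.23 445 ACCEPT
2004-02-28T06:03:02 203.0.113.4 10.0.0.23 2745 ACCEPT
2004-02-28T06:03:05 203.0.113.4 10.0.0.23 2745 DROP
"""
PROXY_LOG = """\
2004-02-28T06:00:58 10.0.0.23 http://www.example.net/counter.php?port=2745&id=1
2004-02-28T06:05:10 10.0.0.9 http://www.example.org/index.php?page=2
"""

def backdoor_suspects(firewall_text, proxy_text):
    """Map each host to the Bagle.C network traits observed for it."""
    traits = defaultdict(set)
    for line in firewall_text.splitlines():
        _ts, _src, dst, dport, action = line.split()
        if dport == BACKDOOR_PORT and action == "ACCEPT":
            traits[dst].add("accepted inbound connection to tcp/2745")
    for line in proxy_text.splitlines():
        _ts, client, url = line.split()
        parts = urlsplit(url)
        if not parts.path.lower().endswith(".php"):
            continue
        # The parameter name is not documented, so flag any query value equal to the port.
        values = {v for vs in parse_qs(parts.query).values() for v in vs}
        if BACKDOOR_PORT in values:
            traits[client].add("request to a PHP script reporting port 2745")
    return {host: sorted(t) for host, t in traits.items()}
```

A host showing both traits (10.0.0.23 in the sample) is the strongest candidate; a host with only the accepted connection may simply have something else on that port and should be checked with the host-side indicators.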

Disabling Security Software

The payload of Bagle.C contains a thread that terminates processes with the following names:

  • ATUPDATER.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • CFIAUDIT.EXE
  • MCUPDATE.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • AVLTMAIN.EXE



F-Secure Corporation

Last Modified: January 01, 2006