F-Secure Virus Descriptions : Bagle.CI




NAME: Bagle.CI
ALIAS: Email-Worm.Bagle.CI

Summary

Another new Bagle variant, Bagle.CI, was found on August 12th, 2005. This variant sends infected messages that carry another Bagle-related component, Bagle.CF.

The worm also contains a backdoor that listens on TCP port 80.

Detailed Description

Installation to system

When the worm's file is run, it copies itself as 'svc23.exe' to the Windows System folder. It creates the following registry value:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n]
 "erthgdr2" = "%Sysdir%\svc23.exe"

%Sysdir% stands for the Windows System folder, for example C:\Windows\System32 on Windows XP systems.

Email Propagation

Bagle.CI gathers e-mail addresses from web servers. The servers host a PHP script that dynamically generates a seemingly random list of e-mail addresses. The worm polls the servers periodically and saves the returned file as 'eml.exe' in the Windows folder. At the time of this writing, some of the servers are still functional.

Here's the list of servers that host the PHP script:


The worm ignores e-mail addresses that contain any of the following strings:

 abuse
 admin
 anyone@
 @avp.
 bsd
 bugs@
 cafee
 certific
 contract@
 @derewrdgrs
 @eerswqe
 feste
 @foo
 free-av
 f-secur
 gold-certs@
 google
 help@
 @iana
 icrosoft
 info@
 kasp
 linux
 listserv
 local
 @messagelab
 @microsoft
 news
 nobody@
 noone@
 noreply
 ntivi
 panda
 pgp
 postmaster@
 rating@
 root@
 samples
 sopho
 spam
 support
 unix
 update
 winrar
 winzip

The e-mail body and subject line are empty.

The worm attaches a file embedded in its body to the e-mails it sends. This file is a ZIP archive containing a downloader component. When extracted, the archive yields a file named 'Taxes.exe', which is detected as 'Email-Worm.Win32.Bagle.cf'.

Please see the following description for more information:

http://www.f-secure.com/v-descs/bagle_cf.shtml

The attached file can have one of the following filenames:

 Taxes.rar
 The_taxation.rar
 The_reporting_of_taxes.rar
 Work and taxes.rar
 Increase_in_the_tax.rar
 To_reduce_the_tax.rar

Note: the attachment is actually a ZIP archive with a RAR extension.
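As an added example (not part of the original F-Secure description), the following Python check flags an e-mail attachment that uses one of the filenames listed above, carries ZIP content under a .rar extension, or contains a 'Taxes.exe' member; the archive it builds for the demonstration is constructed test data, not a real sample.

```python
import io
import zipfile
from typing import List

# Attachment names used by Bagle.CI, as listed in the description above.
BAGLE_CI_NAMES = {
    "taxes.rar",
    "the_taxation.rar",
    "the_reporting_of_taxes.rar",
    "work and taxes.rar",
    "increase_in_the_tax.rar",
    "to_reduce_the_tax.rar",
}
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive
DROPPED_NAME = "taxes.exe"  # file the archive yields when extracted


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return the indicators found for one attachment (empty list if none)."""
    hits = []
    name = filename.lower()
    if name in BAGLE_CI_NAMES:
        hits.append("known Bagle.CI attachment name")
    # A '.rar' attachment whose bytes are a ZIP archive is the mismatch the
    # description points out: the extension and the content disagree.
    if name.endswith(".rar") and data.startswith(ZIP_MAGIC):
        hits.append("ZIP content with .rar extension")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            members = []
        if DROPPED_NAME in members:
            hits.append("archive contains Taxes.exe")
    return hits


def build_sample(member: str) -> bytes:
    """Construct an in-memory ZIP with one harmless member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_attachment("Taxes.rar", build_sample("Taxes.exe")))
```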

Payload

This variant of Bagle tries to remove the following Netsky worm startup keys:

 My AV
 Zone Labs Client Ex
 9XHtProtect
 Antivirus
 Special Firewall Service
 service
 Tiny AV
 ICQNet
 HtProtect
 NetDy
 Jammer2nd
 FirewallSvr
 MsInfo
 SysMonXP
 EasyAV
 PandaAVEngine
 Norton Antivirus AV
 KasperskyAVEng
 SkynetsRevenge
 ICQ Net

Additionally, the worm creates several mutexes with names used by the Netsky worm.

Backdoor

The worm has a backdoor that listens on port 80. The backdoor code is encrypted with a password. The worm's author, who knows the password, can connect to the computer and execute arbitrary programs.

Detection

F-Secure Anti-Virus detects Bagle.CI starting from the following update:

[FSAV_Database_Version]

Version=2005-08-12_04



Technical Details: Jarkko Turkulainen, August 12th, 2005

F-Secure Corporation