F-Secure Virus Descriptions : Bagle.CZ




NAME: Bagle.CZ
ALIAS: Email-Worm.Win32.Bagle.cz

Summary

Bagle.CZ is a mass-mailer. It sends out infected messages carrying another Bagle-related component, Bagle.DB. The mass-mailer itself is downloaded onto the system by the Bagle.CX downloader:

http://www.f-secure.com/v-descs/bagle_cx.shtml

Detailed Description

Installation to system

When the worm's file is run, it copies itself as 'windll32.exe' to the Windows System folder and adds the following registry entry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n]
 "erthgdr" = "%Sysdir%\windll32.exe"

%SysDir% represents the Windows System folder name, for example C:\Windows\System32 on Windows XP systems.
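The persistence entry above is the kind of indicator an incident responder checks for in a Registry export from a suspect host. The following is an added example, not code from the F-Secure writeup: it parses a `.reg`-style text export, looks at string values under `HKCU\...\CurrentVersion\`, and flags entries that match either indicator given above (the value name 'erthgdr', or data pointing at a 'windll32.exe'). The export text is constructed for the example; key names, value names and paths in it are taken from this description, not from an infected machine.

```python
"""Triage a Registry export (.reg text) for the Bagle.CZ persistence entry.

Indicators are the ones in the F-Secure writeup: value name 'erthgdr' and
a 'windll32.exe' under an HKCU\\...\\CurrentVersion key. SAMPLE_EXPORT is
constructed for this example, not captured from an infected host.
"""
import re
from typing import Iterator

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

IOC_VALUE_NAME = "erthgdr"
IOC_FILENAME = "windll32.exe"
# Any key directly below CurrentVersion (Run, RunOnce, or the misspelled key
# named in the writeup) is inspected.
AUTORUN_PREFIX = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"


def parse_reg_export(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (key, value_name, data) for quoted string values in a .reg export.

    .reg files write backslashes inside quoted data as '\\\\'; this undoes that.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")


def executable_name(data: str) -> str:
    """Return the lower-cased file name of the command in a Run-style value."""
    data = data.strip().strip('"')
    if not data:
        return ""
    # Last path component, then drop any trailing arguments.
    return data.rsplit("\\", 1)[-1].split()[0].strip('"').lower()


def find_bagle_cz_persistence(text: str) -> list[dict]:
    """Return CurrentVersion entries that match either Bagle.CZ indicator."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().startswith(AUTORUN_PREFIX):
            continue
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name matches")
        if executable_name(data) == IOC_FILENAME:
            reasons.append("points at windll32.exe")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export: one benign Run entry, one entry as described above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr"="C:\\WINDOWS\\System32\\windll32.exe"
"""

if __name__ == "__main__":
    for hit in find_bagle_cz_persistence(SAMPLE_EXPORT):
        print(hit)
```

On a real host the text would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg` (note that `reg export` writes UTF-16; decode accordingly before parsing). Matching on both the value name and the executable name is deliberate: either one alone is enough to warrant a look at the referenced file.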

Email Propagation

Bagle.CZ gathers e-mail addresses from web servers. The servers host a PHP script that dynamically generates a seemingly random list of e-mail addresses. The servers are polled periodically and the returned file is saved as 'eml.exe' in the Windows folder. At the time of this writing, none of the servers are functional.

Here's the list of servers that host the PHP script:

 clickhare.com
 amerikansk-bulldog.dk
 eventpeopleforyou.com
 fyeye.com
 ligapichangueras.cl
 ekshrine.com/images
 directeenhuis.nl
 creacionesartisticasandaluzas.com

The worm ignores e-mail addresses that contain any of the following strings:

 @eerswqe
 @derewrdgrs
 @microsoft
 rating@
 f-secur
 news
 update
 anyone@
 bugs@
 contract@
 feste
 gold-certs@
 help@
 info@
 nobody@
 noone@
 kasp
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 sopho
 @foo
 @iana
 free-av
 @messagelab
 winzip
 google
 winrar
 samples
 abuse
 panda
 cafee
 spam
 pgp
 @avp.
 noreply
 local
 root@
 postmaster@

The e-mail subject can be empty, or one of the following:

 price
 price09

The message body can be empty, or one of the following:

 price
 new price

The worm attaches a file carried in its own body to the e-mails it sends. This file is a ZIP archive containing a downloader component. When extracted, the archive drops a file named 'price_09.exe'. This file is detected as 'Email-Worm.Win32.Bagle.db'.

Please see the following description for more information:

http://www.f-secure.com/v-descs/bagle_db.shtml

The attached file can have one of the following filenames:

 price.zip
 price2.zip
 price_new.zip
 price_09.zip
 09_price.zip
 newprice.zip
 new_price.zip
 new__price.zip
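The fixed subjects, bodies, attachment names and dropped file name listed in this section are enough to write a mail-gateway rule. The following is an added example, not code from the F-Secure writeup: it parses a raw message with Python's standard `email` library, checks the subject and text body against the sets above, opens any attachment whose name is on the list and looks inside the archive for 'price_09.exe'. The messages it runs on are constructed here; the ZIP member is a placeholder byte string, not an executable.

```python
"""Mail-gateway style detection for messages matching the Bagle.CZ pattern.

Indicator sets are copied from the F-Secure description. WORM_LIKE and
BENIGN are constructed sample messages; the ZIP member they carry is a
placeholder byte string, not a real executable.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SUBJECTS = {"", "price", "price09"}
BODIES = {"", "price", "new price"}
ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_09.zip",
    "09_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
DROPPED_NAME = "price_09.exe"


def zip_member_names(data: bytes) -> list[str]:
    """Return the member names of a ZIP archive, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the Bagle.CZ mail pattern.

    Each indicator is reported separately; 'verdict' is True only when the
    attachment name, the dropped file, the subject and the body all match.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = {"subject": False, "body": False,
            "attachment_name": False, "dropped_exe": False}

    hits["subject"] = (msg.get("Subject") or "").strip().lower() in SUBJECTS

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    hits["body"] = body in BODIES

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits["attachment_name"] = True
            members = [m.lower() for m in zip_member_names(part.get_payload(decode=True))]
            if DROPPED_NAME in members:
                hits["dropped_exe"] = True

    hits["verdict"] = all(hits[k] for k in ("attachment_name", "dropped_exe", "subject", "body"))
    return hits


def build_sample(subject: str, body: str, zip_name: str, member: str) -> bytes:
    """Construct a sample message carrying a ZIP attachment (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not an executable")  # constructed stand-in
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary message.
WORM_LIKE = build_sample("price09", "new price", "price_09.zip", "price_09.exe")
BENIGN = build_sample("Q3 price list", "Attached is the quarterly price list.",
                      "pricelist.zip", "pricelist.pdf")

if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, classify(sample))
```

Reporting the four indicators separately rather than only the verdict is what makes the rule tunable: a gateway that already blocks executables inside archives can alert on the attachment name alone, while a mailbox-side filter may want the full combination to avoid flagging legitimate "price" correspondence.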

Payload

This variant of Bagle tries to remove the following registry keys:

 My AV
 Zone Labs Client Ex
 9XHtProtect
 Antivirus
 Special Firewall Service
 service
 Tiny AV
 ICQNet
 HtProtect
 NetDy
 Jammer2nd
 FirewallSvr
 MsInfo
 SysMonXP
 EasyAV
 PandaAVEngine
 Norton Antivirus AV
 KasperskyAVEng
 SkynetsRevenge
 ICQ Net

Additionally, the worm creates several mutexes with names used by the Netsky worm.

Backdoor

The worm has a backdoor that listens on port 80. The backdoor code is encrypted with a password. The worm's author, who knows the password, can connect to the computer and execute arbitrary programs.




Detection

F-Secure Anti-Virus detects this malware starting from the following update:

[FSAV_Database_Version]

Version=2005-09-19_05



Writeup: Alexey Podrezov, September 20th, 2005;

Updated: Jarkko Turkulainen, September 20th, 2005;

F-Secure Corporation