F-Secure Virus Descriptions : Bagle.E


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: Bagle.E
ALIAS: W32/Bagle.E, I-Worm.Bagle.E, W32/Bagle.E@mm
SIZE: 18394

Summary

Yet another new variant of the Bagle worm, Bagle.E, was found in the wild on February 28th, 2004.

This variant is packed with the PeX packer instead of the UPX packer used by the C and D variants, so the file is slightly larger.

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Bagle infection from the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

http://www.f-secure.com/tools/f-bagle.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

http://www.f-secure.com/tools/f-bagle.exe

http://www.f-secure.com/tools/f-bagle.txt

Manual Disinfection

Manual disinfection of Bagle consists of the following steps:

1. Delete the registry value and restart the computer:

 [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe]

2. Delete the worm's files from the Windows System Directory:

 %SysDir%\i1ru74n4.exe
 %SysDir%\godo.exe
 %SysDir%\ii455nj4.exe




Detailed Description

Bagle.E is similar to the C and D variants, with the following noteworthy differences:

- different packer

- emails now have text in their body

- the ZIP attachment name is built from slightly different random letters

- the UID parameter was removed from the PHP reporting

- the otherwise inactive backdoor port randomizer has been removed

- some changes in internal names (e.g. the mutex name)

System Infection

Upon execution Bagle.E drops several files to the Windows System Directory:

 %SysDir%\i1ru74n4.exe - dropper of other components
 %SysDir%\godo.exe - main worm body
 %SysDir%\ii455nj4.exe - external library helper

'i1ru74n4.exe' is added to the registry as

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe]

to ensure that the worm will be activated when Windows starts.

To mark that it has already been run for the first time, the worm creates another registry value:

 [HKCU\Software\DateTime4\frun]

When started for the first time, the worm launches Windows Notepad (notepad.exe) to conceal its presence.

Email Propagation

Bagle.E recursively searches all drives on the infected computer to locate files that could contain email addresses. It parses these files and collects all email addresses it can find.

Files with the following extensions are checked:

 .wab
 .txt
 .htm
 .html
 .dbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .adb
 .sht

Using its own SMTP engine, Bagle.E sends messages with infected attachments to the collected addresses. The SMTP engine performs a direct Mail eXchange (MX) lookup on the target domain, so it does not depend on the email settings of the infected computer.

The infected emails can have the following subjects:

 New Price-list
 Hardware devices price-list
 Weekly activity report
 Daily activity report
 Maria
 Jenny
 Jessica
 Registration confirmation
 USA government abolishes the capital punishment
 Freedom for everyone
 Flayers among us
 From Hair-cutter
 Melissa
 Camila
 Price-list
 Pricelist
 Price list
 Hello my friend
 Hi!
 Well...
 Greet the day
 The account
 Looking for the report
 You really love me? he he
 You are dismissed
 Accounts department
 From me
 Monthly incomings summary
 The summary
 Proclivity to servitude
 Ello!
 Ahtung!
 The employee

The body of the message is one of the following:

 Subj
 Request
 Empty
 Response
 Everything inside the attach
 Look it through
 Cya

The attachment is a ZIP file with a random name of up to eight characters drawn from the letters 'a' to 'e'. The sender address in the email is spoofed.
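As an added mail-gateway example (not part of F-Secure's description or tooling), the following Python matches an incoming message against the traits listed above: the subject and body strings, and a ZIP attachment whose name is one to eight letters from 'a' to 'e'. The sample messages are constructed.

```python
import re

# Indicator lists transcribed from the Bagle.E description above.
BAGLE_E_SUBJECTS = {
    "New Price-list", "Hardware devices price-list", "Weekly activity report",
    "Daily activity report", "Maria", "Jenny", "Jessica", "Registration confirmation",
    "USA government abolishes the capital punishment", "Freedom for everyone",
    "Flayers among us", "From Hair-cutter", "Melissa", "Camila", "Price-list",
    "Pricelist", "Price list", "Hello my friend", "Hi!", "Well...", "Greet the day",
    "The account", "Looking for the report", "You really love me? he he",
    "You are dismissed", "Accounts department", "From me", "Monthly incomings summary",
    "The summary", "Proclivity to servitude", "Ello!", "Ahtung!", "The employee",
}
BAGLE_E_BODIES = {"Subj", "Request", "Empty", "Response",
                  "Everything inside the attach", "Look it through", "Cya"}
# Attachment: a ZIP whose base name is one to eight letters from 'a' to 'e'.
ATTACHMENT_RE = re.compile(r"^[a-e]{1,8}\.zip$", re.IGNORECASE)

def bagle_e_indicators(subject, body, attachments):
    """Return the set of Bagle.E traits ('subject', 'body', 'attachment') a message shows."""
    hits = set()
    if subject.strip() in BAGLE_E_SUBJECTS:
        hits.add("subject")
    if body.strip() in BAGLE_E_BODIES:
        hits.add("body")
    if any(ATTACHMENT_RE.match(name) for name in attachments):
        hits.add("attachment")
    return hits

def is_suspected_bagle_e(subject, body, attachments):
    """Flag only when the attachment pattern is joined by a matching subject or body,
    so a legitimate 'Price-list' mail with an ordinary attachment is not quarantined."""
    hits = bagle_e_indicators(subject, body, attachments)
    return "attachment" in hits and len(hits) >= 2

# Constructed sample messages (not real captures).
SAMPLES = [
    ("Price-list", "Look it through", ["bdace.zip"]),          # worm-like
    ("Price-list", "Please see attached", ["pricelist.zip"]),  # legitimate lookalike
    ("Hi!", "Empty", ["report.zip"]),                          # text matches, ZIP name does not
]

if __name__ == "__main__":
    for subj, body, atts in SAMPLES:
        print(subj, atts, "->", is_suspected_bagle_e(subj, body, atts))
```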

The mailer routine ignores all addresses that contain any of these strings:

 .gr
 @hotmail.com
 @msn.com
 @microsoft
 @avp.
 noreply
 local
 root@
 postmaster@

Backdoor

Bagle.E comes with a backdoor that listens on TCP port 2745, which is hardcoded in the worm's body. The backdoor provides full remote access to the infected computer. It can be used to download and execute arbitrary programs from the Internet.

When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. In this way the worm reports infected computers to its author.
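Added here as a host triage example (not F-Secure's removal tool or code): it pairs the hardcoded backdoor port with the dropped file names from the System Infection section, reading constructed `netstat -ano` and `tasklist /fo csv /nh` output so it runs offline.

```python
import csv
import io
import re

# Host indicators transcribed from the Bagle.E description above.
BACKDOOR_PORT = 2745
WORM_IMAGES = {"i1ru74n4.exe", "godo.exe", "ii455nj4.exe"}
# One `netstat -ano` row in LISTENING state: local address, state, then PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def find_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return the set of PIDs that hold a TCP listener on `port`."""
    pids = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) == port:
            pids.add(int(m.group(2)))
    return pids

def pid_to_image(tasklist_csv):
    """Map PID -> lower-cased image name from `tasklist /fo csv /nh` output."""
    mapping = {}
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[1].isdigit():
            mapping[int(row[1])] = row[0].lower()
    return mapping

def triage(netstat_text, tasklist_csv):
    """Pair each port-2745 listener with its process and say whether it is a known worm file."""
    images = pid_to_image(tasklist_csv)
    findings = []
    for pid in find_listeners(netstat_text):
        image = images.get(pid, "<unknown>")
        verdict = "known Bagle.E file" if image in WORM_IMAGES else "unexpected listener"
        findings.append((pid, image, verdict))
    return sorted(findings)

# Constructed sample output (not captured from a real infected host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.5:1054       192.168.1.1:25         ESTABLISHED     1480
"""
TASKLIST_SAMPLE = ('"svchost.exe","912","Console","0","5,212 K"\n'
                   '"godo.exe","1480","Console","0","1,896 K"\n')

if __name__ == "__main__":
    for pid, image, verdict in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({image}): {verdict}")
```

The ESTABLISHED row to a remote port 25 from the same PID is the worm's own SMTP engine at work, which is why the flagged process and not the mail client should be the starting point of the investigation.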

Disabling Security Software

The payload of Bagle.E starts a thread that terminates processes with the following names:

 ATUPDATER.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 UPDATE.EXE
 NUPGRADE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVXQUAR.EXE
 CFIAUDIT.EXE
 MCUPDATE.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 AVLTMAIN.EXE




Detection

Detection in F-Secure Anti-Virus was published on February 28th, 2004 in update:

[FSAV_Database_Version]

Version=2004-02-28_04




Description: Mikko Hypponen, February 28th, 2004;

Technical Details: Gergely Erdelyi, February 28th, 2004;

F-Secure Corporation