F-Secure Email Worm Information Pages : Bagle.EY

This Bagle mass-mailer was found on December 15th 2005. It mass-mails the downloader that we detect as W32/Bagle.EX. The downloader is sent out in e-mail messages with ZIP archive attachments. The name of the downloader's file inside those archives is S3700020.EXE.
Installation to System
The worm's file is a PE packed executable about 20 kilobytes long. When run, it copies itself to the Windows System folder as WIND2LL2.EXE. The worm creates mutexes with the following names:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Spreading in E-mails
The worm does not go through an infected computer's hard disk to search for e-mail addresses. Instead, it connects to the Internet to get them. The worm has a list of websites that it connects to. If the connection is successful, the site provides the worm with a list of 1000 e-mail addresses, which are different every time. Bagle.EY ignores e-mail addresses that contain any of the following:
@eerswqe @derewrdgrs @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@
The worm sends out ZIP archives with a trojan downloader that we detect as Bagle.EX. The attachment name is randomly selected from the following variants:
Elizabeth Elizabethe Anne Ann Anna Anne Annes Mary Marie Marye Margaret Margaret Margarett Margerie Margerye Margret Margrett Sara Dorothy Dorithie Dorothee Jane Katherine Katherine Katheryne Susanna Susanna Suzanna Francis Frances Fraunces Joane Judith Judeth Judith Judithe Alice Ales Alice Alyce Ellen Ellen Ellyn Grace Isabell Isabel Isabell Martha Susan Winifred Wynefreed Wynefrede Wynnefreede Avis Avis Avice Bennet Bennet Bennett Christian Christian Christean Constance Cybil Sybell Sybyll Ester Rebecka Rose Sidney Sindony Syndony John John Johen Thomas William Richard Richarde Richard Rycharde Robert Roberte Robert George Edward Edwarde Edward Nicholas Nicholas Nycholas Nicholaus James Jeames James Henry Henrie Henry Henrye Edmund Edmonde Edmond Edmund Harry Harrye Harry Anthony Anthonye Anthonie Roger Peter Nathaniel Nathaniell Nathaniel Nathanyell Stephen Jeffrey Jeffrye Geoffraie Francis Andrew Androw Androwe Valentyne Samuell Ralph Michael Michael Mychaell Leonard Leonard Leonarde Josias Humphrey Humphrey Humphrie Hughe Gabriell Emanual Emanuell Emanuel Daniel Daniel Danyell
The subject of infected e-mails can contain any of the following:
New Year's New Year's Day. Happy New Year We congratulate happy New Year New 2006
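As an added example that is not part of F-Secure's description, the following Python check scores an incoming message against the indicators listed above: the New Year subjects, the first-name attachment list (only a subset of the page's names is embedded; the attachment is matched on its file stem), and the S3700020.EXE entry inside the ZIP. The sample ZIP is constructed in the script and holds a harmless placeholder, not the downloader.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Indicators copied from the description above. The attachment-name set is a
# subset of the page's list; extend it from the page as needed.
DOWNLOADER_ENTRY = "s3700020.exe"
ATTACHMENT_STEMS = {
    "elizabeth", "anne", "mary", "margaret", "sara", "dorothy", "jane",
    "katherine", "susanna", "francis", "john", "thomas", "william",
    "richard", "robert", "george", "edward", "nicholas", "james", "henry",
}
SUBJECT_MARKERS = ("new year", "happy new year", "we congratulate", "new 2006")


def zip_entry_names(data: bytes) -> list[str]:
    """Lower-cased base names of the ZIP entries, or [] if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [PurePosixPath(n).name.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def score_message(subject: str, attachment_name: str, attachment_data: bytes) -> list[str]:
    """Return the Bagle.EY indicators the message matches (empty list = none).

    The subject and attachment name are weak on their own; the downloader
    entry inside the ZIP is the strong indicator.
    """
    hits = []
    if any(m in subject.lower() for m in SUBJECT_MARKERS):
        hits.append("subject")
    if PurePosixPath(attachment_name).stem.lower() in ATTACHMENT_STEMS:
        hits.append("attachment-name")
    if DOWNLOADER_ENTRY in zip_entry_names(attachment_data):
        hits.append("downloader-entry")
    return hits


def build_sample_zip(entry_name: str) -> bytes:
    """Constructed sample: a ZIP holding one harmless placeholder entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, b"placeholder, not the real downloader")
    return buf.getvalue()


if __name__ == "__main__":
    print(score_message("Happy New Year", "Elizabeth.zip", build_sample_zip("S3700020.EXE")))
```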
Payload
Bagle.EY tries to delete certain values from the following Registry keys:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n] My AV Zone Labs Client Ex 9XHtProtect Antivirus Special Firewall Service service Tiny AV ICQNet HtProtect NetDy Jammer2nd FirewallSvr MsInfo SysMonXP EasyAV PandaAVEngine Norton Antivirus AV KasperskyAVEng SkynetsRevenge ICQ Net
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n] My AV Zone Labs Client Ex 9XHtProtect Antivirus Special Firewall Service service Tiny AV ICQNet HtProtect NetDy Jammer2nd FirewallSvr MsInfo SysMonXP EasyAV PandaAVEngine Norton Antivirus AV KasperskyAVEng SkynetsRevenge ICQ Net
Note the misspelled key name 'Ru1n' (rather than 'Run'). Because of this misspelling the payload doesn't work as it should.
This Bagle variant terminates processes with the following names:
1t1epad.exe t1es1t.exe
The worm has the ability to download and run files from the Internet.
Technical Details: Alexey Podrezov, December 15, 2005
F-Secure Corporation