F-Secure Malware Information Pages: Bagle.FM

Name: Bagle.FM
Alias: Email-Worm.Win32.Bagle.fm, W32/Bagle.FM@mm
Type: Worm, Email-Worm
Category: Malware
Platform: Win32
Date of Discovery: February 09, 2006

Summary
This Bagle mass-mailer first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition, it drops a trojan downloader.

Detailed Description
Installation to system

When the worm's file is started, it displays a fake error message box:

Error!
Can't find a viewer associated with the file.


Then it copies itself to the Windows System folder as regmaping.exe and also creates copies of itself with the following names:

regmaping.exeopen
regmaping.exeopenopen

A startup Registry value is then created for the copied file:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Regmonitor" = "%WinSysDir%\regmaping.exe"

where %WinSysDir% represents the Windows System folder. The worm creates several mutexes:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_


Spreading in e-mails

Before spreading in e-mails, the worm scans local drives to collect e-mail addresses. Files with the following extensions are scanned:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml
The worm ignores e-mail addresses that contain any of the following:

  • @avp.
  • @foo
  • @hotmail
  • @iana
  • @messagelab
  • @microsoft
  • @msn
  • abuse
  • admin
  • anyone@
  • bsd
  • bugs@
  • cafee
  • certific
  • contract@
  • feste
  • free-av
  • f-secur
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • kasp
  • linux
  • listserv
  • local
  • news
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • pgp
  • postmaster@
  • rating@
  • root@
  • samples
  • sopho
  • spam
  • support
  • unix
  • update
  • winrar
  • winzip
The worm can send several different messages. The following text can be used in the subject line (%number% stands for a randomly generated number):

Your Receipt
%number%-%number%
Order reminder: ID
%number%
Billing department, order
%number%-%number%

The body text can be one of the following:

Dear Sir or Madam,

This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store. This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly. The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge. You will not be charged again.
You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.


OR

******************************************************************

Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it.

Transaction Number:


This is your receipt for your $1490 purchase of a 1.0 months
subscription which will appear on your statement as
%number%-%number%-%number%.
Your membership will automatically renew per the terms and conditions.

Should you ever have any
problems whatsoever, please don't hesitate to contact our live technical support staff - available 24 hours a day 7 days a week. We can be reached by phone toll free in the US at 800-534-8593. Rather use email?
Drop us a line at bill@gmail.com and we'll always get back to you within an hour.

Enjoy the service!
Support

******************************************************************


OR

Your email %e-mail% has exceeded its
bandwidth quota in the period beginning on 2006-01-01.
Your quota is set to 104'85760 bytes (10.0 MB), and
your email has consumed 559189702 bytes (533.285 MB) beyond that quota.

Our over-b'andwidth charges are
Additional Bandwidth/Month Monthly'Cost
100 Mb $200.00
200 MB $360.00
300 MB ' $480.00
400 MB $624.00
500 Mb $740.00
- your over-usage
600 Mb $850.00

Our automatically generated bill is attached with this email.

Sincerely,
Sales Manager.


The %e-mail% placeholder stands for the recipient's e-mail address.

The first extension of the attachment can be any of the following:

  • .cfg
  • .def
  • .dll
  • .ini
  • .txt
  • .vxd
The second extension of the attachment can be any of the following:

  • .exe
  • .hta
  • .vbs
  • .zip
The worm can spread in a password-protected ZIP archive. The password is sent with the infected message as an image.
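The subject templates and the two-part attachment extensions listed above are the parts of a Bagle.FM message a mail gateway can check on the way in. The following is an added example written for this page, not F-Secure's code or anything taken from the worm: it turns the three subject templates into regular expressions (assuming, since the page does not show it, that template words and numbers are separated by single spaces once whitespace is collapsed) and flags attachment names whose benign-looking first extension is followed by one of the executable second extensions. The sample messages at the bottom are constructed for the demonstration.

```python
import re

# Extension pairs and subject templates transcribed from the description above.
FIRST_EXTENSIONS = {".cfg", ".def", ".dll", ".ini", ".txt", ".vxd"}
SECOND_EXTENSIONS = {".exe", ".hta", ".vbs", ".zip"}
SUBJECT_TEMPLATES = [
    "Your Receipt %number%-%number%",
    "Order reminder: ID %number%",
    "Billing department, order %number%-%number%",
]


def _template_to_regex(template):
    # Escape the literal text, then let the %number% placeholder match digits.
    # Assumption (not stated on the page): template words and the numbers are
    # separated by single spaces once the subject's whitespace is collapsed.
    escaped = re.escape(template).replace(re.escape("%number%"), r"\d+")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


SUBJECT_REGEXES = [_template_to_regex(t) for t in SUBJECT_TEMPLATES]


def subject_matches_lure(subject):
    """True if the subject, with whitespace collapsed, matches a known template."""
    normalized = " ".join(subject.split())
    return any(rx.match(normalized) for rx in SUBJECT_REGEXES)


def attachment_is_suspicious(filename):
    """True for names like 'update.def.exe': a benign-looking first extension
    followed by one of the executable second extensions from the description."""
    lower = filename.strip().lower()
    stem, dot, second = lower.rpartition(".")
    if not dot or "." + second not in SECOND_EXTENSIONS:
        return False
    _, dot2, first = stem.rpartition(".")
    return bool(dot2) and "." + first in FIRST_EXTENSIONS


def triage_message(subject, attachments):
    """Return the reasons a message resembles a Bagle.FM lure (empty = none)."""
    reasons = []
    if subject_matches_lure(subject):
        reasons.append("subject matches a known Bagle.FM subject template")
    for name in attachments:
        if attachment_is_suspicious(name):
            reasons.append(f"attachment {name!r} has a double extension ending in an executable type")
    return reasons


# Constructed sample messages; the first two imitate the lures, the third is benign.
SAMPLE_MESSAGES = [
    {"subject": "Your Receipt 48213-1093", "attachments": ["avdefs.def.exe"]},
    {"subject": "Order reminder:  ID 77120", "attachments": ["receipt.txt.zip"]},
    {"subject": "Quarterly report", "attachments": ["report.pdf", "notes.txt"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage_message(msg["subject"], msg["attachments"]) or "clean")
```

The subject check alone is weak evidence (legitimate receipts can look similar), which is why the function returns every reason it found rather than a single verdict; a gateway would normally require the attachment finding before quarantining.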

Spreading to shared folders

When the worm scans a hard drive, it looks for folders that have the substring 'shar' in their names. If such a folder is found, the worm copies itself to that folder with the following names:

anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe


Payload

The worm also drops a file named winresw.exe to the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.

The worm also starts a backdoor on port 6777. The backdoor allows the worm's file to be updated from the Internet.

The Bagle.FM worm deletes certain values from the following Registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]


These values are:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net


The worm starts a thread that periodically accesses the 'ijj.t35.com' website. This site hosts a download page for third-party Registry cleaning software, and the worm tries to artificially inflate that page's hit count.
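The installation section above (the Regmonitor Run value, the regmaping.exe copies, the mutex names) and this payload section (winresw.exe, the port 6777 backdoor, the deleted Run values) together give a host-side indicator set. The following is an added example for this page, not F-Secure's code: it evaluates a host snapshot against those indicators and also reports when a Run value on the worm's deletion list that the administrator expects to see (for example the value a deployed antivirus product registers) is missing. The snapshot format is a dict invented for the example, not the output of any real tool, and the sample snapshot's benign entries (SoundMan, the MSCTF mutex) are constructed.

```python
import ntpath

# Indicators transcribed from the Bagle.FM description above.
PERSISTENCE_VALUE_NAME = "Regmonitor"
DROPPED_FILES = {"regmaping.exe", "regmaping.exeopen", "regmaping.exeopenopen", "winresw.exe"}
BACKDOOR_PORT = 6777
KNOWN_MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
# Run values the worm deletes from HKCU and HKLM; a security product whose
# value has vanished is a secondary sign that the worm has run.
REMOVED_RUN_VALUES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
}


def triage_host(snapshot, expected_security_values=()):
    """Return human-readable findings for a host snapshot.

    snapshot is a dict in a format invented for this example:
      run_values: {registry key: {value name: value data}}
      mutexes:    list of mutex names
      listeners:  list of listening port numbers
      files:      list of file paths
    expected_security_values: Run value names the administrator expects to exist.
    """
    findings = []
    present_values = set()
    for key, values in snapshot.get("run_values", {}).items():
        for name, data in values.items():
            present_values.add(name)
            # ntpath handles Windows separators even when this runs elsewhere.
            exe = ntpath.basename(data.strip('"')).lower()
            if name == PERSISTENCE_VALUE_NAME or exe in DROPPED_FILES:
                findings.append(f"persistence: {key}\\{name} = {data}")
    for mutex in sorted(KNOWN_MUTEXES.intersection(snapshot.get("mutexes", []))):
        findings.append(f"mutex: {mutex}")
    if BACKDOOR_PORT in snapshot.get("listeners", []):
        findings.append(f"backdoor: port {BACKDOOR_PORT} is listening")
    for path in snapshot.get("files", []):
        if ntpath.basename(path).lower() in DROPPED_FILES:
            findings.append(f"dropped file: {path}")
    for name in expected_security_values:
        if name in REMOVED_RUN_VALUES and name not in present_values:
            findings.append(f"missing Run value: {name} (on the worm's deletion list)")
    return findings


# Constructed snapshot of an infected host; SoundMan and the MSCTF mutex are benign filler.
SAMPLE_SNAPSHOT = {
    "run_values": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Regmonitor": r"C:\WINDOWS\system32\regmaping.exe",
        },
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
            "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
        },
    },
    "mutexes": ["[SkyNet.cz]SystemsMutex", "MSCTF.Shared.MUTEX.ABC"],
    "listeners": [135, 445, 6777],
    "files": [r"C:\WINDOWS\winresw.exe", r"C:\WINDOWS\system32\regmaping.exeopen"],
}

if __name__ == "__main__":
    for line in triage_host(SAMPLE_SNAPSHOT, expected_security_values=("KasperskyAVEng",)):
        print(line)
```

The persistence check matches on the file name as well as the value name, so a variant that keeps regmaping.exe but renames the Run value is still caught; the missing-value check is deliberately limited to names the administrator lists, because most of the deleted names belong to products a given host never had.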

Other

The worm carries the original Bagle author's text in its body:

In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
-- Bagle Author, 29.04.04, Germany.


Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2006-02-09_03.


F-Secure Corporation

Last Modified: February 24, 2006