Bagle.N

Name: Bagle.N
Category: Virus
Type: Virus
Platform: Win32

Summary



A new Bagle variant, Bagle.N, was found in the wild late in the evening
on March 13th, 2004. Some antivirus programs might detect this
new variant as "Beagle.M".

Additional Details

Bagle.N sends highly variable emails, containing a PIF or EXE attachment.

The icon for the EXE attachments resembles the icon for TrueType fonts:



Sometimes this attachment is compressed inside a ZIP or RAR archive.

Sometimes this archive is encrypted with a password. If so, the password is not listed in the email in plaintext (as in some previous Bagle variants),
but instead shown as a BMP, JPG or GIF graphic image, such as:

Password:
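The delivery pattern described above (an executable attachment, or an encrypted archive accompanied by an image) can be checked at a mail gateway. The following Python is an added example, not code from the original description; the function names, sample filenames and sample message are constructed for illustration, and it inspects ZIP archives only because the standard library has no RAR reader.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".pif", ".scr")  # executable types named on this page

def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw message matches the delivery pattern above."""
    reasons, has_image, encrypted = [], False, False
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "image":
            has_image = True
        elif name.endswith(EXEC_EXT):
            reasons.append(f"executable attachment: {name}")
        elif name.endswith(".zip"):
            try:
                zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
            except zipfile.BadZipFile:
                reasons.append(f"unreadable archive: {name}")
                continue
            for info in zf.infolist():
                encrypted |= bool(info.flag_bits & 0x1)  # bit 0: entry encrypted
                if info.filename.lower().endswith(EXEC_EXT):
                    reasons.append(f"executable in {name}: {info.filename}")
    if encrypted:
        reasons.append("encrypted archive, password likely in image"
                       if has_image else "encrypted archive")
    return reasons

def constructed_sample() -> bytes:
    """Constructed test message: flagged-encrypted ZIP plus a GIF part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Details.exe", b"placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x01\x02") + 8] |= 0x01  # set flag bit 0 in central dir
    msg = EmailMessage()
    msg["Subject"] = "Re: Document"  # one of the subjects listed on this page
    msg.set_content("constructed body")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="Details.zip")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                       filename="pw.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Traditional ZIP encryption leaves member names readable in the central directory, so the executable inside a password-protected archive can be reported without the password.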

The virus body contains a picture of a butterfly made with ASCII graphics, which is never shown.



The Bagle.N executable is packed with an unmodified version of UPX. Once unpacking is complete, a small de-scrambling routine runs over the worm's code section. After this step the main code starts running.

This variant of the Beagle worm will terminate processes from the following list, which includes all kinds of security software:

  •  CLEANER3.EXE
  •  au.exe
  •  d3dupdate.exe
  •  CLEANPC.EXE
  •  AVprotect9x.exe
  •  CMGRDIAN.EXE
  •  CMON016.EXE
  •  CPF9X206.EXE
  •  CPFNT206.EXE
  •  CV.EXE
  •  CWNB181.EXE
  •  CWNTDWMO.EXE
  •  ICSSUPPNT.EXE
  •  DEFWATCH.EXE
  •  DEPUTY.EXE
  •  DPF.EXE
  •  DPFSETUP.EXE
  •  DRWATSON.EXE
  •  ENT.EXE
  •  ESCANH95.EXE
  •  AVXQUAR.EXE
  •  ESCANHNT.EXE
  •  ESCANV95.EXE
  •  AVPUPD.EXE
  •  EXANTIVIRUS-CNET.EXE
  •  FAST.EXE
  •  FIREWALL.EXE
  •  FLOWPROTECTOR.EXE
  •  FP-WIN_TRIAL.EXE
  •  FRW.EXE
  •  FSAV.EXE
  •  AUTODOWN.EXE
  •  FSAV530STBYB.EXE
  •  FSAV530WTBYB.EXE
  •  FSAV95.EXE
  •  GBMENU.EXE
  •  GBPOLL.EXE
  •  GUARD.EXE
  •  GUARDDOG.EXE
  •  HACKTRACERSETUP.EXE
  •  HTLOG.EXE
  •  HWPE.EXE
  •  IAMAPP.EXE
  •  IAMAPP.EXE
  •  IAMSERV.EXE
  •  ICLOAD95.EXE
  •  ICLOADNT.EXE
  •  ICMON.EXE
  •  ICSUPP95.EXE
  •  ICSUPPNT.EXE
  •  IFW2000.EXE
  •  IPARMOR.EXE
  •  IRIS.EXE
  •  JAMMER.EXE
  •  ATUPDATER.EXE
  •  AUPDATE.EXE
  •  KAVLITE40ENG.EXE
  •  KAVPERS40ENG.EXE
  •  KERIO-PF-213-EN-WIN.EXE
  •  KERIO-WRL-421-EN-WIN.EXE
  •  BORG2.EXE
  •  BS120.EXE
  •  CDP.EXE
  •  CFGWIZ.EXE
  •  CFIADMIN.EXE
  •  CFIAUDIT.EXE
  •  AUTOUPDATE.EXE
  •  CFINET.EXE
  •  NAVAPW32.EXE
  •  NAVDX.EXE
  •  NAVSTUB.EXE
  •  NAVW32.EXE
  •  NC2000.EXE
  •  NCINST4.EXE
  •  AUTOTRACE.EXE
  •  NDD32.EXE
  •  NEOMONITOR.EXE
  •  NETARMOR.EXE
  •  NETINFO.EXE
  •  NETMON.EXE
  •  NETSCANPRO.EXE
  •  NETSPYHUNTER-1.2.EXE
  •  NETSTAT.EXE
  •  NISSERV.EXE
  •  NISUM.EXE
  •  NMAIN.EXE
  •  NORTON_INTERNET_SECU_3.0_407.EXE
  •  NPF40_TW_98_NT_ME_2K.EXE
  •  NPFMESSENGER.EXE
  •  NPROTECT.EXE
  •  NSCHED32.EXE
  •  NTVDM.EXE
  •  NVARCH16.EXE
  •  KERIO-WRP-421-EN-WIN.EXE
  •  KILLPROCESSSETUP161.EXE
  •  LDPRO.EXE
  •  LOCALNET.EXE
  •  LOCKDOWN.EXE
  •  LOCKDOWN2000.EXE
  •  LSETUP.EXE
  •  OUTPOST.EXE
  •  CFIAUDIT.EXE
  •  LUCOMSERVER.EXE
  •  AGENTSVR.EXE
  •  ANTI-TROJAN.EXE
  •  ANTI-TROJAN.EXE
  •  ANTIVIRUS.EXE
  •  ANTS.EXE
  •  APIMONITOR.EXE
  •  APLICA32.EXE
  •  APVXDWIN.EXE
  •  ATCON.EXE
  •  ATGUARD.EXE
  •  ATRO55EN.EXE
  •  ATWATCH.EXE
  •  AVCONSOL.EXE
  •  AVGSERV9.EXE
  •  AVSYNMGR.EXE
  •  BD_PROFESSIONAL.EXE
  •  BIDEF.EXE
  •  BIDSERVER.EXE
  •  BIPCP.EXE
  •  BIPCPEVALSETUP.EXE
  •  BISP.EXE
  •  BLACKD.EXE
  •  BLACKICE.EXE
  •  BOOTWARN.EXE
  •  NWINST4.EXE
  •  NWTOOL16.EXE
  •  OSTRONET.EXE
  •  OUTPOSTINSTALL.EXE
  •  OUTPOSTPROINSTALL.EXE
  •  PADMIN.EXE
  •  PANIXK.EXE
  •  PAVPROXY.EXE
  •  DRWEBUPW.EXE
  •  PCC2002S902.EXE
  •  PCC2K_76_1436.EXE
  •  PCCIOMON.EXE
  •  PCDSETUP.EXE
  •  PCFWALLICON.EXE
  •  PCFWALLICON.EXE
  •  PCIP10117_0.EXE
  •  PDSETUP.EXE
  •  PERISCOPE.EXE
  •  PERSFW.EXE
  •  PF2.EXE
  •  AVLTMAIN.EXE
  •  PFWADMIN.EXE
  •  PINGSCAN.EXE
  •  PLATIN.EXE
  •  POPROXY.EXE
  •  POPSCAN.EXE
  •  PORTDETECTIVE.EXE
  •  PPINUPDT.EXE
  •  PPTBC.EXE
  •  PPVSTOP.EXE
  •  PROCEXPLORERV1.0.EXE
  •  PROPORT.EXE
  •  PROTECTX.EXE
  •  PSPF.EXE
  •  WGFE95.EXE
  •  WHOSWATCHINGME.EXE
  •  AVWUPD32.EXE
  •  NUPGRADE.EXE
  •  WHOSWATCHINGME.EXE
  •  WINRECON.EXE
  •  WNT.EXE
  •  WRADMIN.EXE
  •  WRCTRL.EXE
  •  WSBGATE.EXE
  •  WYVERNWORKSFIREWALL.EXE
  •  XPF202EN.EXE
  •  ZAPRO.EXE
  •  ZAPSETUP3001.EXE
  •  ZATUTOR.EXE
  •  CFINET32.EXE
  •  CLEAN.EXE
  •  CLEANER.EXE
  •  CLEANER3.EXE
  •  CLEANPC.EXE
  •  CMGRDIAN.EXE
  •  CMON016.EXE
  •  CPD.EXE
  •  CFGWIZ.EXE
  •  CFIADMIN.EXE
  •  PURGE.EXE
  •  PVIEW95.EXE
  •  QCONSOLE.EXE
  •  QSERVER.EXE
  •  RAV8WIN32ENG.EXE
  •  REGEDT32.EXE
  •  REGEDIT.EXE
  •  UPDATE.EXE
  •  RESCUE.EXE
  •  RESCUE32.EXE
  •  RRGUARD.EXE
  •  RSHELL.EXE
  •  RTVSCN95.EXE
  •  RULAUNCH.EXE
  •  SAFEWEB.EXE
  •  SBSERV.EXE
  •  SD.EXE
  •  SETUP_FLOWPROTECTOR_US.EXE
  •  SETUPVAMEEVAL.EXE
  •  SFC.EXE
  •  SGSSFW32.EXE
  •  SH.EXE
  •  SHELLSPYINSTALL.EXE
  •  SHN.EXE
  •  SMC.EXE
  •  SOFI.EXE
  •  SPF.EXE
  •  SPHINX.EXE
  •  SPYXX.EXE
  •  SS3EDIT.EXE
  •  ST2.EXE
  •  SUPFTRL.EXE
  •  LUALL.EXE
  •  SUPPORTER5.EXE
  •  SYMPROXYSVC.EXE
  •  SYSEDIT.EXE
  •  TASKMON.EXE
  •  TAUMON.EXE
  •  TAUSCAN.EXE
  •  TC.EXE
  •  TCA.EXE
  •  TCM.EXE
  •  TDS2-98.EXE
  •  TDS2-NT.EXE
  •  TDS-3.EXE
  •  TFAK5.EXE
  •  TGBOB.EXE
  •  TITANIN.EXE
  •  TITANINXP.EXE
  •  TRACERT.EXE
  •  TRJSCAN.EXE
  •  TRJSETUP.EXE
  •  TROJANTRAP3.EXE
  •  UNDOBOOT.EXE
  •  VBCMSERV.EXE
  •  VBCONS.EXE
  •  VBUST.EXE
  •  VBWIN9X.EXE
  •  VBWINNTW.EXE
  •  VCSETUP.EXE
  •  VFSETUP.EXE
  •  VIRUSMDPERSONALFIREWALL.EXE
  •  VNLAN300.EXE
  •  VNPC3000.EXE
  •  VPC42.EXE
  •  VPFW30S.EXE
  •  VPTRAY.EXE
  •  VSCENU6.02D30.EXE
  •  VSECOMR.EXE
  •  VSHWIN32.EXE
  •  VSISETUP.EXE
  •  VSMAIN.EXE
  •  VSMON.EXE
  •  VSSTAT.EXE
  •  VSWIN9XE.EXE
  •  VSWINNTSE.EXE
  •  VSWINPERSE.EXE
  •  W32DSM89.EXE
  •  W9X.EXE
  •  WATCHDOG.EXE
  •  WEBSCANX.EXE
  •  CFIAUDIT.EXE
  •  CFINET.EXE
  •  ICSUPP95.EXE
  •  MCUPDATE.EXE
  •  CFINET32.EXE
  •  CLEAN.EXE
  •  CLEANER.EXE
  •  LUINIT.EXE
  •  MCAGENT.EXE
  •  MCUPDATE.EXE
  •  MFW2EN.EXE
  •  MFWENG3.02D30.EXE
  •  MGUI.EXE
  •  MINILOG.EXE
  •  MOOLIVE.EXE
  •  MRFLUX.EXE
  •  MSCONFIG.EXE
  •  MSINFO32.EXE
  •  MSSMMC32.EXE
  •  MU0311AD.EXE
  •  NAV80TRY.EXE
  •  ZAUINST.EXE
  •  ZONALM2601.EXE
  •  ZONEALARM.EXE

System Infection


It will copy itself to folders in the infected system, with filenames from the list:

  •  Microsoft Office 2003 Crack, Working!.exe
  •  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  •  Microsoft Office XP working Crack, Keygen.exe
  •  Porno, sex, oral, anal cool, awesome!!.exe
  •  Porno Screensaver.scr
  •  Serials.txt.exe
  •  Porno pics arhive, xxx.exe
  •  Windows Sourcecode update.doc.exe
  •  Ahead Nero 7.exe
  •  Windown Longhorn Beta Leak.exe
  •  Opera 8 New!.exe
  •  XXX hardcore images.exe
  •  WinAmp 6 New!.exe
  •  WinAmp 5 Pro Keygen Crack Update.exe
  •  Adobe Photoshop 9 full.exe
  •  Matrix 3 Revolution English Subtitles.exe
  •  ACDSee 9.exe

This worm is also capable of infecting EXE files.


Email Spreading


It will collect addresses from files with the following extensions:

  •  .wab
  •  .txt
  •  .msg
  •  .htm
  •  .shtm
  •  .stm
  •  .xml
  •  .dbx
  •  .mbx
  •  .mdx
  •  .eml
  •  .nch
  •  .mmf
  •  .ods
  •  .cfg
  •  .asp
  •  .php
  •  .wsh
  •  .adb
  •  .tbb
  •  .sht
  •  .xls
  •  .oft
  •  .uin
  •  .cgi
  •  .mht
  •  .dhtm
  •  .jsp

The e-mail messages in which the worm spreads have the characteristics detailed below.

Subject will be one of the following:

  •  E-mail account security warning.
  •  Notify about using the e-mail account.
  •  Warning about your e-mail account.
  •  Important notify about your e-mail account.
  •  Email account utilization warning.
  •  E-mail technical support message.
  •  E-mail technical support warning.
  •  Email report
  •  Important notify
  •  Account notify
  •  E-mail warning
  •  Notify from e-mail technical support.
  •  Notify about your e-mail account utilization.
  •  E-mail account disabling warning.
  •  Re: Msg reply
  •  Re: Hello
  •  Re: Yahoo!
  •  Re: Thank you!
  •  Re: Thanks :)
  •  RE: Text message
  •  Re: Document
  •  Incoming message
  •  Re: Incoming Message
  •  Re: Incoming Fax
  •  Hidden message
  •  Fax Message Received
  •  Protected message
  •  RE: Protected message
  •  Forum notify
  •  Request response
  •  Site changes
  •  Re: Hi
  •  Encrypted document

The body of the message will contain different warning messages and notifications addressed to the recipient of the infected message.