F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Bagle.X

[Summary] | [Disinfection] | [Detailed Description] | [Detection]



NAME:Bagle.X
ALIAS:I-Worm.Bagle.w, TrojanProxy.Win32.Mitglieder.AJ, W32/Bagle.X
ALIAS:W32/Mitglieder.AJ
SIZE:16896

Summary

A new Bagle variant appeared on April 19th, 2004. It is very similar to Bagle.W variant, but drops a bit different Mitglieder proxy trojan variant on an infected computer. Bagle.X, like the previous variant does not have its own replication routine, so it was most likely spammed in e-mail using computers where proxy trojans were installed.

Disinfection

F-Secure provides the special disinfection utility to eliminate Bagle.X worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-bagle.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar

Back to the Top


Detailed Description

The Bagle.X's file is a PE executable about 16896 bytes in size packed with UPX file compressor.

When it is run, it copies itself as IRUN4.EXE file to Windows System folder and creates a startup key for this file in the Registry: 

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "ssgrate.exe" = "%winsysdir%\irun4.exe"

where %winsysdir% represents Windows System folder name.

Then Bagle.X drops 2 more files into Windows System folder: SYSTEM.EXE and IINJ4.EXE. Both files are DLLs (Dynamic Link Libraries). The IINJ4.EXE is a loader for SYSTEM.EXE file. It allows both files to become DLLs used by EXPLORER.EXE file (one of the main Windows components).

The SYSTEM.EXE file is a new variant of Mitglieder proxy trojan. When activated it opens a backdoor on port 18881, listens for remote commands and works as a mail relay. The trojan connects to several websites to report infected computer's IP address and proxy port. Also the trojan connects to several websites to download a list of banned IP addresses that the proxy will ignore.

Additionally the trojan tries to kill processes that belong to certain anti-virus and security software. Here's the list of the processes that the trojan kills: 

 OUTPOST.EXE
 NMAIN.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NSCHED32.EXE
 NTVDM.EXE
 NVARCH16.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KILLPROCESSSETUP161.EXE
 LDPRO.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LSETUP.EXE
 CLEANPC.EXE
 AVprotect9x.exe
 CMGRDIAN.EXE
 CMON016.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 ICSSUPPNT.EXE
 DEFWATCH.EXE
 DEPUTY.EXE
 DPF.EXE
 DPFSETUP.EXE
 DRWATSON.EXE
 ENT.EXE
 ESCANH95.EXE
 AVXQUAR.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 AVPUPD.EXE
 EXANTIVIRUS-CNET.EXE
 FAST.EXE
 FIREWALL.EXE
 FLOWPROTECTOR.EXE
 FP-WIN_TRIAL.EXE
 FRW.EXE
 FSAV.EXE
 AUTODOWN.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GUARD.EXE
 GUARDDOG.EXE
 HACKTRACERSETUP.EXE
 HTLOG.EXE
 HWPE.EXE
 IAMAPP.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFW2000.EXE
 IPARMOR.EXE
 IRIS.EXE
 JAMMER.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 BORG2.EXE
 BS120.EXE
 CDP.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 AUTOUPDATE.EXE
 CFINET.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NC2000.EXE
 NCINST4.EXE
 AUTOTRACE.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NETARMOR.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NISSERV.EXE
 NISUM.EXE
 CFIAUDIT.EXE
 LUCOMSERVER.EXE
 AGENTSVR.EXE
 ANTI-TROJAN.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATWATCH.EXE
 AVCONSOL.EXE
 AVGSERV9.EXE
 AVSYNMGR.EXE
 BD_PROFESSIONAL.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BOOTWARN.EXE
 NWINST4.EXE
 NWTOOL16.EXE
 OSTRONET.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PAVPROXY.EXE
 DRWEBUPW.EXE
 PCC2002S902.EXE
 PCC2K_76_1436.EXE
 PCCIOMON.EXE
 PCDSETUP.EXE
 PCFWALLICON.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PF2.EXE
 AVLTMAIN.EXE
 PFWADMIN.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PPINUPDT.EXE
 PPTBC.EXE
 PPVSTOP.EXE
 PROCEXPLORERV1.0.EXE
 PROPORT.EXE
 PROTECTX.EXE
 PSPF.EXE
 WGFE95.EXE
 WHOSWATCHINGME.EXE
 AVWUPD32.EXE
 NUPGRADE.EXE
 WHOSWATCHINGME.EXE
 WINRECON.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WYVERNWORKSFIREWALL.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CPD.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 PURGE.EXE
 PVIEW95.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAV8WIN32ENG.EXE
 REGEDT32.EXE
 REGEDIT.EXE
 UPDATE.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 SAFEWEB.EXE
 SBSERV.EXE
 SD.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SETUPVAMEEVAL.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SMC.EXE
 SOFI.EXE
 SPF.EXE
 SPHINX.EXE
 SPYXX.EXE
 SS3EDIT.EXE
 ST2.EXE
 SUPFTRL.EXE
 LUALL.EXE
 SUPPORTER5.EXE
 SYMPROXYSVC.EXE
 SYSEDIT.EXE
 TASKMON.EXE
 TAUMON.EXE
 TAUSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 TDS-3.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 UNDOBOOT.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VFSETUP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCENU6.02D30.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBSCANX.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 ICSUPP95.EXE
 MCUPDATE.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 LUINIT.EXE
 MCAGENT.EXE
 MCUPDATE.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGUI.EXE
 MINILOG.EXE
 MOOLIVE.EXE
 MRFLUX.EXE
 MSCONFIG.EXE
 MSINFO32.EXE
 MSSMMC32.EXE
 MU0311AD.EXE
 NAV80TRY.EXE
 ZAUINST.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE

The description of the original Mitglieder proxy trojan can be found here:

http://www.f-secure.com/v-descs/mitglieder_h.shtml


Back to the Top


Detection

F-Secure Anti-Virus detects Bagle.X and Mitglieder.AJ in the following update:

[FSAV_Database_Version]

Version=2004-04-19_01

Back to the Top


Technical Details: Alexey Podrezov, April 19th, 2004;

Description Updated: Alexey Podrezov, May 5th, 2004;

F-Secure Corporation