F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Bagle.Y

[Summary] | [Disinfection] | [Detailed Description] | [Detection]

THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 2

NAME:Bagle.Y
ALIAS:I-Worm.Bagle.y, W32/Bagle.Y@mm

Summary

Another new Bagle variant was found on April 26th, 2004. This variant differs from the ones that we've seen before. The worm sends itself in several different types of e-mails. Also the worm copies itself to shared folders with different names and opens a backdoor on an infected computer.

The worm's executable file icon looks like a cherry:

Disinfection

F-Secure provides the special disinfection utility to eliminate Bagle.Y worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-bagle.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-bagle.jar

Back to the Top


Detailed Description

The worm is a PE executable about 39 kilobytes long. The worm's file is packed with UPX file compressor. Additionally the worm uses encryption of its code and data areas and adds random garbage to the end of its file as a decoy. The worm can also spread with a prepended CPL stub (see info below).

Installation to system

When the worm's file is run, it copies itself as DRVSYS.EXE file to Windows System folder and creates a startup key for this file in the Registry: 

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "drvsys.exe" = "%winsysdir%\drvsys.exe"

where %winsysdir% represents Windows System folder name.

The worm creates 2 more files in Windows System folder: 

 drvsys.exeopen
 drvsys.exeopenopen

These files are used when the worm spreads itself in e-mails.

Additionally the worm shows a fake error messagebox with the following text: 

 Error!


 Can't find a viewer associated with the file

Spreading in e-mail

The worm scans a hard drive to collect victims' e-mail addresses. It scans files with the following extensions: 

 .wab
 .txt
 .msg
 .htm
 .shtm
 .stm
 .xml
 .dbx
 .mbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .wsh
 .adb
 .tbb
 .sht
 .xls
 .oft
 .uin
 .cgi
 .mht
 .dhtm
 .jsp

The worm ignores e-mail addresses that contain the following strings: 

 @hotmail
 @msn
 @microsoft
 rating@
 f-secur
 news
 update
 anyone@
 bugs@
 contract@
 feste
 gold-certs@
 help@
 info@
 nobody@
 noone@
 kasp
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 sopho
 @foo
 @iana
 free-av
 @messagelab
 winzip
 google
 winrar
 samples
 abuse
 panda
 cafee
 spam
 pgp
 @avp.
 noreply
 local
 root@
 postmaster@

The worm spreads itself in e-mails. It composes several different types of e-mail messages. The worm can attach itself as an executable file with COM, EXE, SCR and CPL extension (see below), as a ZIP archive (password-protected) and also as an HTA and VBS files that contain a script dropper for the worm's binary file.

The HTA file that the worm sends in e-mails looks like windows update and is minimized and closed quickly. It creates the VBS file named QQ.VBS that drops the BBBS.EXE file - the worm's executable file. The VBS file that the worm sends just drops and runs the BBBS.EXE file.

When spreading as a CPL file, the worm prepends a small binary dropper to its executable file. When the CPL file is activated, it copies itself as CPLSTUB.EXE file to Windows folder and then drops the worm's file into Windows System folder.

The worm can attach an image of a girl to its message. There are 3 girl images inside the worm's body.

Backdoor

The worm has a backdoor that listens to port 2535. When active, the worm periodically connects to websites (it has a hardcoded list of 93 websites) and reports backdoor's ID and backdoor's port to the worm author.

Spreading to shared folders

The worm is capable of spreading to shared folders. It scans all available drives and if it finds a folder name that contains 'shar' substring, the worm copies itself there with the following names: 

 Microsoft Office 2003 Crack, Working!.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 Microsoft Office XP working Crack, Keygen.exe
 Porno, sex, oral, anal cool, awesome!!.exe
 Porno Screensaver.scr
 Serials.txt.exe
 KAV 5.0
 Kaspersky Antivirus 5.0
 Porno pics arhive, xxx.exe
 Windows Sourcecode update.doc.exe
 Ahead Nero 7.exe
 Windown Longhorn Beta Leak.exe
 Opera 8 New!.exe
 XXX hardcore images.exe
 WinAmp 6 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 Adobe Photoshop 9 full.exe
 Matrix 3 Revolution English Subtitles.exe
 ACDSee 9.exe

This method allows the worm to spread to shared folders if P2P (peer-to-peer) clients and to shared network folders.

Terminating processes

Bagle.Y terminates processes of security and anti-virus software as well as some other applications. Processes of the following applications are terminated: 

 OUTPOST.EXE
 NMAIN.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NSCHED32.EXE
 NTVDM.EXE
 NVARCH16.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KILLPROCESSSETUP161.EXE
 LDPRO.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LSETUP.EXE
 CLEANPC.EXE
 AVprotect9x.exe
 CMGRDIAN.EXE
 CMON016.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 ICSSUPPNT.EXE
 DEFWATCH.EXE
 DEPUTY.EXE
 DPF.EXE
 DPFSETUP.EXE
 DRWATSON.EXE
 ENT.EXE
 ESCANH95.EXE
 AVXQUAR.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 AVPUPD.EXE
 EXANTIVIRUS-CNET.EXE
 FAST.EXE
 FIREWALL.EXE
 FLOWPROTECTOR.EXE
 FP-WIN_TRIAL.EXE
 FRW.EXE
 FSAV.EXE
 AUTODOWN.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GUARD.EXE
 GUARDDOG.EXE
 HACKTRACERSETUP.EXE
 HTLOG.EXE
 HWPE.EXE
 IAMAPP.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFW2000.EXE
 IPARMOR.EXE
 IRIS.EXE
 JAMMER.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 BORG2.EXE
 BS120.EXE
 CDP.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 AUTOUPDATE.EXE
 CFINET.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NC2000.EXE
 NCINST4.EXE
 AUTOTRACE.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NETARMOR.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NISSERV.EXE
 NISUM.EXE
 CFIAUDIT.EXE
 LUCOMSERVER.EXE
 AGENTSVR.EXE
 ANTI-TROJAN.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATWATCH.EXE
 AVCONSOL.EXE
 AVGSERV9.EXE
 AVSYNMGR.EXE
 BD_PROFESSIONAL.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BOOTWARN.EXE
 NWINST4.EXE
 NWTOOL16.EXE
 OSTRONET.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PAVPROXY.EXE
 DRWEBUPW.EXE
 PCC2002S902.EXE
 PCC2K_76_1436.EXE
 PCCIOMON.EXE
 PCDSETUP.EXE
 PCFWALLICON.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PF2.EXE
 AVLTMAIN.EXE
 PFWADMIN.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PPINUPDT.EXE
 PPTBC.EXE
 PPVSTOP.EXE
 PROCEXPLORERV1.0.EXE
 PROPORT.EXE
 PROTECTX.EXE
 PSPF.EXE
 WGFE95.EXE
 WHOSWATCHINGME.EXE
 AVWUPD32.EXE
 NUPGRADE.EXE
 WHOSWATCHINGME.EXE
 WINRECON.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WYVERNWORKSFIREWALL.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CPD.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 PURGE.EXE
 PVIEW95.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAV8WIN32ENG.EXE
 REGEDT32.EXE
 REGEDIT.EXE
 UPDATE.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 SAFEWEB.EXE
 SBSERV.EXE
 SD.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SETUPVAMEEVAL.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SMC.EXE
 SOFI.EXE
 SPF.EXE
 SPHINX.EXE
 SPYXX.EXE
 SS3EDIT.EXE
 ST2.EXE
 SUPFTRL.EXE
 LUALL.EXE
 SUPPORTER5.EXE
 SYMPROXYSVC.EXE
 SYSEDIT.EXE
 TASKMON.EXE
 TAUMON.EXE
 TAUSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 TDS-3.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 UNDOBOOT.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VFSETUP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCENU6.02D30.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBSCANX.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 ICSUPP95.EXE
 MCUPDATE.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 LUINIT.EXE
 MCAGENT.EXE
 MCUPDATE.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGUI.EXE
 MINILOG.EXE
 MOOLIVE.EXE
 MRFLUX.EXE
 MSCONFIG.EXE
 MSINFO32.EXE
 MSSMMC32.EXE
 MU0311AD.EXE
 NAV80TRY.EXE
 ZAUINST.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE

Uninstalling Netsky worm

Looks like the war between Bagle and Netsky authors is still going on. This variant of Bagle removes the following Netsky worm startup keys: 

 My AV
 Zone Labs Client Ex
 9XHtProtect
 Antivirus
 Special Firewall Service
 service
 Tiny AV
 ICQNet
 HtProtect
 NetDy
 Jammer2nd
 FirewallSvr
 MsInfo
 SysMonXP
 EasyAV
 PandaAVEngine
 Norton Antivirus AV
 KasperskyAVEng
 ICQ Net


Back to the Top


Detection

F-Secure Anti-Virus detects Bagle.Y worm with the following update:

[FSAV_Database_Version]

Version=2004-04-26_03

Back to the Top


Technical Details: Alexey Podrezov and Katrin Tocheva, April 26th, 2004;

Description Updated: Alexey Podrezov, May 5th, 2004;

F-Secure Corporation