Threat Description

Bagz.G

Details

Aliases: I-Worm.Bagz.g, W32/Bagz.G@mm, Bagz.g
Category: Malware
Type: Worm
Platform: W32

Summary



The Bagz.G worm variant was found on November 2nd, 2004. The first report from the field was received from Japan. The worm spreads itself in e-mails with various subject and body texts; the attachment is either an executable file or a ZIP archive. Additionally, the worm drops a Growom proxy trojan variant.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Installation to system

The Bagz.G worm spreads in e-mails inside a dropper. When the dropper's file is run, it drops two files into the Windows System folder:

 sysinfo32.exe
 trace32.exe


The 'sysinfo32.exe' file is a Growom proxy trojan variant. The 'trace32.exe' file is the main component of the worm; it attempts to start as a service. Once started, this component creates another file in the Windows System folder:

 sqlssl.doc  <lots of spaces>  .exe


This file is a copy of the worm's dropper (its size can differ) and is used for spreading.
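The installation indicators above (the two dropped components, the service started from trace32.exe, and the padded 'sqlssl.doc  <lots of spaces>  .exe' copy) can be checked on a suspect host or on a collected directory listing. The following Python is an added example written for this description, not F-Secure code; it builds a constructed stand-in for the Windows System folder and a constructed service table, and the service name "trace32" in that table is an assumption, since the description does not give the service name.

```python
import ntpath
import os
import re
import tempfile

# File names the dropper writes to the Windows System folder (from the description).
DROPPED_FILES = {"sysinfo32.exe", "trace32.exe"}

# The spreading copy is named "sqlssl.doc  <lots of spaces>  .exe": a decoy
# .doc extension, a run of whitespace, then the real .exe extension.
SPREAD_COPY = re.compile(r"^sqlssl\.doc\s+\.exe$", re.I)

# Constructed service table (service name -> image path). The description says
# trace32.exe tries to start as a service but does not give the service
# name, so "trace32" here is an assumption.
SAMPLE_SERVICES = {
    "Eventlog": r"C:\WINDOWS\system32\services.exe",
    "trace32": r"C:\WINDOWS\system32\trace32.exe",
}


def scan_system_folder(system_dir: str) -> list:
    """Report entries in system_dir that match the installation indicators."""
    findings = []
    for entry in sorted(os.listdir(system_dir)):
        if entry.lower() in DROPPED_FILES:
            findings.append(f"dropped component present: {entry}")
        elif SPREAD_COPY.match(entry):
            findings.append(f"spreading copy present: {entry!r} (padded name)")
    return findings


def scan_services(services: dict) -> list:
    """Flag services whose image is one of the dropped components. ntpath is
    used so Windows paths parse correctly on any host."""
    findings = []
    for name, image in services.items():
        binary = ntpath.basename(image.strip().strip('"')).lower()
        if binary in DROPPED_FILES:
            findings.append(f"service {name!r} runs dropped component {binary}")
    return findings


def build_sample_system_dir() -> str:
    """Constructed directory standing in for the Windows System folder; the
    files contain placeholder bytes, not the worm."""
    folder = tempfile.mkdtemp(prefix="bagz_demo_")
    for name in ("kernel32.dll", "sysinfo32.exe", "trace32.exe",
                 "sqlssl.doc" + " " * 50 + ".exe"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"placeholder, not malware")
    return folder


if __name__ == "__main__":
    sample = build_sample_system_dir()
    for line in scan_system_folder(sample) + scan_services(SAMPLE_SERVICES):
        print(line)
```

On a real host, point scan_system_folder at the System folder and feed scan_services the service table exported from the Service Control Manager; the regular expression catches the spreading copy however many spaces pad its name.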

Spreading in e-mails

Before spreading, the worm looks for victims' e-mail addresses. To collect addresses, the worm scans files with the following extensions:

 .TBB
 .tbb
 .TBI
 .tbi
 .DBX
 .dbx
 .HTM
 .htm
 .TXT
 .txt


The worm ignores e-mail addresses that contain any of the following substrings:

 @avp
 @foo
 @iana
 @messagelab
 @microsoft
 abuse
 admin
 administrator@
 all@
 anyone@
 bsd
 bugs@
 cafee
 certific
 certs@
 contact@
 contract@
 f-secur
 feste
 free-av
 gold-
 gold-certs@
 google
 help@
 hostmaster@
 icrosoft
 info@
 kasp
 linux
 listserv
 local
 netadmin@
 news
 nobody@
 noone@
 noreply
 ntivi
 panda
 postmaster@
 rating@
 root@
 samples
 sopho
 spam
 support
 support@
 unix
 update
 webmaster@
 winrar
 winzip


The worm uses its own SMTP engine to send e-mails. The subject of an infected e-mail is selected from the following variants:

 Allert!
 re: order
 re: please
 re: Andrey
 Vasia
 text
 Warning
 Administrator
 best regards
 waiting
 attach
 attachments
 Amirecans
 Russian's
 Hello
 Have a nice day
 office
 Money
 contract
 toxic
 urgent
 Read this
 please responce
 ASAP


The body of an infected e-mail is selected from the following variants:

 Hi
 Did you get the previous document I attached for you?
 I resent it in this email just in case, because I
 really need you to check it out asap.
 Best Regards


--- or ---

 Hi
 I made a mistake and forgot to click attach
 on the previous email I sent you. Please give me
 your opinion on this opportunity when you get a chance.
 Best Regards


--- or ---

 Hi
 I was supposed to send you this document yesterday.
 Sorry for the delay, please forward this to your family if possible.
 It contains important info for both of you.


--- or ---

 Hi
 Sorry, I forgot to send an important
 document to you in that last email. I had an important phone call.
 Please checkout attached doc file when you have a moment.
 Best Regards


--- or ---

 Hi
 I was in a rush and I forgot to attach an important
 document. Please see attached doc file.
 Best Regards,


--- or ---

 Sorry to bother you, but I am having a problem receiving your emails.
 I am responding to your last email in the attached file.
 Please get back to me if there is any problem reading the attachment.


--- or ---

 I am responding to your last email in the attached file.
 I had a delivery problem with your inbox, so maybe you'll receive this now.


--- or ---

 Can you please check out the email I have attached?
 For some reason, I received only part of your last several emails.
 I want to make sure that there are no problems with either of our accounts.


--- or ---

 This email is being sent as attachment because
 it was previously blocked by your email filters.
 Please view the attachment and respond.
 Thanks


--- or ---

 I resent this email as attachment because
 it was previously blocked by your email filters.
 Please read the attachment and respond.
 Thanks


--- or ---

 I apologize, but I need you to verify
 that I have the correct contact info for you.
 My system crashed last weekend and
 I lost most of my friends and work contacts.
 Please check the attached (.pdf) and
 please let me know if your info is current.


--- or ---

 My last email to you was returned.
 The reason is that I am not currently
 added to your allowed contact list.
 Please add my updated contact info
 provided in the attached (.pdf) file
 so I can send you emails in the future.
 Sincerely


--- or ---

 I have updated my email address
 See the (.pdf) file attached and
 please respond if you have any questions.


--- or ---

 We have made recent updates to our database.
 Please verify your mailing address on file is correct.
 We have attached a (.pdf) sheet for you to use for your response.


--- or ---

 Hello
 Our contact information has changed.
 See the attached (.pdf) sheet for details.
 Sincerely,


--- or ---

 ***URGENT: SERVICE SHUTDOWN NOTICE***
 Due to your failure to comply with our email
 Rules and Regulations, your email account has been
 temporarily suspended for 24 hours unless we are contacted regarding
 this situation.
 You must read the attached document for further
 instructions. Failure to comply will result in termination of your account.
 Regards,
 Net Operator
 ***URGENT: SERVICE SHUTDOWN NOTICE***


--- or ---

 ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
 You are currently unable to send emails.
 This may be a billing issue.
 Please call the billing center.
 The # for the billing office is located in the attached
 contact list for your convenience.
 ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***


--- or ---

 ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
 Hello,
 The previous email you sent has been recognized as spam.
 This means your email was not delivered to your friend or client.
 You must open the attached file to receive more information.
 ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***


--- or ---

 Hello,
 What version of windows you are using?
 This last document I received from you came out weird.
 Please see the attached word file and resend the file to me.
 Many thanks,
 User


--- or ---

 Hello,
 My PC crashed while I was sending that last email.
 I have re-attached the document of yours that I discovered.
 Please read attached document and respond ASAP.
 Sincerely,
 User


--- or ---

 Hello,
 Your email was sent in an INVALID format.
 To verify this email was sent from you,
 simply open the attached email (.eml) file
 and click yes in the sender options box.
 Thank You,
 User


--- or ---

 Hello,
  Your email was received.
 YOUR REPLY IS URGENT!
 Please view the attached text file for instructions.
 Regards,
 User


--- or ---

 Hello,
   I was in a hurry and I forgot to attach an important
   document. Please see attached.
  Best Regards,
 User


--- or ---

 Hello,
  I resent this email as attachment because
  it was previously blocked by your email filters.
  Please read the attachment and respond.
 Thanks,User


--- or ---

 Hello,
 Sorry, I forgot to attach the new contact information.
 Please view the attached (.pdf) contact sheet.
 Sincerely, User


The worm attaches its body to the e-mail messages it sends out. The attachment name is selected from the following variants:

 docs.zip
 documentation.zip
 ataches.zip
 zip.zip
 rar.zip
 save.zip
 outbox.zip
 inbox.zip
 manual.zip
 archives.zip
 payment.zip
 photos.zip
 help.zip
 readme.zip
 about.zip
 archivator.zip
 admin.zip
 backup.zip
 docs.doc  <lots of spaces>  .exe
 documentation.doc  <lots of spaces>  .exe
 ataches.doc  <lots of spaces>  .exe
 zip.doc  <lots of spaces>  .exe
 rar.doc  <lots of spaces>  .exe
 save.doc  <lots of spaces>  .exe
 outbox.doc  <lots of spaces>  .exe
 inbox.doc  <lots of spaces>  .exe
 manual.doc  <lots of spaces>  .exe
 archives.doc  <lots of spaces>  .exe
 payment.doc  <lots of spaces>  .exe
 photos.doc  <lots of spaces>  .exe
 help.doc  <lots of spaces>  .exe
 readme.doc  <lots of spaces>  .exe
 about.doc  <lots of spaces>  .exe
 archivator.doc  <lots of spaces>  .exe
 admin.doc  <lots of spaces>  .exe
 backup.doc  <lots of spaces>  .exe


When the worm sends itself in a ZIP archive, the worm's file is stored in that archive uncompressed.
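The attachment naming above gives a mail gateway two things to look for: the '<name>.doc  <lots of spaces>  .exe' trick, which hides the real extension behind a run of whitespace, and ZIP attachments whose executable member is stored uncompressed. The following Python is an added example written for this description, not F-Secure code. It generalises the padded-name check to any short decoy extension rather than only '.doc' (an assumption beyond the description), and the sample archive it builds holds placeholder bytes, not the worm.

```python
import io
import re
import zipfile
from typing import Optional

# Attachment base names listed in the description (both the .zip form and
# the padded "<name>.doc  <lots of spaces>  .exe" form use these).
BAGZ_BASENAMES = {
    "docs", "documentation", "ataches", "zip", "rar", "save", "outbox",
    "inbox", "manual", "archives", "payment", "photos", "help", "readme",
    "about", "archivator", "admin", "backup",
}

# A decoy extension, a run of whitespace that pushes the real extension out
# of view in a mail client, then ".exe". Generalised beyond the description's
# ".doc" to any short decoy extension (an assumption, not from the page).
PADDED_EXE = re.compile(r"^(?P<base>[^.]+)\.(?P<decoy>[a-z0-9]{1,5})\s{2,}\.exe$", re.I)


def inspect_name(name: str) -> list:
    """Return the reasons an attachment file name looks like Bagz.G."""
    reasons = []
    m = PADDED_EXE.match(name)
    if m:
        reasons.append(f"padded double extension .{m.group('decoy').lower()} ... .exe")
        base = m.group("base").lower()
    else:
        base = name.rpartition(".")[0].lower()   # '' when there is no dot
    if base in BAGZ_BASENAMES:
        reasons.append(f"base name '{base}' is on the Bagz.G attachment list")
    return reasons


def inspect_zip(data: bytes) -> list:
    """Flag ZIP members stored uncompressed and/or carrying a padded .exe name."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            if info.compress_type == zipfile.ZIP_STORED and info.filename.lower().endswith(".exe"):
                reasons.append(f"stored (uncompressed) executable member '{info.filename}'")
            reasons.extend("member: " + r for r in inspect_name(info.filename))
    return reasons


def inspect_attachment(name: str, data: Optional[bytes] = None) -> list:
    """Combine the file-name checks with the archive checks for .zip attachments."""
    reasons = inspect_name(name)
    if data is not None and name.lower().endswith(".zip"):
        reasons.extend(inspect_zip(data))
    return reasons


def build_sample_zip(member_name: str, stored: bool = True) -> bytes:
    """Constructed sample archive; the member content is a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder content, not malware",
                    compress_type=zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [
        ("docs.doc" + " " * 60 + ".exe", None),
        ("docs.zip", build_sample_zip("docs.doc" + " " * 60 + ".exe")),
        ("report.zip", build_sample_zip("report.doc", stored=False)),
        ("quarterly_report.pdf", None),
    ]:
        print(f"{name!r}: {inspect_attachment(name, data) or 'no indicators'}")
```

The whitespace check is the durable part: the base-name list only catches this variant, while a padded double extension is suspicious in any message regardless of which name it uses.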

Payload

The worm overwrites the HOSTS file to block access from an infected computer to the following sites:

 ad.doubleclick.net
 ad.fastclick.net
 ads.fastclick.net
 ar.atwola.com
 atdmt.com
 avp.ch
 avp.com
 avp.ru
 awaps.net
 banner.fastclick.net
 banners.fastclick.net
 ca.com
 click.atdmt.com
 clicks.atdmt.com
 dispatch.mcafee.com
 download.mcafee.com
 download.microsoft.com
 downloads.microsoft.com
 engine.awaps.net
 fastclick.net
 f-secure.com
 ftp.f-secure.com
 ftp.sophos.com
 go.microsoft.com
 liveupdate.symantec.com
 mast.mcafee.com
 mcafee.com
 media.fastclick.net
 msdn.microsoft.com
 my-etrust.com
 nai.com
 networkassociates.com
 office.microsoft.com
 phx.corporate-ir.net
 secure.nai.com
 securityresponse.symantec.com
 service1.symantec.com
 sophos.com
 spd.atdmt.com
 support.microsoft.com
 symantec.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 vil.nai.com
 viruslist.ru
 windowsupdate.microsoft.com
 www.avp.ch
 www.avp.com
 www.avp.ru
 www.awaps.net
 www.ca.com
 www.fastclick.net
 www.f-secure.com
 www.kaspersky.ru
 www.mcafee.com
 www.my-etrust.com
 www.nai.com
 www.networkassociates.com
 www.sophos.com
 www.symantec.com
 www.trendmicro.com
 www.viruslist.ru
 www3.ca.com

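Because the HOSTS file is consulted before DNS, a rewritten HOSTS file silently breaks antivirus and Windows updates on the infected machine, so auditing it is a quick triage step. The following Python is an added example written for this description, not F-Secure code; it carries only a subset of the sites listed above (extend the set with the remaining entries), its sample HOSTS content is constructed, and the loopback and 0.0.0.0 addresses in that sample are an assumption, since the description does not say which address the worm maps the sites to. Matching a host as a subdomain of a listed domain also goes beyond the description's exact list.

```python
from typing import Optional

# Subset of the sites the description lists as blocked through the HOSTS
# file (the full list is on the page; add the remaining entries the same way).
BLOCKED_SITES = {
    "avp.com", "ca.com", "download.microsoft.com", "f-secure.com",
    "liveupdate.symantec.com", "mcafee.com", "nai.com", "sophos.com",
    "symantec.com", "update.symantec.com", "viruslist.ru",
    "windowsupdate.microsoft.com", "www.f-secure.com", "www.kaspersky.ru",
    "www.mcafee.com", "www.sophos.com", "www.symantec.com",
    "www.trendmicro.com",
}

# Constructed sample HOSTS content. The description does not say which
# address the worm maps the sites to; the loopback/0.0.0.0 entries below are
# an assumption chosen for the demonstration.
SAMPLE_HOSTS = """\
# constructed sample, standing in for %SystemRoot%\\System32\\drivers\\etc\\hosts
127.0.0.1       localhost
192.168.1.10    intranet.example.corp   # legitimate local override
127.0.0.1       www.f-secure.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         ftp.sophos.com
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower()


def matching_site(host: str) -> Optional[str]:
    """Exact match first; otherwise the longest listed domain that host is a
    subdomain of (suffix matching goes beyond the description's exact list)."""
    if host in BLOCKED_SITES:
        return host
    suffixes = [s for s in BLOCKED_SITES if host.endswith("." + s)]
    return max(suffixes, key=len) if suffixes else None


def audit_hosts(text: str) -> list:
    """Return (hostname, ip, listed_site) for each mapping that overrides a
    vendor or update site. A clean Windows HOSTS file normally maps only
    localhost, so any hit here is worth a look."""
    hits = []
    for ip, host in parse_hosts(text):
        site = matching_site(host)
        if site is not None:
            hits.append((host, ip, site))
    return hits


if __name__ == "__main__":
    for host, ip, site in audit_hosts(SAMPLE_HOSTS):
        print(f"{host} -> {ip}  (matches listed site {site})")
```

Read the real file into audit_hosts to check a host; the function reports the mapping regardless of the target address, so it also catches entries that redirect a vendor site somewhere other than loopback.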

The worm checks the whole Registry and deletes all key values associated with the following files:

 mpfagent.exe
 mpfconsole.exe
 mpfservice.exe
 mpftray.exe
 mpfui.dll
 mpfupdchk.dll
 mpfwizard.exe
 mvtx.exe
 dunzip32.dll
 mcappins.exe
 mcinfo.exe
 mghtml.exe
 804mbd1.chk
 804mbd1.img
 appinit.ini
 ashldres.dll
 edisk.dll
 emscnres.dll
 ftscnres.dll
 imscnbin.inf
 imscnres.inf
 mcavtsub.dll
 mcmnhdlr.exe
 mcscan32.dll
 mcshield.exe
 mcurial.dll
 mcvsctl.dll
 mcvsescn.exe
 mcvsftsn.exe
 mcvsmap.exe
 mcvsrte.exe
 mcvsscrp.dll
 mcvsshl.dll
 mcvsshld.exe
 mcvsskt.dll
 mcvsworm.dll
 naiann.dll
 naievent.dll
 ntclient.dll
 outscan.dll
 outscres.dll
 patchw32.dll
 scan.dat
 scanserv.dll
 scrpres.dll
 scrpsbin.inf
 scrstres.inf
 shextbin.inf
 shextres.inf
 shlres.dll
 vsagntui.dll
 mcshield.dll
 vsoui.dll
 vsoupd.dll
 vsowow.dll
 wormres.dll
 alert.zap
 email.zap
 filter.zap
 firewall.zap
 framewrk.dll
 idlock.zap
 programs.zap
 security.zap
 tutorwiz.dll
 zatutor.exe
 zauninst.exe
 zav.zap
 zlclient.exe
 zl_priv.htm
 zonealarm.exe
 camupd.dll
 cerbprovider.pvx
 ssleay32.dll
 vsavpro.dll
 vsdb.dll
 vsmon.exe
 vsruledb.dll
 vsvault.dll
 zlparser.dll
 aboutplg.dll
 apwcmdnt.dll
 apwutil.dll
 avcompbr.dll
 avres.dll
 bootwarn.exe
 ccavmail.dll
 ccimscan.dll
 ccimscn.exe
 cfgwiz.exe
 cfgwzres.dll
 defalert.dll
 djsalert.dll
 ltchkres.dll
 n32call.dll
 n32exclu.dll
 navap32.dll
 navapscr.dll
 navapsvc.exe
 navapw32.dll
 navapw32.exe
 navcfgwz.dll
 navcomui.dll
 naverror.dll
 navevent.dll
 navlcom.dll
 navlnch.dll
 navlogv.dll
 navlucbk.dll
 navntutl.dll
 navoptrf.dll
 navopts.dll
 navprod.dll
 navshext.dll
 navstats.dll
 navstub.exe
 navtasks.dll
 navtskwz.dll
 navui.dll
 navui.nsi
 navuihtm.dll
 navw32.exe
 navwnt.exe
 netbrext.dll
 oeheur.dll
 officeav.dll
 opscan.exe
 patch25d.dll
 probegse.dll
 ptchinst.dll
 qconres.dll
 qconsole.exe
 qspak32.dll
 quar32.dll
 quarantine
 quaropts.dat
 s32integ.dll
 s32navo.dll
 savrt.sys
 savrt32.dll
 savrtpel.sys
 savscan.exe
 scandlvr.dll
 scandres.dll
 scanmgr.dll
 scriptui.dll
 sdpck32i.dll
 sdsnd32i.dll
 sdsok32i.dll
 sdstp32i.dll
 statushp.dll
 symnavo.dll
 ashavast.exe
 ashbug.exe
 ashchest.exe
 ashdisp.exe
 ashlogv.exe
 ashmaisv.exe
 ashpopwz.exe
 ashquick.exe
 ashserv.exe
 ashsimpl.exe
 ashskpcc.exe
 ashskpck.exe
 aswboot.exe
 aswregsvr.exe
 aswupdsv.exe
 sched.exe
 persfw.exe
 pfwadmin.exe


The worm also deletes all services associated with the files listed above.



Detection


Detection for this malware was published on November 2nd, 2004 in the following F-Secure Anti-Virus updates:
Detection Type: PC
Database: 2004-11-02_03



Technical Details: Alexey Podrezov, November 2nd, 2004

