Classification

Category :

Malware

Type :

-

Aliases :

Worm.Win32.Bagif, Win32/KME, W32/Bagif

Summary

Bagif is a polymorphic parasitic virus-worm that utilises EPO (entry point obscuring) techniques.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the infected file is run, it creates a file named NTLOADER.EXE in the Windows System folder and modifies the EXE file startup key in the System Registry:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@ = %winsysdir%\ntloader.exe "%1" %*"

The NTLOADER.EXE file acts as a virus dropper and is activated every time a user of an infected computer runs an EXE file.

Then the virus creates a file named WIN32S.EXE in the startup folder of the current computer user:

\Start Menu\Programs\Startup

On Windows 9x systems this folder is located in the main Windows folder. On Windows XP and 2000 it is located under the following path:

\Documents and Settings\%profile%\

On Windows NT it is located under the following path:

\WinNT\Profiles\%profile%\

%profile% is the current user's profile name. Copying the dropper to the Startup folder makes the virus dropper start every time Windows starts.

The virus's polymorphic engine is quite strong. It uses FPU and 386+ processor instructions and simple anti-emulation tricks. The virus unpacks itself in 2 steps. First it unpacks a part of its code into the stack area and passes control to it. That code locates the KERNEL32.DLL library and gets the addresses of 2 API functions from it. After that the virus allocates a chunk of memory and decrypts its main body into that area. Then control is passed to the main virus body.

The virus scans local hard disks and tries to infect EXE and SCR files. It cannot infect all executable files; it can only infect files with certain characteristics. Upon infection the virus appends itself to the first section of a file. This is not a typical infection technique.

The virus can infect files that use the ExitProcess function exported from the KERNEL32.DLL library. When infecting a file the virus looks for the ExitProcess function call in the file's startup code area and replaces it with a call to its own decryptor. So control is only passed to the virus code when an infected file exits. The virus does not modify the entry point address of an infected file, nor the beginning of the file's startup code, as many other viruses do. The technique that the Bagif virus uses to hide its entry point is called EPO (entry point obscuring), and it makes such viruses harder to detect.

The virus also avoids infecting files that start with the following strings:

EXPL UNRE HL

The virus also tries to spread to other computers over the local network. It enumerates shares and tries to locate remote folders with the following names:

WINDOWS WINNT WIN95 WIN98 WINME WIN2000 WIN2K WINXP

If such a folder is found, the virus copies its dropper there as TSOC32.EXE and modifies the WIN.INI file on the remote computer. The virus adds a startup string for the TSOC32.EXE file after the RUN= variable in the WIN.INI file. As a result, Windows 9x computers affected that way will be infected after their restart. Windows NT, 2000 and XP computers will not be affected unless the TSOC32.EXE file is started there manually.
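The two persistence mechanisms described above (the modified exefile\shell\open\command value and the RUN= line added to WIN.INI on shared Windows folders) can be checked offline from exported values. The following is an added example written for this description, not F-Secure's code; it assumes the clean default of the exefile command is "%1" %* and treats the WIN.INI load= line, which the description does not mention, as a sibling of run=. The sample values are constructed.

```python
import ntpath
import re
from typing import List, Optional

# On a clean system the exefile command data is just "%1" %*. Every EXE
# launch goes through this command, so any program prepended to the
# placeholders (ntloader.exe in Bagif's case) runs on every launch.
# The optional stray quote matches the value exactly as printed above.
_PLACEHOLDERS = re.compile(r'\s*"%1"\s*%\*"?\s*$')


def exefile_wrapper(value: str) -> Optional[str]:
    """Return the program wrapping EXE launches, or None if the value is clean."""
    body = _PLACEHOLDERS.sub('', value.strip())
    return body.strip('"') or None


def win_ini_run_entries(text: str) -> List[str]:
    """Return programs named on run=/load= lines of the [windows] section."""
    section = None
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'windows' or '=' not in line:
            continue
        key, _, val = line.partition('=')
        if key.strip().lower() in ('run', 'load'):
            # Several programs may be listed, separated by commas or spaces.
            entries.extend(p for p in re.split(r'[,\s]+', val.strip()) if p)
    return entries


def bagif_run_entries(text: str) -> List[str]:
    """Return startup entries whose file name is the dropper copied to shares."""
    return [e for e in win_ini_run_entries(text)
            if ntpath.basename(e).lower() == 'tsoc32.exe']


# Constructed samples (not real captures) so the block runs stand-alone.
SAMPLE_EXEFILE_COMMAND = r'%winsysdir%\ntloader.exe "%1" %*"'
SAMPLE_WIN_INI = """; constructed WIN.INI fragment
[windows]
load=
run=C:\\WINDOWS\\TSOC32.EXE
[fonts]
run=not_a_startup_entry.exe
"""

if __name__ == '__main__':
    print('exefile wrapper:', exefile_wrapper(SAMPLE_EXEFILE_COMMAND))
    print('dropper entries:', bagif_run_entries(SAMPLE_WIN_INI))
```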

The virus has the following text string in its body:

HI CHUNK OF SH*T !
IT'S ME
SUPRA VIRUS
BY GRIFIN
I HATE SCHOOL & USA
KILL 'EM ALL