Threat Description

Bagz.G

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: I-Worm.Bagz.g, W32/Bagz.G@mm, Bagz.g

Summary


Bagz.G worm variant was found on November 2nd, 2004. The first report from the field was received from Japan. The worm spreads itself in e-mails with various subject and body texts. The attachment is either an executable file or a ZIP archive. Additionally the worm drops a Growom proxy trojan variant.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Installation to system

Bagz.G worm spreads in e-mails inside a dropper. When the dropper's file is run, it drops 2 files in Windows System folder:

  sysinfo32.exe
trace32.exe
 

The 'sysinfo32.exe' is a Growom proxy trojan variant. The 'trace32.exe' file is the main component of the worm. It attempts to start as a service. After being started, this component creates another file in Windows System folder:

  sqlssl.doc  [lots of spaces]
.exe
 

This file is the copy of the worm's dropper (can be different in size) that will be used for spreading.

Spreading in e-mails

Before spreading the worm looks for victims' e-mail addresses. To collect addresses the worm scans files with the following extensions:

.TBB
.tbb
.TBI
.tbi
.DBX
.dbx
.HTM
.htm
.TXT
.txt   

The worm ignores e-mail addresses if they contain any of the following substrings:

  @avp  @foo  @iana  @messagelab  @microsoft  abuse  admin  administrator@  all@  anyone@  bsd  bugs@  cafee  certific  certs@  contact@  contract@  f-secur  feste  free-av  gold-  gold-certs@  google  help@  hostmaster@  icrosoft  info@  kasp  linux  listserv  local  netadmin@  news  nobody@  noone@  noreply  ntivi  panda  postmaster@  rating@  root@  samples  sopho  spam  support  support@  unix  update  webmaster@  winrar  winzip   

The worm uses its own SMTP engine to send e-mails. The subject of an infected e-mail is selected from the following variants:

  Allert!  re: order  re: please  re: Andrey  Vasia  text  Warning  Administrator  best regards  waiting  attach  attachments  Amirecans  Russian's  Hello  Have a nice day  office  Money  contract  toxic  urgent  Read this  please responce  ASAP   

The body of an infected e-mail is selected from the following variants:

  Hi  Did you get the previous document I attached for you?  I resent it in this email just in case, because I  really need you to check it out asap.  Best Regards   

--- or ---

  Hi  I made a mistake and forgot to click attach  on the previous email I sent you. Please give me  your opinion on this opportunity when you get a chance.  Best Regards   

--- or ---

  Hi  I was supposed to send you this document yesterday.  Sorry for the delay, please forward this to your family if possible.  It contains important info for both of you.   

--- or ---

  Hi  Sorry, I forgot to send an important  document to you in that last email. I had an important phone call.  Please checkout attached doc file when you have a moment.  Best Regards   

--- or ---

  Hi  I was in a rush and I forgot to attach an important  document. Please see attached doc file.  Best Regards,   

--- or ---

  Sorry to bother you, but I am having a problem receiving your emails.  I am responding to your last email in the attached file.  Please get back to me if there is any problem reading the attachment.   

--- or ---

  I am responding to your last email in the attached file.  I had a delivery problem with your inbox, so maybe you'll receive this now.   

--- or ---

  Can you please check out the email I have attached?  For some reason, I received only part of your last several emails.  I want to make sure that there are no problems with either of our accounts.   

--- or ---

  This email is being sent as attachment because  it was previously blocked by your email filters.  Please view the attachment and respond.  Thanks   

--- or ---

  I resent this email as attachment because  it was previously blocked by your email filters.  Please read the attachment and respond.  Thanks   

--- or ---

  I apologize, but I need you to verify  that I have the correct contact info for you.  My system crashed last weekend and  I lost most of my friends and work contacts.  Please check the attached (.pdf) and  please let me know if your info is current.   

--- or ---

  My last email to you was returned.  The reason is that I am not currently  added to your allowed contact list.  Please add my updated contact info  provided in the attached (.pdf) file  so I can send you emails in the future.  Sincerely   

--- or ---

  I have updated my email address  See the (.pdf) file attached and  please respond if you have any questions.   

--- or ---

  We have made recent updates to our database.  Please verify your mailing address on file is correct.  We have attached a (.pdf) sheet for you to use for your response.   

--- or ---

  Hello  Our contact information has changed.  See the attached (.pdf) sheet for details.  Sincerely,   

--- or ---

  ***URGENT: SERVICE SHUTDOWN NOTICE***  Due to your failure to comply with our email  Rules and Regulations, your email account has been  temporarily suspended for 24 hours unless we are contacted regarding  this situation.  You must read the attached document for further  instructions. Failure to comply will result in termination of your account.  Regards,  Net Operator  ***URGENT: SERVICE SHUTDOWN NOTICE***   

--- or ---

  ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***  You are currently unable to send emails.  This may be a billing issue.  Please call the billing center.  The # for the billing office is located in the attached  contact list for your convenience.  ***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***   

--- or ---

  ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***  Hello,  The previous email you sent has been recognized as spam.  This means your email was not delivered to your friend or client.  You must open the attached file to receive more information.  ***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***   

--- or ---

  Hello,  What version of windows you are using?  This last document I received from you came out weird.  Please see the attached word file and resend the file to me.  Many thanks,  User   

--- or ---

  Hello,  My PC crashed while I was sending that last email.  I have re-attached the document of yours that I discovered.  Please read attached document and respond ASAP.  Sincerely,  User   

--- or ---

  Hello,  Your email was sent in an INVALID format.  To verify this email was sent from you,  simply open the attached email (.eml) file  and click yes in the sender options box.  Thank You,  User   

--- or ---

  Hello,   Your email was received.  YOUR REPLY IS URGENT!  Please view the attached text file for instructions.  Regards,  User   

--- or ---

  Hello,    I was in a hurry and I forgot to attach an important    document. Please see attached.   Best Regards,  User   

--- or ---

  Hello,   I resent this email as attachment because   it was previously blocked by your email filters.   Please read the attachment and respond.  Thanks,User   

--- or ---

  Hello,  Sorry, I forgot to attach the new contact information.  Please view the attached (.pdf) contact sheet.  Sincerely, User   

The worm attaches its body to e-mail messages that it sends out. The infected attachment name is selected from the following variants:

  docs.zip
documentation.zip
ataches.zip
zip.zip
rar.zip
save.zip
outbox.zip
inbox.zip
manual.zip
archives.zip
payment.zip
photos.zip
help.zip
readme.zip
about.zip
archivator.zip
admin.zip
backup.zip
docs.doc  [lots of spaces]
.exe
documentation.doc  [lots of spaces]
.exe
ataches.doc  [lots of spaces]
.exe
zip.doc  [lots of spaces]
.exe
rar.doc  [lots of spaces]
.exe
save.doc  [lots of spaces]
.exe
outbox.doc  [lots of spaces]
.exe
inbox.doc  [lots of spaces]
.exe
manual.doc  [lots of spaces]
.exe
archives.doc  [lots of spaces]
.exe
payment.doc  [lots of spaces]
.exe
photos.doc  [lots of spaces]
.exe
help.doc  [lots of spaces]
.exe
readme.doc  [lots of spaces]
.exe
about.doc  [lots of spaces]
.exe
archivator.doc  [lots of spaces]
.exe
admin.doc  [lots of spaces]
.exe
backup.doc  [lots of spaces]
.exe
 

When the worm sends itself in a ZIP archive, the worm's file is stored in that archive in a non-compressed format.

Payload

The worm overwrites the HOSTS file to block access from an infected computer to the following sites:

  ad.doubleclick.net  ad.fastclick.net  ads.fastclick.net  ar.atwola.com  atdmt.com  avp.ch  avp.com  avp.ru  awaps.net  banner.fastclick.net  banners.fastclick.net  ca.com  click.atdmt.com  clicks.atdmt.com  dispatch.mcafee.com  download.mcafee.com  download.microsoft.com  downloads.microsoft.com  engine.awaps.net  fastclick.net  f-secure.com  ftp.f-secure.com  ftp.sophos.com  go.microsoft.com  liveupdate.symantec.com  mast.mcafee.com  mcafee.com  media.fastclick.net  msdn.microsoft.com  my-etrust.com  nai.com  networkassociates.com  office.microsoft.com  phx.corporate-ir.net  secure.nai.com  securityresponse.symantec.com  service1.symantec.com  sophos.com  spd.atdmt.com  support.microsoft.com  symantec.com  update.symantec.com  updates.symantec.com  us.mcafee.com  vil.nai.com  viruslist.ru  windowsupdate.microsoft.com  www.avp.ch  www.avp.com  www.avp.ru  www.awaps.net  www.ca.com  www.fastclick.net  www.f-secure.com  www.kaspersky.ru  www.mcafee.com  www.my-etrust.com  www.nai.com  www.networkassociates.com  www.sophos.com  www.symantec.com  www.trendmicro.com  www.viruslist.ru  www3.ca.com   

The worm checks the whole Registry and deletes all key values associated with the following files:

mpfagent.exe
mpfconsole.exe
mpfservice.exe
mpftray.exe
mpfui.dll
mpfupdchk.dll
mpfwizard.exe
mvtx.exe
dunzip32.dll
mcappins.exe
mcinfo.exe
mghtml.exe
804mbd1.chk  804mbd1.img  appinit.ini  ashldres.dll
edisk.dll
emscnres.dll
ftscnres.dll
imscnbin.inf  imscnres.inf  mcavtsub.dll
mcmnhdlr.exe
mcscan32.dll
mcshield.exe
mcurial.dll
mcvsctl.dll
mcvsescn.exe
mcvsftsn.exe
mcvsmap.exe
mcvsrte.exe
mcvsscrp.dll
mcvsshl.dll
mcvsshld.exe
mcvsskt.dll
mcvsworm.dll
naiann.dll
naievent.dll
ntclient.dll
outscan.dll
outscres.dll
patchw32.dll
scan.dat  scanserv.dll
scrpres.dll
scrpsbin.inf  scrstres.inf  shextbin.inf  shextres.inf  shlres.dll
vsagntui.dll
mcshield.dll
vsoui.dll
vsoupd.dll
vsowow.dll
wormres.dll
alert.zap  email.zap  filter.zap  firewall.zap  framewrk.dll
idlock.zap  programs.zap  security.zap  tutorwiz.dll
zatutor.exe
zauninst.exe
zav.zap  zlclient.exe
zl_priv.htm  zonealarm.exe
camupd.dll
cerbprovider.pvx  ssleay32.dll
vsavpro.dll
vsdb.dll
vsmon.exe
vsruledb.dll
vsvault.dll
zlparser.dll
aboutplg.dll
apwcmdnt.dll
apwutil.dll
avcompbr.dll
avres.dll
bootwarn.exe
ccavmail.dll
ccimscan.dll
ccimscn.exe
cfgwiz.exe
cfgwzres.dll
defalert.dll
djsalert.dll
ltchkres.dll
n32call.dll
n32exclu.dll
navap32.dll
navapscr.dll
navapsvc.exe
navapw32.dll
navapw32.exe
navcfgwz.dll
navcomui.dll
naverror.dll
navevent.dll
navlcom.dll
navlnch.dll
navlogv.dll
navlucbk.dll
navntutl.dll
navoptrf.dll
navopts.dll
navprod.dll
navshext.dll
navstats.dll
navstub.exe
navtasks.dll
navtskwz.dll
navui.dll
navui.nsi  navuihtm.dll
navw32.exe
navwnt.exe
netbrext.dll
oeheur.dll
officeav.dll
opscan.exe
patch25d.dll
probegse.dll
ptchinst.dll
qconres.dll
qconsole.exe
qspak32.dll
quar32.dll
quarantine  quaropts.dat  s32integ.dll
s32navo.dll
savrt.sys  savrt32.dll
savrtpel.sys  savscan.exe
scandlvr.dll
scandres.dll
scanmgr.dll
scriptui.dll
sdpck32i.dll
sdsnd32i.dll
sdsok32i.dll
sdstp32i.dll
statushp.dll
symnavo.dll
ashavast.exe
ashbug.exe
ashchest.exe
ashdisp.exe
ashlogv.exe
ashmaisv.exe
ashpopwz.exe
ashquick.exe
ashserv.exe
ashsimpl.exe
ashskpcc.exe
ashskpck.exe
aswboot.exe
aswregsvr.exe
aswupdsv.exe
sched.exe
persfw.exe
pfwadmin.exe
 

Also the worm deletes all services that are associated with the files listed above.



Detection


Detection for this malware was published on November 2nd, 2004 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2004-11-02_03



Technical Details:Alexey Podrezov, November 2nd, 2004


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More