Virus Profile: W32/Bagle.p@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 3/15/2004
Date Added: 3/15/2004
Origin: Unknown
Length: Varies
Approx +45kB for infected files
Type: Virus
Subtype: E-mail worm
DAT Required: 4338
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described
  • Increase in filesize of .EXE files by approx. 45Kb
  • The worm opens TCP port 2556 on the victim machine
  • Methods of Infection

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .wab
    • .txt
    • .msg
    • .htm
    • .shtm
    • .stm
    • .xml
    • .dbx
    • .mbx
    • .mdx
    • .eml
    • .nch
    • .mmf
    • .ods
    • .cfg
    • .asp
    • .php
    • .pl
    • .wsh
    • .adb
    • .tbb
    • .sht
    • .xls
    • .oft
    • .uin
    • .cgi
    • .mht
    • .dhtm
    • .jsp

    The virus avoids sending itself to addresses containing the following strings:

    • @hotmail.com
    • @msn
    • @microsoft
    • anyone@
    • bugs@
    • contract@
    • feste
    • gold-certs@
    • help@
    • info@
    • nobody@
    • noone@
    • rating@
    • kasp
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • samples
    • sopho
    • @foo
    • @iana
    • free-av
    • @messagelab
    • winzip
    • google
    • winrar
    • abuse
    • panda
    • cafee
    • spam
    • pgp
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@
    • f-secur

    Peer-to-Peer propagation

    Files are created in folders that contain the phrase shar :

    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe

    Aliases

    PE_BAGLE.P (Trend), W32.Beagle.N@mm (NAV), W32/Bagle-O (Sophos), W32/Bagle.p (parasitically infected files)
       

    Virus Characteristics

    -- Update 13th April, 2004--
    This threat has been downgraded to Low-Profiled risk due to a decrease in prevalence.

    -- Update 15th March, 2004--
    This threat has been upgraded to Medium risk due to prevalence

    -- Update 15th March, 2004--
    This threat is considered to be a Low-Profiled risk due to media attention at:
    https://news.com.com/2100%2D7355%2D5173129.html

    If you think that you may be infected with Bagle.p, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

    Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

    This Bagle variant is bears the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • contains a remote access component (notification is sent to hacker)
    • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
    • encrypted polymorphic parasitic file infector

    Proactive Detection

    This virus is detected as a trojan or variant New Malware.b when scanning with the 4335 DATs or greater, with program heuristics and the scanning of compressed files enabled.

    Parasitically infected files, are detected as virus or variant W32/Bagle.n with the 4337 DATs or greater.

    Mail Propagation

    The message-bodies are constructed very similarly to those for its predecessor, using several parts, to effectively customize the email, to make it appear to be a legitimate warning notification. The details are as follows:

    From : (the address may be spoofed, using the recipient's domain name and a user name taken from the following list, or another address found on the local system)

    • management@
    • administration@
    • staff@
    • noreply@
    • support@ 
    • antivirus@
    • antispam@

    Subject:

    • Password: %s
    • Pass - %s
    • Password - %s
    • E-mail account security warning.
    • Notify about using the e-mail account.
    • Warning about your e-mail account.
    • Important notify about your e-mail account.
    • Email account utilization warning.
    • E-mail technical support message.
    • E-mail technical support warning.
    • Email report
    • Important notify
    • Account notify
    • E-mail warning
    • Notify from e-mail technical support.
    • Notify about your e-mail account utilization.
    • E-mail account disabling warning.
    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • Re: Incoming Fax
    • Hidden message
    • Fax Message Received
    • Protected message
    • RE: Protected message
    • Forum notify
    • Request response
    • Site changes
    • Re: Hi
    • Encrypted document

    Body text:

    Greeting -

    • Dear user of %s ,
    • Dear user of %s e-mail server gateway,
    • Dear user of "%s " mailing server,
    • Dear user of "%s " mailing domain,
    • Dear user of "%s " domain,
    • Dear user of e-mail server "%s ",
    • Hello user of %s e-mail server,
    • Dear user of "%s " mailing system,
    • Dear user, the management of %s

    (Where %s is the user's domain is chosen from the To: address. For example the user's domain for user@mail.com  would be "mail.com")

    Main body -

    • mailing system wants to let you know that, Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days,
      to continue receiving mail in these days you have to configure our free
      auto-forwarding service.
    • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your
      account information.
    • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
    • Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
    • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
    • Read the attach.
    • Your file is attached.
    • More info in attach
    • See attach.
    • Follow the wabbit.
    • Find the white rabbit.
    • Please, have a look at the attached file.
    • See the attached file for details.
    • Message is in attach
    • Here is the file.
    • For more information see the attached file.
    • Further details can be obtained from attached file.
    • Advanced details can be found in attached file.
    • For details see the attach.
    • For details see the attached file.
    • For further details see the attach.
    • Please, read the attach for further details.
    • Pay attention on attached file.

    Password Information -

    • For security reasons attached file is password protected. The password is (attached image inserted)
    • For security purposes the attached file is password protected. Password -- (attached image inserted)
    • Note: Use password (attached image inserted) to open archive.
    • Attached file is protected with the password for security reasons. Password is (attached image inserted)
    • In order to read the attach you have to use the following password: (attached image inserted)
    • Archive password: (attached image inserted)
    • Password - (attached image inserted)
    • Password: (attached image inserted)

    Closing -

    • The Management,
    • Sincerely,
    • Best wishes,
    • Yours,
    • Have a good day,
    • Cheers,
    • Kind regards,

    The %s team (where %s is the user's domain name containing a link)

    Attachment The attachment is a randomly named executable, which may be stored within a ZIP or RAR file (password protected), or simply as a .PIF file. The filename may be:

    • Attach
    • Information
    • Details
    • Encrypted
    • first_part
    • Readme
    • Document
    • Info
    • TextDocument
    • Text
    • details
    • Gift
    • text_document
    • pub_document
    • MoreInfo
    • Message

    The virus copies itself into the Windows System directory as using the following names For example:

    • C:\WINNT\SYSTEM32\WINUPD.EXE
    • C:\WINNT\SYSTEM32\winupd.exeopen
    • C:\WINNT\SYSTEM32\winupd.exeopenopen

    The following Registry key is added to hook system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "winupd.exe" = C:\WINNT\SYSTEM32\winupd.exe

    The worm uses the following icon to disguise itself:

    This worm attempts to terminate the process of programs with the the following filenames:

    • CLEANER3.EXE
    • au.exe
    • d3dupdate.exe
    • CLEANPC.EXE
    • AVprotect9x.exe
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CPF9X206.EXE
    • CPFNT206.EXE
    • CV.EXE
    • CWNB181.EXE
    • CWNTDWMO.EXE
    • ICSSUPPNT.EXE
    • DEFWATCH.EXE
    • DEPUTY.EXE
    • DPF.EXE
    • DPFSETUP.EXE
    • DRWATSON.EXE
    • ENT.EXE
    • ESCANH95.EXE
    • AVXQUAR.EXE
    • ESCANHNT.EXE
    • ESCANV95.EXE
    • AVPUPD.EXE
    • EXANTIVIRUS-CNET.EXE
    • FAST.EXE
    • FIREWALL.EXE
    • FLOWPROTECTOR.EXE
    • FP-WIN_TRIAL.EXE
    • FRW.EXE
    • FSAV.EXE
    • AUTODOWN.EXE
    • FSAV530STBYB.EXE
    • FSAV530WTBYB.EXE
    • FSAV95.EXE
    • GBMENU.EXE
    • GBPOLL.EXE
    • GUARD.EXE
    • GUARDDOG.EXE
    • HACKTRACERSETUP.EXE
    • HTLOG.EXE
    • HWPE.EXE
    • IAMAPP.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFW2000.EXE
    • IPARMOR.EXE
    • IRIS.EXE
    • JAMMER.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • BORG2.EXE
    • BS120.EXE
    • CDP.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • AUTOUPDATE.EXE
    • CFINET.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • AUTOTRACE.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NETARMOR.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSTAT.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • NSCHED32.EXE
    • NTVDM.EXE
    • NVARCH16.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KILLPROCESSSETUP161.EXE
    • LDPRO.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • LSETUP.EXE
    • OUTPOST.EXE
    • CFIAUDIT.EXE
    • LUCOMSERVER.EXE
    • AGENTSVR.EXE
    • ANTI-TROJAN.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • APVXDWIN.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATWATCH.EXE
    • AVCONSOL.EXE
    • AVGSERV9.EXE
    • AVSYNMGR.EXE
    • BD_PROFESSIONAL.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • BOOTWARN.EXE
    • NWINST4.EXE
    • NWTOOL16.EXE
    • OSTRONET.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • PAVPROXY.EXE
    • DRWEBUPW.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • PDSETUP.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PF2.EXE
    • AVLTMAIN.EXE
    • PFWADMIN.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PROCEXPLORERV1.0.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • AVWUPD32.EXE
    • NUPGRADE.EXE
    • WHOSWATCHINGME.EXE
    • WINRECON.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WRCTRL.EXE
    • WSBGATE.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • CFINET32.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • CLEANPC.EXE
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CPD.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • PURGE.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • RAV8WIN32ENG.EXE
    • REGEDT32.EXE
    • REGEDIT.EXE
    • UPDATE.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • SAFEWEB.EXE
    • SBSERV.EXE
    • SD.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SMC.EXE
    • SOFI.EXE
    • SPF.EXE
    • SPHINX.EXE
    • SPYXX.EXE
    • SS3EDIT.EXE
    • ST2.EXE
    • SUPFTRL.EXE
    • LUALL.EXE
    • SUPPORTER5.EXE
    • SYMPROXYSVC.EXE
    • SYSEDIT.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TAUSCAN.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TDS-3.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TRACERT.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • UNDOBOOT.EXE
    • VBCMSERV.EXE
    • VBCONS.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VFSETUP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCENU6.02D30.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WEBSCANX.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • ICSUPP95.EXE
    • MCUPDATE.EXE
    • CFINET32.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • LUINIT.EXE
    • MCAGENT.EXE
    • MCUPDATE.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MOOLIVE.EXE
    • MRFLUX.EXE
    • MSCONFIG.EXE
    • MSINFO32.EXE
    • MSSMMC32.EXE
    • MU0311AD.EXE
    • NAV80TRY.EXE
    • ZAUINST.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE

    Parasitic File Infection

    The worm searches the local drives for *.EXE files and appends them with its own encrypted code. The infected file sizes increases by approximately 45KB. The date stamp for these files are updated as well.

    After Dec 31, 2005, the worm deactivates itself by deleting its registry run key.

       

    All Users
    Use specified
    engine and DAT files (or later) for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Stinger
    Stinger has been updated to assist in detecting and repairing this threat.

    McAfee Threatscan
    ThreatScan signatures that can detect the W32/Bagle.p@MM virus are available from:

    ThreatScan Signature version: 2004-03-15

    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

    • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

    -or-

    • Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:

    Run the "ThreatScan Template Report"
    Look for module number #4071

    McAfee Desktop Firewall
    To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2556.

    Sniffer® Technologies
    Since this is a mass mailing virus only and does not have any remote component; due to changing offset for subject mail from and the attachments for the emails mentioned in the virus, we cannot create a Sniffer filter for this virus.
    Recommendation for customers:

    1) Create a capture profile with Capture on only SMTP traffic.
    2) Analyze the traffic for Subject, Mail To, and Attachments in the Decode mentioned in
    this description to identify if there is a virus propagating from specific IP's.

       

    PC Infected? Get Expert Help

    McAfee
    Virus Removal Service

    Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

    $89.95