Virus Profile: W32/Bagle.z@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 4/26/2004
Date Added: 4/26/2004
Origin: N/A
Length: Various (Appended garbage)
Type: Virus
Subtype: E-mail worm
DAT Required: 4353

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Port 2535 (TCP) open on the victim machine
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Methods of Infection

    Mail Propagation

    This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

    • .adb
    • .asp
    • .cfg
    • .cgi
    • .dbx
    • .dhtm
    • .eml
    • .htm
    • .jsp
    • .mbx
    • .mdx
    • .mht
    • .mmf
    • .msg
    • .nch
    • .ods
    • .oft
    • .php
    • .pl
    • .sht
    • .stm
    • .tbb
    • .shtm
    • .txt
    • .uin
    • .wab
    • .wsh
    • .xls
    • .xml
     

    The virus spoofs the sender address by using a harvested address in the From: field.

    The virus avoids sending itself to addresses containing the following:

    • @hotmail
    • @msn
    • @microsoft
    • rating@
    • f-secur
    • news
    • update
    • anyone@
    • bugs@
    • contract@
    • feste
    • gold-certs@
    • help@
    • info@
    • nobody@
    • noone@
    • kasp
    • admin
    • icrosoft
    • support
    • ntivi
    • unix
    • bsd
    • linux
    • listserv
    • certific
    • sopho
    • @foo
    • @iana
    • free-av
    • @messagelab
    • winzip
    • google
    • winrar
    • samples
    • abuse
    • panda
    • cafee
    • spam
    • pgp
    • @avp.
    • noreply
    • local
    • root@
    • postmaster@

    Peer To Peer Propagation

    The following files are created in folders whose names contain the phrase shar:

    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe

    Remote Access Component

    The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands by contacting various websites and requesting a PHP script on each of them. At the time of this writing this script does not exist on any of these sites.


    Aliases

    I-Worm/Bagle.AA (GRISoft), W32/Bagle.Y@mm (F-PROT)
       

    Virus Characteristics

    -- Update 26th April 11:50 a.m. PST --
    The EXTRA.DAT packages have been updated for enhanced detection.
    --

    -- Update 26th April 09:37 PST --
    Due to increased prevalence, this threat has had its risk assessment raised to medium.
    --

    This is a new variant of W32/Bagle@MM. It is packed using UPX. It is not polymorphic, but a static MD5 is not suitable for identification because garbage is always appended to the file.

    If you think that you may be infected with this threat and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

    Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

    This is a mass-mailing worm with the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • the attachment can be a password-protected ZIP file, with the password included in the message body
    • contains a remote access component (a notification is sent to the hacker)
    • copies itself to folders that have the phrase shar in the name (such as those of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)

    When executed it will display a false message as follows:

    Mail Propagation

    The details are as follows:

    From: (address is spoofed)

    At times the From: address uses one of the following strings:

    • lizie@
    • annie@
    • ann@
    • christina@
    • secretGurl@
    • jessie@
    • christy@

    Subject:

    • Hello!
    • Hey!
    • Let's socialize, my friend!
    • Let's talk, my friend!
    • I'm bored with this life
    • Notify from a known person ;-)
    • I like you
    • I just need a friend
    • I'm a sad girl...
    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • Re: Incoming Fax
    • Hidden message
    • Fax Message Received
    • Protected message
    • RE: Protected message
    • Forum notify
    • Request response
    • Site changes
    • Re: Hi
    • Encrypted document

    Body Text:

    • Uses various constructed strings

    Attachment: May be one of the following:

    • Script dropper - using one of the following file extensions:
      • HTA
      • VBS
    • Password-protected ZIP archive (detected as W32/Bagle.gen!pwdzip)
    • Executable, using one of the following file extensions:
      • exe
      • scr
      • com
      • cpl
    • Executable dropper (a CPL file with the .cpl file extension)
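The message characteristics above (spoofed From: local parts, the subject lines, and the script, executable, CPL or ZIP attachment types) can be turned into a gateway-side check. This is an added example, not McAfee's code: the subject set is a subset of the list above, the quarantine rule (attachment type plus a matching header) is an assumption, and both sample messages are constructed.

```python
"""Gateway-side check for the message characteristics listed above: a listed
From: local part, a listed Subject, and a script/executable/CPL/ZIP attachment.
Added example, not McAfee's code; the two sample messages are constructed."""
import email
from email import policy

# Subject lines and From: local parts quoted in the profile (a subset).
SUBJECTS = {
    "Hello!", "Hey!", "Let's talk, my friend!", "Re: Msg reply", "Re: Hello",
    "Incoming message", "Protected message", "Fax Message Received",
    "Encrypted document", "Re: Hi",
}
FROM_LOCALPARTS = {"lizie", "annie", "ann", "christina", "secretgurl",
                   "jessie", "christy"}
# Attachment types the profile lists: HTA/VBS droppers, executables, CPL, ZIP.
ATTACH_EXTS = {"hta", "vbs", "exe", "scr", "com", "cpl", "zip"}


def message_indicators(raw: bytes) -> list[str]:
    """Indicators matched by one raw RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    sender = (msg["From"] or "").lower()
    if sender.split("<")[-1].split("@")[0].strip() in FROM_LOCALPARTS:
        hits.append("from")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.rsplit(".", 1)[-1] in ATTACH_EXTS:
            hits.append("attachment:" + name)
    return hits


def is_suspect(raw: bytes) -> bool:
    """Flag only when a listed attachment type co-occurs with a listed header,
    so an ordinary 'Re: Hello' without an attachment is not quarantined."""
    hits = message_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and (
        "subject" in hits or "from" in hits)


# Constructed samples: a Bagle-style message with a placeholder ZIP, and a
# benign reply that shares a listed subject but carries no attachment.
SUSPECT = (b"From: annie@example.test\r\nTo: user@example.test\r\n"
           b"Subject: Protected message\r\nMIME-Version: 1.0\r\n"
           b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
           b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
           b'--b1\r\nContent-Type: application/zip; name="Msg.zip"\r\n'
           b'Content-Disposition: attachment; filename="Msg.zip"\r\n'
           b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBA==\r\n--b1--\r\n")
BENIGN = (b"From: bob@example.test\r\nSubject: Re: Hello\r\n"
          b"Content-Type: text/plain\r\n\r\nJust saying hi.\r\n")
```

Matching on headers alone would quarantine every genuine "Re: Hello", which is why the rule insists on one of the listed attachment types as well.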

    The executable uses the following icon:

    The CPL file uses the following icon:

    The virus copies itself into the Windows System directory as drvsys.exe. For example:

    • C:\WINNT\SYSTEM32\drvsys.exe

    It also creates other files in this directory to perform its functions:

    • drvsys.exeopen (Copy of the worm)
    • drvsys.exeopenopen (Copy of the worm)

    The following Registry key is added to hook system startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "drvsys.exe" = C:\WINNT\SYSTEM32\drvsys.exe

    This worm attempts to terminate the processes of security programs with the following filenames:

    • AGENTSVR.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • APVXDWIN.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVCONSOL.EXE
    • AVGSERV9.EXE
    • AVLTMAIN.EXE
    • AVPUPD.EXE
    • AVSYNMGR.EXE
    • AVWUPD32.EXE
    • AVXQUAR.EXE
    • AVprotect9x.exe
    • BD_PROFESSIONAL.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • BOOTWARN.EXE
    • BORG2.EXE
    • BS120.EXE
    • CDP.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • CLEANPC.EXE
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CPD.EXE
    • CPF9X206.EXE
    • CPFNT206.EXE
    • CV.EXE
    • CWNB181.EXE
    • CWNTDWMO.EXE
    • DEFWATCH.EXE
    • DEPUTY.EXE
    • DPF.EXE
    • DPFSETUP.EXE
    • DRWATSON.EXE
    • DRWEBUPW.EXE
    • ENT.EXE
    • ESCANH95.EXE
    • ESCANHNT.EXE
    • ESCANV95.EXE
    • EXANTIVIRUS-CNET.EXE
    • FAST.EXE
    • FIREWALL.EXE
    • FLOWPROTECTOR.EXE
    • FP-WIN_TRIAL.EXE
    • FRW.EXE
    • FSAV.EXE
    • FSAV530STBYB.EXE
    • FSAV530WTBYB.EXE
    • FSAV95.EXE
    • GBMENU.EXE
    • GBPOLL.EXE
    • GUARD.EXE
    • GUARDDOG.EXE
    • HACKTRACERSETUP.EXE
    • HTLOG.EXE
    • HWPE.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFW2000.EXE
    • IPARMOR.EXE
    • IRIS.EXE
    • JAMMER.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KILLPROCESSSETUP161.EXE
    • LDPRO.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • LSETUP.EXE
    • LUALL.EXE
    • LUCOMSERVER.EXE
    • LUINIT.EXE
    • MCAGENT.EXE
    • MCUPDATE.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MOOLIVE.EXE
    • MRFLUX.EXE
    • MSCONFIG.EXE
    • MSINFO32.EXE
    • MSSMMC32.EXE
    • MU0311AD.EXE
    • NAV80TRY.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NETARMOR.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSTAT.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • NSCHED32.EXE
    • NTVDM.EXE
    • NUPGRADE.EXE
    • NVARCH16.EXE
    • NWINST4.EXE
    • NWTOOL16.EXE
    • OSTRONET.EXE
    • OUTPOST.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • PAVPROXY.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • PDSETUP.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PF2.EXE
    • PFWADMIN.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PROCEXPLORERV1.0.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • PURGE.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • RAV8WIN32ENG.EXE
    • REGEDIT.EXE
    • REGEDT32.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • SAFEWEB.EXE
    • SBSERV.EXE
    • SD.EXE
    • SETUPVAMEEVAL.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SMC.EXE
    • SOFI.EXE
    • SPF.EXE
    • SPHINX.EXE
    • SPYXX.EXE
    • SS3EDIT.EXE
    • ST2.EXE
    • SUPFTRL.EXE
    • SUPPORTER5.EXE
    • SYMPROXYSVC.EXE
    • SYSEDIT.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TAUSCAN.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS-3.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TRACERT.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • UNDOBOOT.EXE
    • UPDATE.EXE
    • VBCMSERV.EXE
    • VBCONS.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VFSETUP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCENU6.02D30.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WEBSCANX.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • WINRECON.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WRCTRL.EXE
    • WSBGATE.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZAUINST.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE

    The worm opens port 2535 (TCP) on the victim machine.
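The host-side indications of infection given in this profile (a listener on TCP 2535, the drvsys.exe value under the Run key, and the drvsys.exe* copies in the System directory) can be checked against tool output collected from a machine. This is an added example, not McAfee's code: it parses constructed samples shaped like `netstat -an`, `reg query` and `dir /b` output rather than querying a live system.

```python
"""Host-side check for the indications of infection listed above: a listener on
TCP 2535, the "drvsys.exe" Run-key value, and the drvsys.exe* files in the
System directory. Added example, not McAfee's code; all samples are constructed."""
import re

# Constructed `netstat -an` output from an infected host (listener on 2535).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2535           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       192.168.1.1:25         ESTABLISHED
"""
# Constructed `reg query HKCU\...\Run` output.
REG_SAMPLE = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    drvsys.exe    REG_SZ    C:\\WINNT\\SYSTEM32\\drvsys.exe
    ctfmon.exe    REG_SZ    C:\\WINNT\\SYSTEM32\\ctfmon.exe
"""
# Constructed `dir /b` listing of the System directory.
SYSTEM_DIR_SAMPLE = ["kernel32.dll", "drvsys.exe", "drvsys.exeopen",
                     "drvsys.exeopenopen", "ntdll.dll"]
BAGLE_PORT = 2535
BAGLE_FILES = {"drvsys.exe", "drvsys.exeopen", "drvsys.exeopenopen"}


def listening_ports(netstat_text: str) -> set[int]:
    """Local TCP ports in LISTENING state, parsed from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def run_key_values(reg_text: str) -> dict[str, str]:
    """Value name (lower-cased) -> data for each REG_SZ line of a `reg query` dump."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_SZ\s+(.+?)\s*$", line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values


def host_indicators(netstat_text, reg_text, system_dir_files):
    """Indicators present on the host, in a fixed order; empty list = none found."""
    found = []
    if BAGLE_PORT in listening_ports(netstat_text):
        found.append("tcp/2535 listening")
    data = run_key_values(reg_text).get("drvsys.exe", "")
    if data.lower().endswith("\\drvsys.exe"):
        found.append("Run key drvsys.exe -> " + data)
    for name in sorted(BAGLE_FILES & {f.lower() for f in system_dir_files}):
        found.append("file " + name)
    return found
```

Because the worm terminates NETSTAT.EXE and REGEDIT.EXE on the infected host, collect this output from Safe Mode or from a clean system reading the disk, as the manual removal steps below also advise.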

       

    All Users:
    Use the specified DAT files for detection and removal.

    Additional Windows ME/XP removal considerations

    Stinger
    Stinger has been updated to assist in detecting and repairing this threat.

    Manual Removal Instructions
    To remove this virus "by hand", follow these steps:

    1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
    2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32):
      drvddll.exe
      drvddll.exeopen
      drvddll.exeopenopen
    3. Edit the registry
      • Delete the "drvddll.exe" value from
        • HKEY_CURRENT_USER\Software\Microsoft\
          Windows\CurrentVersion\Run
    4. Reboot the system into Default Mode

    McAfee Threatscan
    ThreatScan signatures that can detect the W32/Bagle.aa@MM virus are available from:

          -Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt
          -Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

    ThreatScan Signature version: 2004-04-28
    ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

    • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
      -or-
    • Select the "Other" category and "Scan All Vulnerabilities" template.

    For additional information:

    • Run the "ThreatScan Template Report"
    • Look for module number #4071

    ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

    • Select TCP Port scan
    • Enter port: 2535

    McAfee Desktop Firewall
    To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 2535.

    McAfee System Compliance Profiler
    Create a rule that matches a file

    • Choose SYSTEM_DIR from the drop-down
    • Type in DRVDDLL.EXE for the file name
    • Choose "File does not exist" in the next drop-down

    Sniffer Customers
    Filters have been developed that will look for Bagle traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].

       
