Virus Profile: W32/Bagle.bb@mm

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 10/29/2004
Date Added: 10/29/2004
Origin: Unknown
Length: Varies
Type: Virus
Subtype: E-mail worm
DAT Required: 4402

Description

This is a virus detection. Viruses are self-replicating programs: an infected system spreads the virus to other systems, which in turn propagate it further. Many viruses carry a destructive payload, but it is just as common for a virus to do nothing beyond spreading from one system to another. The threat described here is a mass-mailing e-mail worm (see Subtype above); its file, registry, network and backdoor indicators are detailed below.

Indication of Infection

When executed, the worm copies itself into the Windows system folder as WINGO.EXE. For example:

  • C:\WINNT\SYSTEM32\WINGO.EXE

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE

The following Registry key is also added and used to store data (in an entry named "TimeKey"):

  • HKEY_CURRENT_USER\Software\Params

Additionally, the virus may make multiple copies of itself in the Windows system directory, appending the string "open" to the filename. For example:

  • C:\WINNT\SYSTEM32\WINGO.EXEOPEN
  • C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN
  • etc

Port 81 (TCP) is also opened on the victim machine.

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

  • {z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • 'D'r'o'p'p'e'd'S'k'y'N'e't'
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • ____--->>>>U<<<<--____
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Methods of Infection

Mail Propagation

The virus constructs outgoing messages with its own SMTP engine. Target email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .wab
  • .txt
  • .msg
  • .htm
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp

Outgoing messages are built from a varying subject line, message body and attachment filename, each chosen from the lists below.

The From: address is spoofed.

Subject: The subject line is one of the following:

  • Re:
  • Re: Hello
  • Re: Thank you!
  • Re: Thanks :)
  • Re: Hi

Message Body: The message body will be one of the following:

  • :)
  • :))

Attachment: The attachment is an executable with one of the following base names:

  • Price
  • price
  • Joke

with one of the following extensions:

  • .exe
  • .scr
  • .com
  • .cpl
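
The message traits above (spoofed From:, one of five subjects, a body of ":)" or ":))", and a Price/price/Joke attachment with an executable extension) can be turned into gateway detection logic. The following Python script is an added example and is not part of the McAfee profile or of any McAfee product. The sample messages it builds are constructed here (the From: address is made up, consistent with the worm spoofing it), and the rule that a match requires the characteristic attachment plus a matching subject or body is this example's own choice, since subjects such as "Re: Hi" are far too common to act on alone.

```python
# Added example: classify an e-mail against the Bagle.bb mail characteristics above.
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {":)", ":))"}
ATTACHMENT_STEMS = {"Price", "price", "Joke"}
ATTACHMENT_EXTS = {".exe", ".scr", ".com", ".cpl"}


def _attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _plain_body(msg: Message) -> str:
    """First text/plain part that is not itself an attachment, decoded and stripped."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "ascii", "replace").strip()
    return ""


def _is_bagle_attachment(filename: str) -> bool:
    # Stems are matched exactly (the worm uses both "Price" and "price"),
    # extensions case-insensitively.
    stem, dot, ext = filename.rpartition(".")
    return bool(dot) and stem in ATTACHMENT_STEMS and ("." + ext).lower() in ATTACHMENT_EXTS


def classify(raw_message: str) -> dict:
    """Return the Bagle.bb traits a message carries and whether it matches the profile.

    A match requires the characteristic attachment plus at least one of the
    subject/body traits (this example's own threshold, not McAfee's rule).
    """
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    traits = []
    if subject in SUBJECTS:
        traits.append("subject")
    if _plain_body(msg) in BODIES:
        traits.append("body")
    if any(_is_bagle_attachment(name) for name in _attachment_names(msg)):
        traits.append("attachment")
    return {"subject": subject, "traits": traits,
            "match": "attachment" in traits and len(traits) >= 2}


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Construct a test message; the From: is made up, as the worm's is spoofed."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    part = MIMEApplication(b"MZ placeholder bytes, not a real executable", Name=attachment_name)
    part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
    msg.attach(part)
    return msg.as_string()


# Constructed samples: one shaped like the worm's mail, one ordinary reply, one lure-only.
WORM_LIKE = build_sample("Re: Thanks :)", ":)", "price.exe")
BENIGN = build_sample("Re: Hi", "Thanks for the report, file attached.", "Report.pdf")
LURE_ONLY = build_sample("Invoice for October", "See attached.", "Joke.scr")

if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE), ("benign", BENIGN), ("lure-only", LURE_ONLY)):
        print(label, classify(sample))
```

The subject and body checks are exact comparisons because the worm's strings are fixed; the attachment check is the part worth keeping even after this variant is gone, since a bare executable named Price or Joke has no business arriving by mail.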

The virus does not mail itself to email addresses containing the following strings:

  • @hotmail
  • @msn
  • @microsoft
  • rating@
  • f-secur
  • news
  • update
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@

P2P Propagation

The worm copies itself, using enticing filenames, into folders on the victim machine containing the string 'shar'. The following filenames are used:

  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Porno Screensaver.scr
  • Serials.txt.exe
  • KAV 5.0
  • Kaspersky Antivirus 5.0
  • Porno pics arhive, xxx.exe
  • Windows Sourcecode update.doc.exe
  • Ahead Nero 7.exe
  • Windown Longhorn Beta Leak.exe
  • Opera 8 New!.exe
  • XXX hardcore images.exe
  • WinAmp 6 New!.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • Adobe Photoshop 9 full.exe
  • Matrix 3 Revolution English Subtitles.exe
  • ACDSee 9.exe
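
A sweep for those lure files, as an added example that is not part of the McAfee profile. It assumes that "folders containing the string 'shar'" means any directory component of the path containing that string (case-insensitive), which is how a P2P client's "My Shared Folder" or a server share named "shared" would be picked up; the sample paths are constructed.

```python
# Added example: find Bagle.bb lure files under share-style folders.
import os
import re

LURE_NAMES = {name.lower() for name in [
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr",
    "Serials.txt.exe",
    "KAV 5.0",
    "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe",
    "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe",
    "Windown Longhorn Beta Leak.exe",
    "Opera 8 New!.exe",
    "XXX hardcore images.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "ACDSee 9.exe",
]}
_SEP = re.compile(r"[\\/]")  # accept Windows and POSIX separators in inventories


def is_lure_path(path: str) -> bool:
    """True when the file name is a lure and some directory on the path contains 'shar'
    (assumed reading of "folders containing the string 'shar'")."""
    parts = _SEP.split(path)
    name, dirs = parts[-1], parts[:-1]
    return name.lower() in LURE_NAMES and any("shar" in d.lower() for d in dirs)


def lure_hits(paths) -> list:
    """Filter an existing file inventory, e.g. an exported directory listing."""
    return sorted(p for p in paths if is_lure_path(p))


def sweep(root: str) -> list:
    """Walk a live tree (a workstation drive or a file-server share root)."""
    found = []
    for dirpath, _subdirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files
                     if is_lure_path(os.path.join(dirpath, f)))
    return sorted(found)


# Constructed inventory: three hits, one lure name outside a 'shar' folder, one normal file.
SAMPLE_PATHS = [
    r"C:\Program Files\KaZaA\My Shared Folder\Serials.txt.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\ACDSee 9.exe",
    r"C:\Documents and Settings\user\Shared\KAV 5.0",
    r"C:\Documents and Settings\user\My Documents\Serials.txt.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\readme.txt",
]

if __name__ == "__main__":
    for hit in lure_hits(SAMPLE_PATHS):
        print(hit)
```

Two of the names ("KAV 5.0", "Kaspersky Antivirus 5.0") have no extension on this page and are matched exactly as listed; a copy in a folder whose name lacks 'shar' is reported only if you drop the directory test, which is a reasonable change for a file-server sweep where the share name is not part of the local path.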

Process Termination Payload

The virus terminates the following processes if they are running on the victim machine:

  • mcagent.exe
  • mcvsshld.exe
  • mcshield.exe
  • mcvsescn.exe
  • mcvsrte.exe
  • DefWatch.exe
  • Rtvscan.exe
  • ccEvtMgr.exe
  • NISUM.EXE
  • ccPxySvc.exe
  • navapsvc.exe
  • NPROTECT.EXE
  • nopdb.exe
  • ccApp.exe
  • Avsynmgr.exe
  • VsStat.exe
  • Vshwin32.exe
  • alogserv.exe
  • RuLaunch.exe
  • Avconsol.exe
  • PavFires.exe
  • FIREWALL.EXE
  • ATUPDATER.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • AUTODOWN.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ESCANH95.EXE
  • AVXQUAR.EXE
  • ESCANHNT.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVXQUAR.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • CFIAUDIT.EXE
  • UPDATE.EXE
  • NUPGRADE.EXE
  • MCUPDATE.EXE
  • pavsrv50.exe
  • AVENGINE.EXE
  • APVXDWIN.EXE
  • pavProxy.exe
  • navapw32.exe
  • navapsvc.exe
  • ccProxy.exe
  • navapsvc.exe
  • NPROTECT.EXE
  • SAVScan.exe
  • SNDSrvc.exe
  • symlcsvc.exe
  • LUCOMS~1.EXE
  • blackd.exe
  • bawindo.exe
  • FrameworkService.exe
  • VsTskMgr.exe
  • SHSTAT.EXE
  • UpdaterUI.exe

BackDoor Component

The worm opens port 81 (TCP) on the victim machine. Initial analysis suggests this is a file-execution backdoor: once the listener is up, a remote attacker can connect to the victim machine and have it execute a file.

Downloading

This threat contacts the following websites to retrieve a file named G.JPG. At the time of writing, the file was not available on any of them.

  • https://www.24-7-transportation.com
  • https://www.adhdtests.com
  • https://www.aegee.org
  • https://www.aimcenter.net
  • https://www.alupass.lu
  • https://www.amanit.ru
  • https://www.andara.com
  • https://www.angelartsanctuary.com
  • https://www.anthonyflanagan.com
  • https://www.approved1stmortgage.com
  • https://www.argontech.net
  • https://www.asianfestival.nl
  • https://www.atlantisteste.hpg.com.br
  • https://www.aviation-center.de
  • https://www.bbsh.org
  • https://www.bga-gsm.ru
  • https://www.boneheadmusic.com
  • https://www.bottombouncer.com
  • https://www.bradster.com
  • https://www.buddyboymusic.com
  • https://www.bueroservice-it.de
  • https://www.calderwoodinn.com
  • https://www.capri-frames.de
  • https://www.celula.com.mx
  • https://www.ceskyhosting.cz
  • https://www.chinasenfa.com
  • https://www.cntv.info
  • https://www.compsolutionstore.com
  • https://www.coolfreepages.com
  • https://www.corpsite.com
  • https://www.couponcapital.net
  • https://www.cpc.adv.br
  • https://www.crystalrose.ca
  • https://www.cscliberec.cz
  • https://www.curtmarsh.com
  • https://www.customloyal.com
  • https://www.DarrkSydebaby.com
  • https://www.deadrobot.com
  • https://www.dontbeaweekendparent.com
  • https://www.dragcar.com
  • https://www.ecofotos.com.br
  • https://www.elenalazar.com
  • https://www.ellarouge.com.au
  • https://www.esperanzaparalafamilia.com
  • https://www.eurostavba.sk
  • https://www.everett.wednet.edu
  • https://www.fcpages.com
  • https://www.featech.com
  • https://www.fepese.ufsc.br
  • https://www.firstnightoceancounty.org
  • https://www.flashcorp.com
  • https://www.fleigutaetscher.ch
  • https://www.fludir.is
  • https://www.freeservers.com
  • https://www.FritoPie.NET
  • https://www.gamp.pl
  • https://www.gci-bln.de
  • https://www.gcnet.ru
  • https://www.generationnow.net
  • https://www.gfn.org
  • https://www.giantrevenue.com
  • https://www.glass.la
  • https://www.handsforhealth.com
  • https://www.hartacorporation.com
  • https://www.himpsi.org
  • https://www.idb-group.net
  • https://www.immonaut.sk
  • https://www.ims-i.com
  • https://www.innnewport.com
  • https://www.irakli.org
  • https://www.irinaswelt.de
  • https://www.jansenboiler.com
  • https://www.jasnet.pl
  • https://www.jhaforpresident.7p.com
  • https://www.jimvann.com
  • https://www.jldr.ca
  • https://www.justrepublicans.com
  • https://www.kencorbett.com
  • https://www.knicks.nl
  • https://www.kps4parents.com
  • https://www.kps4parents.com
  • https://www.kradtraining.de
  • https://www.kranenberg.de
  • https://www.kranenberg.de
  • https://www.lasermach.com
  • https://www.leonhendrix.com
  • https://www.magicbottle.com.tw
  • https://www.mass-i.kiev.ua
  • https://www.mepbisu.de
  • https://www.mepmh.de
  • https://www.metal.pl
  • https://www.mexis.com
  • https://www.mongolische-renner.de
  • https://www.mtfdesign.com
  • https://www.oboe-online.com
  • https://www.ohiolimo.com
  • https://www.onepositiveplace.org
  • https://www.oohlala-kirkland.com
  • https://www.orari.net
  • https://www.pankration.com
  • https://www.pe-sh.com
  • https://www.pfadfinder-leobersdorf.com
  • https://www.pipni.cz
  • https://www.polizeimotorrad.de
  • https://www.programmierung2000.de
  • https://www.pyrlandia-boogie.pl
  • https://www.raecoinc.com
  • https://www.realgps.com
  • https://www.redlightpictures.com
  • https://www.reliance-yachts.com
  • https://www.relocationflorida.com
  • https://www.rentalstation.com
  • https://www.rieraquadros.com.br
  • https://www.scanex-medical.fi
  • https://www.sea.bz.it
  • https://www.selu.edu
  • https://www.sigi.lu
  • https://www.sljinc.com
  • https://www.sljinc.com
  • https://www.smacgreetings.com
  • https://www.soloconsulting.com
  • https://www.spadochron.pl
  • https://www.srg-neuburg.de
  • https://www.ssmifc.ca
  • https://www.sugardas.lt
  • https://www.sunassetholdings.com
  • https://www.szantomierz.art.pl
  • https://www.the-fabulous-lions.de
  • https://www.tivogoddess.com
  • https://www.tkd2xcell.com
  • https://www.topko.sk
  • https://www.transportation.gov.bh
  • https://www.travelchronic.de
  • https://www.traverse.com
  • https://www.uhcc.com
  • https://www.ulpiano.org
  • https://www.uslungiarue.it
  • https://www.vandermost.de
  • https://www.vbw.info
  • https://www.velezcourtesymanagement.com
  • https://www.velocityprint.com
  • https://www.vikingpc.pl
  • https://www.vinirforge.com
  • https://www.wecompete.com
  • https://www.worest.com.ar
  • https://www.woundedshepherds.com
  • https://www.wwwebad.com
  • https://www.wwwebmaster.com
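
Because every infected host walks this list, the download attempts are a reliable network indicator even though the file was never there: a 404 still shows which client asked. The script below is an added example, not part of the McAfee profile. It matches on host name regardless of scheme, compares only the file name because this page does not give the path used on each site, uses a subset of the hosts above (extend it the same way), and runs over constructed Squid-format log lines.

```python
# Added example: flag proxy-log requests for G.JPG from the Bagle.bb download sites.
from urllib.parse import urlsplit

# A subset of the hosts listed above, lower-cased; add the rest the same way.
DOWNLOAD_HOSTS = {
    "www.24-7-transportation.com", "www.adhdtests.com", "www.aegee.org",
    "www.aimcenter.net", "www.amanit.ru", "www.everett.wednet.edu",
    "www.selu.edu", "www.transportation.gov.bh", "www.wwwebmaster.com",
}
PAYLOAD_NAME = "g.jpg"  # compared case-insensitively


def parse_squid(line: str):
    """Squid native access.log: time elapsed client code/status bytes method URL ident hier type."""
    cols = line.split()
    if len(cols) < 7:
        return None
    return {"client": cols[2], "status": cols[3], "method": cols[5], "url": cols[6]}


def classify_request(url: str):
    """None unless the request is for a file named G.JPG (any path depth, any case)."""
    parts = urlsplit(url)
    leaf = parts.path.rsplit("/", 1)[-1].lower()
    if leaf != PAYLOAD_NAME:
        return None
    return "bagle-download-site" if (parts.hostname or "") in DOWNLOAD_HOSTS else "g.jpg-other-host"


def scan_log(lines) -> list:
    hits = []
    for line in lines:
        rec = parse_squid(line)
        if rec is None:
            continue
        verdict = classify_request(rec["url"])
        if verdict:
            # Status is kept for the report but not used for the verdict: the request
            # itself is the indicator, not a successful download.
            hits.append((rec["client"], rec["url"], rec["status"], verdict))
    return hits


def infected_clients(hits, threshold: int = 2) -> list:
    """Clients that asked two or more listed sites for G.JPG are walking the worm's list."""
    counts = {}
    for client, _url, _status, verdict in hits:
        if verdict == "bagle-download-site":
            counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


# Constructed log: 10.0.0.5 walks the list (two 404s), 10.0.0.9 fetches an unrelated g.jpg.
SAMPLE_LOG = """\
1099094400.101    45 10.0.0.5 TCP_MISS/404 412 GET http://www.aegee.org/G.JPG - DIRECT/198.51.100.7 text/html
1099094400.322    51 10.0.0.5 TCP_MISS/404 412 GET http://www.adhdtests.com/G.JPG - DIRECT/198.51.100.8 text/html
1099094401.010    33 10.0.0.9 TCP_HIT/200 18233 GET http://www.example.com/images/g.jpg - NONE/- image/jpeg
1099094402.500   120 10.0.0.5 TCP_MISS/200 9104 GET http://www.example.com/index.html - DIRECT/198.51.100.9 text/html
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("likely infected:", infected_clients(hits))
```

The two-site threshold separates a host running the worm from a user who happens to open an image called g.jpg somewhere; lower it to 1 if the proxy only sees a fraction of the traffic.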

Registry Entry Removal

In both of the following startup locations:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run

the following values, which belong to other worms and to security products, are deleted so that those programs no longer start with Windows:

  • My AV
  • Zone Labs Client Ex
  • 9XHtProtect
  • Antivirus
  • Special Firewall Service
  • service
  • Tiny AV
  • ICQNet
  • HtProtect
  • NetDy
  • Jammer2nd
  • FirewallSvr
  • MsInfo
  • SysMonXP
  • EasyAV
  • PandaAVEngine
  • Norton Antivirus AV
  • KasperskyAVEng
  • SkynetsRevenge
  • ICQ Net

Aliases

I-Worm.Bagle.at (Kaspersky), W32/Bagle-AU (Sophos), W32/Bagle.BC.worm (Panda), WORM_BAGLE.AT (Trend)
   

Virus Characteristics

-- Update February 3, 2005 --

The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.

--

The risk assessment of this mass-mailing virus has been deemed Medium due to high prevalence. The 4402 DATs have been released early to address this threat.

If you think that you may be infected with W32/Bagle.bb@mm and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products can detect and remove the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This variant of W32/Bagle bears the following characteristics:

  • packed with PeX
  • contains its own SMTP engine for constructing outgoing email messages. The From: address is spoofed.
  • harvests target email addresses from the victim machine
  • copies itself to local folders on the victim machine (to folders containing the string 'shar')
  • terminates processes associated with various AV/security products
  • uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
  • deletes registry entries of security programs and other worms
  • opens port 81 for listening. Initial analysis suggests that the backdoor may be used for remote file execution.

Proactive Detection
McAfee gateway products (and the email-scanner plugin within the desktop product) running the 4382 DATs or greater will detect the original email messages generated by this virus as W32/Bagle!eml.gen.

   

All Users:
The specified DATs have been released early for this threat.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Manual Removal Instructions

To remove this worm manually, follow the steps below:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
    wingo.exe
    wingo.exeopen     
    wingo.exeopenopen
  3. Edit the registry
    • Delete the "wingo" value (data C:\WINNT\SYSTEM32\WINGO.EXE, as listed under Indication of Infection) from
      • HKEY_LOCAL_MACHINE\Software\Microsoft\
        Windows\CurrentVersion\Run
    • Also check the corresponding key
      • HKEY_CURRENT_USER\Software\Microsoft\
        Windows\CurrentVersion\Run
      for a "wingo" or "wingo.exe" value pointing at WINGO.EXE and delete it if present
  4. Reboot the system into Default Mode
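
The following Python script is an added example, not McAfee's tool and not code from this profile. It automates the check for the indicators listed under Indication of Infection (dropper files named WINGO.EXE with any number of "open" suffixes, the Run entries, a TCP port 81 listener, a Netsky-style mutex) and the manual removal steps above. The snapshot at the bottom is constructed so the logic runs offline; live collection and the actual deletions need Windows (winreg, netstat and the Win32 OpenMutexW call), while assess() and the dry-run plan from clean() work on any platform. Because this page gives the Run value name as both "wingo" and "wingo.exe", the script accepts either, in both Run keys, and also matches any Run value whose data points at a WINGO.EXE* file.

```python
# Added example: check a host for the Bagle.bb indicators on this page and clean them up.
import ntpath
import os
import re
import sys

DROPPER_RE = re.compile(r"^wingo\.exe(open)*$", re.IGNORECASE)  # WINGO.EXE, WINGO.EXEOPEN, ...
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"wingo", "wingo.exe"}  # both spellings appear on this page
BACKDOOR_PORT = 81
NETSKY_MUTEXES = [
    "{z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U<<<<--____",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
]


def assess(filenames, run_values, listening_ports, held_mutexes=()):
    """Pure check over a snapshot: system-directory names, {"HKLM"/"HKCU": {value: data}}
    from the Run keys, TCP ports in LISTENING state, and mutex names present on the host."""
    droppers = sorted(f for f in filenames if DROPPER_RE.match(f))
    run_hits = [(hive, name, data)
                for hive, values in run_values.items() for name, data in values.items()
                if name.lower() in RUN_VALUE_NAMES or DROPPER_RE.match(ntpath.basename(data))]
    # A dropper file or Run entry is decisive; port 81 and a Netsky-style mutex only
    # corroborate (another Bagle/Netsky variant or a legitimate service could explain either).
    return {"dropper_files": droppers, "run_entries": run_hits,
            "port81_listening": BACKDOOR_PORT in set(listening_ports),
            "netsky_mutexes": [m for m in held_mutexes if m in NETSKY_MUTEXES],
            "infected": bool(droppers or run_hits)}


def clean(system_dir, report, dry_run=True):
    """Delete the files and Run values in an assess() report; with dry_run only the plan is returned.
    Boot to Safe Mode first so the running worm cannot recreate them."""
    actions = []
    for name in report["dropper_files"]:
        actions.append(("delete file", ntpath.join(system_dir, name)))
        if not dry_run:
            os.remove(actions[-1][1])
    for hive, name, _data in report["run_entries"]:
        actions.append(("delete value", f"{hive}\\{RUN_SUBKEY}\\{name}"))
        if not dry_run:
            import winreg
            root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
            with winreg.OpenKey(root, RUN_SUBKEY, 0, winreg.KEY_SET_VALUE) as key:
                winreg.DeleteValue(key, name)
    return actions


def snapshot_windows():
    """Collect the assess() inputs from the live host (Windows only)."""
    import ctypes, subprocess, winreg
    from ctypes import wintypes
    system_dir = ntpath.join(os.environ["SystemRoot"], "system32")
    run = {"HKLM": {}, "HKCU": {}}
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _type = winreg.EnumValue(key, i)
                    run[label][name] = str(data)
        except OSError:
            pass
    ports = set()
    out = subprocess.run(["netstat", "-an", "-p", "tcp"], capture_output=True, text=True).stdout
    for line in out.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "TCP" and cols[3] == "LISTENING":
            ports.add(int(cols[1].rsplit(":", 1)[1]))
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.argtypes, k32.OpenMutexW.restype = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR], wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    held = []
    for name in NETSKY_MUTEXES:
        handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE is enough to probe
        if handle:
            held.append(name)
            k32.CloseHandle(handle)
    return system_dir, os.listdir(system_dir), run, ports, held


# Constructed snapshot of an infected host, so the script also runs offline.
SAMPLE = dict(
    filenames=["kernel32.dll", "wingo.exe", "WINGO.EXEOPEN", "notepad.exe"],
    run_values={"HKLM": {"wingo": r"C:\WINNT\SYSTEM32\WINGO.EXE"}, "HKCU": {"ctfmon.exe": r"C:\WINNT\SYSTEM32\ctfmon.exe"}},
    listening_ports={135, 445, 81},
    held_mutexes=["AdmSkynetJklS003"],
)

if __name__ == "__main__":
    live = sys.platform == "win32"
    system_dir, files, run, ports, held = snapshot_windows() if live else (r"C:\WINNT\SYSTEM32", *SAMPLE.values())
    report = assess(files, run, ports, held)
    print(report)
    for action in clean(system_dir, report, dry_run=not (live and "--clean" in sys.argv)):
        print(*action)
```

Run it from Safe Mode with --clean to apply the plan; without the flag it only reports. The mutex probe is read-only (OpenMutexW with SYNCHRONIZE access) and a hit means some process currently holds one of the Netsky names, which this worm claims in order to keep those Netsky variants from running; treat it as supporting evidence, not proof.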

McAfee Desktop Firewall
To prevent possible remote access through the backdoor, McAfee Desktop Firewall users can block incoming TCP port 81.

Network General Sniffer
A Network General Sniffer filter is available at https://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1

   
