Virus Profile: W32/Bagle.cb@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/4/2005
Date Added: 8/4/2005
Origin: Unknown
Length: 21,696 bytes
Type: Virus
Subtype: Email
DAT Required: 4550
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

When executed, the worm installs itself to the victim machine with the Windows system folder as WINHOST.EXE. For example:

  • C:\WINNT\SYSTEM32\WINHOST.EXE

The following regsitry run key is created to load the worm at startup:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "winhost.exe" = C:\WINDOWS\System32\winhost.exe

A marker registry key is also created:

  • HKEY_CURRENT_USER\Software\Timeout

Methods of Infection

Mail Propagation

The virus constructs outgoing messages with its own SMTP engine. Target email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • .wab
  • .txt
  • .msg
  • .htm
  • .html
  • .shtm
  • .stm
  • .xml
  • .dbx
  • .mbx
  • .mdx
  • .eml
  • .nch
  • .mmf
  • .ods
  • .cfg
  • .asp
  • .php
  • .pl
  • .wsh
  • .adb
  • .tbb
  • .sht
  • .xls
  • .oft
  • .uin
  • .cgi
  • .mht
  • .dhtm
  • .jsp

The virus does not mail itself to email addresses containing the following strings:

  • virus
  • norton
  • @msn
  • @microsoft
  • rating@
  • f-secur
  • news
  • update
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@

P2P Propagation

The worm copies itself using enticing filenames to folders on the victim machine containing the string 'shar' . The following filenames are used:

  • Microsoft Office 2003 Crack, Working!.exe
  • Microsoft Windows XP, WinXP Crack, working Keygen.exe
  • Microsoft Office XP working Crack, Keygen.exe
  • Porno, sex, oral, anal cool, awesome!!.exe
  • Porno Screensaver.scr
  • Serials.txt .exe
  • text.txt .exe
  • Kaspersky Antivirus 5.0
  • Porno pics arhive, xxx.exe
  • Windows Sourcecode update.doc .exe
  • Ahead Nero 7.exe
  • Windown Longhorn Beta Leak.exe
  • New document.doc .exe
  • XXX hardcore images.exe
  • WinAmp 6 New!.exe
  • hardcore arhive.exe
  • install.exe
  • important.exe
  • important update.exe
  • update.exe
  • patch.exe
  • New patch.exe
  • setup.exe
  • message.msg .exe

Process Termination Payload

The virus terminates the following processes if they are running on the victim machine:

  • OUTPOST.EXE
  • SAVSCAN.EXE
  • navapsvc.exe
  • NPROTECT.EXE
  • ccApp.exe
  • ccEvtMgr.exe
  • SymWSC.exe
  • NavShExt.dll
  • NMAIN.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NSCHED32.EXE
  • NTVDM.EXE
  • NVARCH16.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KILLPROCESSSETUP161.EXE
  • LDPRO.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LSETUP.EXE
  • CLEANPC.EXE
  • AVprotect9x.exe
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • ICSSUPPNT.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DRWATSON.EXE
  • ENT.EXE
  • ESCANH95.EXE
  • AVXQUAR.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • AVPUPD.EXE
  • EXANTIVIRUS-CNET.EXE
  • FAST.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • FP-WIN_TRIAL.EXE
  • FRW.EXE
  • FSAV.EXE
  • AUTODOWN.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HTLOG.EXE
  • HWPE.EXE
  • IAMAPP.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFW2000.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • JAMMER.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • BORG2.EXE
  • BS120.EXE
  • CDP.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • AUTOUPDATE.EXE
  • CFINET.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • AUTOTRACE.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NETARMOR.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • CFIAUDIT.EXE
  • LUCOMSERVER.EXE
  • AGENTSVR.EXE
  • ANTI-TROJAN.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATWATCH.EXE
  • AVCONSOL.EXE
  • AVGSERV9.EXE
  • AVSYNMGR.EXE
  • BD_PROFESSIONAL.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BOOTWARN.EXE
  • NWINST4.EXE
  • NWTOOL16.EXE
  • OSTRONET.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PAVPROXY.EXE
  • DRWEBUPW.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PDSETUP.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PF2.EXE
  • AVLTMAIN.EXE
  • PFWADMIN.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PROCEXPLORERV1.0.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • AVWUPD32.EXE
  • NUPGRADE.EXE
  • WHOSWATCHINGME.EXE
  • WINRECON.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WSBGATE.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • CFINET32.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CPD.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • PURGE.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAV8WIN32ENG.EXE
  • REGEDT32.EXE
  • REGEDIT.EXE
  • UPDATE.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • SAFEWEB.EXE
  • SBSERV.EXE
  • SD.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SMC.EXE
  • SOFI.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • ST2.EXE
  • SUPFTRL.EXE
  • LUALL.EXE
  • SUPPORTER5.EXE
  • SYMPROXYSVC.EXE
  • SYSEDIT.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TAUSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TDS-3.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • UNDOBOOT.EXE
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VFSETUP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCENU6.02D30.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • ICSUPP95.EXE
  • MCUPDATE.EXE
  • CFINET32.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • LUINIT.EXE
  • MCAGENT.EXE
  • MCUPDATE.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MOOLIVE.EXE
  • MRFLUX.EXE
  • MSCONFIG.EXE
  • MSINFO32.EXE
  • MSSMMC32.EXE
  • MU0311AD.EXE
  • NAV80TRY.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE

BackDoor Component

The worm opens port 9030 (TCP) on the victim machine. Initial analysis suggests this is a file execution backdoor. Once listening, the hacker is able to connect to a victim machine, and execute a file on that machine.

Downloading

This threat contacts a list of websites to retrieve files.  At the time of writing, this file was not available on any of the sites.

  • https://thehiphops.com
  • https://68.24.54.122/
  • https://paromy.ru/_old_img/
  • https://www.ladywears.com/
  • https://64.12.212.12/
  • https://nine-one-one.ca/
  • https://www.evocreations.com/
  • https://sexyforum.ru/
  • https://rescan.com/
  • https://www.cardgoods.com/
  • https://blockism.net/
  • https://talent2k.com/
  • https://64.246.44.10
  • http://motivethree.com/img
  • https://zalala.net
  • https://biiig.org
  • https://tovarisi.net

Aliases

Email-Worm.Win32.Bagle.bw (AVP), W32.Beagle.BY@mm (Symantec), W32/Bagle.CG@mm (F-PROT), Win32/Bagle.BR (ESET)
   

Virus Characteristics

This mass-mailing worm arrives as an email attachment in a message with the following characteristics:

From: (spoofed / forged)
Subject: The subject line is one of the following:

  • Re: Msg reply
  • Re: Hello
  • Re:
  • Re:
  • Re: Yahoo!
  • Re: Thank you!
  • Re: Thanks :)
  • RE: Text message
  • Re: Document
  • Incoming message
  • Re: Incoming Message
  • RE: Incoming Msg
  • RE: Message Notify
  • Notification
  • Changes..
  • Update
  • Fax Message
  • Protected message
  • RE: Protected message
  • Forum notify
  • Site changes
  • Re: Hi
  • Encrypted document

Message Body: The message body will be one of the following:

  • Read the attach.
  • Your file is attached.
  • Try this.
  • More info is in attach
  • See attach.
  • Please, have a look at the attached file.
  • Your document is attached.
  • Please, read the document.
  • Attach tells everything.
  • Attached file tells everything.
  • Check attached file for details.
  • Check attached file.
  • Pay attention at the attach.
  • See the attached file for details.
  • Message is in attach
  • Here is the file.

Attachment: The attachment is an executable of name:

  • Information.exe
  • Details.exe
  • text_document.exe
  • Updates.exe
  • Readme.exe
  • Document.exe
  • Info.exe
  • Details.exe
  • MoreInfo.exe
  • Message.exe
  • Sources.exe

The attachment may also be a ZIP archive containing the executable.  The archive may be protected with a random password, and the message body may contain additional information.

  • For security reasons attached file is password protected. The password is
  • For security purposes the attached file is password protected. Password --
  • Note: Use password  to open archive
  • Attached file is protected with the password for security reasons. Password is
  • In order to read the attach you have to use the following password:
  • Archive password:
  • Password -
  • Password:
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.
   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95