Virus Profile: W32/Bagle.dq@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/4/2006
Date Added: 2/4/2006
Origin: Unknown
Length: N/A
Type: Virus
Subtype: E-mail worm
DAT Required: 4690

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Propagation via Mail:

The worm reads files with the following extensions on the infected system in order to harvest email addresses:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Mail body:

Constructs an email message with the following characteristics:

From: [SPOOFED]

Subject:

Gwd: Msg reply
Gwd: Hello :-)
Gwd: Yahoo!!!
Gwd: Thank you!
Gwd: Thanks :)
Gwd: Text message
Gwd: Document
Gwd: Incoming message
Gwd: Incoming Message
Gwd: Incoming Msg
Gwd: Message Notify
Gwd: Notification
Gwd: Changes..
Gwd: Update
Gwd: Fax Message
Gwd: Protected message
Gwd: Forum notify
Gwd: Site changes
Gwd: Hi
Gwd: crypted document

Message body:

Ok. Read the attach.
Ok. Your file is attached.
Ok. More info is in attach
Ok. See attach.
Ok. Please, have a look at the attached file.
Ok. Your document is attached.
Ok. Please, read the document.
Ok. Attach tells everything.
Ok. Attached file tells everything.
Ok. Check attached file for details.
Ok. Check attached file.
Ok. Pay attention at the attach.
Ok. See the attached file for details.
Ok. Message is in attach
Ok. Here is the file.

Attachment (one of the following names, with .com or .scr as the extension of the worm file):

www.cumonherface
Details
XXX_livebabes
XXX_PornoUpdates
xxxporno
fuck_her
Info
Common
MoreInfo
Message

The spammed attachment contains a copy of this worm and may also contain a "Description.txt" file containing the following string:

you've got them already

The worm does not send itself to addresses which contain any of the following strings:

@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
@avp.
noreply
local
root@
postmaster@
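The subject, body and attachment-name lists above are exact strings, which makes them usable as a mail-gateway or mail-log triage rule. The following Python is an added example written for this page, not part of the McAfee profile or any McAfee tool: it scores a message against those lists and treats a lure-named .com/.scr attachment plus at least one matching text element as a suspected Bagle.dq message. The sample messages at the bottom are constructed for the example.

```python
"""Flag e-mail messages that match the W32/Bagle.dq@MM lure described in the
profile above. Sample messages are constructed for this example; the subject,
body prefix and attachment names come from the profile text."""
import re

# Complete subject list from the profile (exact, case-sensitive strings).
SUBJECTS = {
    "Gwd: Msg reply", "Gwd: Hello :-)", "Gwd: Yahoo!!!", "Gwd: Thank you!",
    "Gwd: Thanks :)", "Gwd: Text message", "Gwd: Document",
    "Gwd: Incoming message", "Gwd: Incoming Message", "Gwd: Incoming Msg",
    "Gwd: Message Notify", "Gwd: Notification", "Gwd: Changes..",
    "Gwd: Update", "Gwd: Fax Message", "Gwd: Protected message",
    "Gwd: Forum notify", "Gwd: Site changes", "Gwd: Hi", "Gwd: crypted document",
}
# Every listed body text starts with "Ok. ", so the prefix is the indicator.
BODY_PREFIX = "Ok. "
# Attachment base names from the profile; the worm uses .com or .scr.
ATTACHMENT_STEMS = {
    "www.cumonherface", "Details", "XXX_livebabes", "XXX_PornoUpdates",
    "xxxporno", "fuck_her", "Info", "Common", "MoreInfo", "Message",
}
ATTACHMENT_RE = re.compile(r"^(?P<stem>[^.]+)\.(?P<ext>com|scr)$", re.IGNORECASE)


def score_message(msg):
    """Return the list of Bagle.dq indicators found in one message.

    msg is a dict with keys 'subject', 'body' and 'attachments' (file names).
    """
    hits = []
    if msg.get("subject", "").strip() in SUBJECTS:
        hits.append("subject")
    if msg.get("body", "").lstrip().startswith(BODY_PREFIX):
        hits.append("body")
    for name in msg.get("attachments", []):
        m = ATTACHMENT_RE.match(name)
        if m and m.group("stem") in ATTACHMENT_STEMS:
            hits.append(f"attachment:{name}")
        if name.lower() == "description.txt":
            hits.append("description.txt")
    return hits


def is_suspected_bagle(msg):
    """A lure-named .com/.scr attachment plus one more indicator is enough."""
    hits = score_message(msg)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


# Constructed sample messages (not real captures): two lures, two benign.
SAMPLE_MESSAGES = [
    {"subject": "Gwd: Incoming Msg", "body": "Ok. See attach.",
     "attachments": ["Details.scr"]},
    {"subject": "Re: invoice", "body": "Please find attached.",
     "attachments": ["invoice.pdf"]},
    {"subject": "Gwd: Hi", "body": "Ok. Here is the file.",
     "attachments": ["Message.com", "Description.txt"]},
    {"subject": "Fwd: Details", "body": "Ok. thanks",
     "attachments": ["Details.exe"]},
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        print(i, is_suspected_bagle(m), score_message(m))
```

The fourth sample shows why the attachment check is the anchor: a body that happens to start with "Ok. " but carries an .exe rather than a .com/.scr attachment scores one indicator and is not flagged.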

Propagation via Peer-to-Peer Networks:

This worm also propagates by dropping a copy of itself in folders that contain the string "shar" in their names. It uses the following file names for its dropped copy:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Creates the following mutexes to prevent NETSKY variants from executing.
This also ensures that only one instance of W32/Bagle.dq@MM can run on a computer at any time.

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
____--->>>>U<<<<--____
[SkyNet.cz]SystemsMutex
'D'r'o'p'p'e'd'S'k'y'N'e't'
AdmSkynetJklS003

The following strings are found inside the worm body:

In a difficult world
In a nameless time
I want to survive
So, you will be mine!!

-- Bagle Author, 29.04.04, Germany.

Methods of Infection

W32/Bagle.dq@MM was mass spammed on February 03, 2006.

Aliases

Email-Worm.Win32.Bagle.fk (Kaspersky), W32/Bagle-CF (Sophos), W32/Bagle.GT.worm (Panda), WORM_BAGLE.EF (Trend Micro)

Virus Characteristics

W32/Bagle.dq@MM is a mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer.
It also contains backdoor functionality which allows unauthorized remote access.

Upon execution, it creates a copy of itself in the Windows system directory:

%Windir%\%SYSDIR%\windspl.exe

Adds the following registry value so that it starts automatically when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"DsplObjects" = "%Windir%\%SYSDIR%\windspl.exe"

Drops a file named "regisp32.exe" in the Windows folder.
"regisp32.exe" is a downloader and is detected as W32/Bagle.dq.

%Windir%\regisp32.exe

Attempts to delete the following registry entries:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

Opens a backdoor on TCP port 6777 and listens for commands.
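The host-side indicators in this section (the Run value, the two dropped files, the listening port), together with the mutex names and the peer-to-peer drop names listed earlier, can be turned into one host check. The following Python is an added example for this page, not McAfee's code: it matches a host inventory against those indicators and also reports security-product autostart entries from the deletion list that a baseline says should exist but are now missing. The snapshots at the bottom are constructed, not real telemetry, and the shared-folder path in them is invented.

```python
"""Match a host inventory against the W32/Bagle.dq@MM host indicators from the
profile above. The snapshots at the bottom are constructed example data; the
paths, registry value, mutex names, P2P file names and port come from the
profile text."""
from dataclasses import dataclass

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DsplObjects"                        # its data points at windspl.exe
DROPPED_FILES = {"windspl.exe", "regisp32.exe"}  # system dir and Windows dir
BACKDOOR_PORT = 6777
# Mutexes the worm creates. Netsky variants use the same names, so a mutex hit
# on its own means "Bagle or Netsky present", not specifically this variant.
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
    "____--->>>>U<<<<--____",
    "[SkyNet.cz]SystemsMutex",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "AdmSkynetJklS003",
}
# Autostart entries the worm tries to delete (security products' Run values).
DELETED_RUN_VALUES = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng", "SkynetsRevenge",
    "ICQ Net",
}
# Names of the copies dropped into folders whose name contains "shar".
P2P_DROP_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe", "Porno Screensaver.scr",
    "Serials.txt.exe", "KAV 5.0", "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe", "Windows Sourcecode update.doc.exe",
    "Ahead Nero 7.exe", "Windown Longhorn Beta Leak.exe", "Opera 8 New!.exe",
    "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "Adobe Photoshop 9 full.exe",
    "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
}


@dataclass
class HostSnapshot:
    run_values: dict          # {name: data} read from RUN_KEY
    expected_run_values: set  # autostart names a clean baseline says exist
    files: list               # full paths present on disk
    mutexes: set              # named mutexes currently held
    listening_tcp: set        # locally listening TCP ports


def _split(path):
    """Return (folder, file name) for a Windows- or POSIX-style path."""
    folder, _, name = path.replace("\\", "/").rpartition("/")
    return folder, name


def match_indicators(snap):
    """Return a human-readable finding for every indicator present in snap."""
    findings = []
    data = snap.run_values.get(RUN_VALUE, "")
    if _split(data)[1].lower() == "windspl.exe":
        findings.append(f"registry: {RUN_KEY}\\{RUN_VALUE} = {data}")
    for missing in sorted(snap.expected_run_values - set(snap.run_values)):
        if missing in DELETED_RUN_VALUES:
            findings.append(f"autostart removed: {missing}")
    for path in snap.files:
        folder, name = _split(path)
        if name.lower() in DROPPED_FILES:
            findings.append(f"file: {path}")
        elif "shar" in folder.lower() and name in P2P_DROP_NAMES:
            findings.append(f"p2p copy: {path}")
    for mutex in sorted(snap.mutexes & MUTEXES):
        findings.append(f"mutex (Bagle or Netsky): {mutex}")
    if BACKDOOR_PORT in snap.listening_tcp:
        findings.append(f"listener: tcp/{BACKDOOR_PORT}")
    return findings


# Constructed snapshots (example data, not telemetry); the P2P path is invented.
INFECTED = HostSnapshot(
    run_values={"DsplObjects": r"C:\WINDOWS\system32\windspl.exe",
                "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    expected_run_values={"ctfmon.exe", "KasperskyAVEng"},
    files=[r"C:\WINDOWS\system32\windspl.exe", r"C:\WINDOWS\regisp32.exe",
           r"C:\P2P\Shared\Opera 8 New!.exe", r"C:\WINDOWS\notepad.exe"],
    mutexes={"AdmSkynetJklS003", "Local\\SomeAppMutex"},
    listening_tcp={135, 445, 6777},
)
CLEAN = HostSnapshot(
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    expected_run_values={"ctfmon.exe"}, files=[r"C:\WINDOWS\notepad.exe"],
    mutexes=set(), listening_tcp={135, 445},
)

if __name__ == "__main__":
    for finding in match_indicators(INFECTED):
        print(finding)
```

Collecting the snapshot is left to whatever inventory tooling is in use; the value of the check is in the combination, since a single match (a shared mutex name, or a process listening on 6777) is weak evidence on its own, while the Run value, the two dropped files and the listener together are specific to this variant.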


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
