Virus Profile: W32/Bagle.dt@mm

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 2/14/2006
Date Added: 2/14/2006
Origin: Unknown
Length: N/A
Type: Virus
Subtype: E-mail worm
DAT Required: 4696

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Propagation via Mail:

The following file types are read by the worm in order to harvest email addresses from an infected system:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Mailbody:

Constructs an email message with the following characteristics:

From: [SPOOFED]

Subject: (Any of the following)

FREE OLYMPIC TICKETS LOTTERY!
2006 Winter Games in Torino
2006 Torino Winter Games FREE Tickets

Message body:  (Any of the following)

Our company (TicketWorld) is the world's largest supplier of tickets to all major international events including the 2006 Winter Games and 2006 Torino Tickets. We sell tickets to every sporting event in Torino including the preliminary competitions as well as Olympic Finals tickets. You can order Winter Games tickets for all categories for every match. All Winter Games tickets are guaranteed 200%.

All ticket prices are in US Currency ($).

OPEN ATTACHMENT ARCHIVE TO GET INFORMATION HOW TO OBTAIN A FREE TOCKET.

Please call our United States office at +1.512.4{BLOCKED}.5797 or from the United Kingdom 0800.7{BLOCKED}.0819 if you have questions.

========================================

The Torino Winter games will be the most celebrated Olympics of our era. If you are looking to witness this historic event for yourself, look no further. SuperTicketing Premium Seating is your source for Olympics tickets. We have access to tickets for nearly every Olympic event from Opening to Closing Ceremonies, Curling to Figure Skating.

FREE TICKECKS AVAILABLE NOW ON LOTTERY BASIS. CHECK ATTACHED FILE.

DISCLAIMER
TickCo Premium Seating buys and resells tickets on the secondary market at above face value. Our prices can be substantially higher than the original ticket price, as they reflect the cost of obtaining premium seating. Any trademarked terms that appear on this page are used for descriptive purposes only.

========================================

Attention: you recieved free ticket invitation with attachment!

Coast to Coast Tickets provides the most comprehensive inventory of Opening Ceremony tickets available on the secondary market. If the Opening Ceremony tickets you are looking for are not available, please check back as our inventory is constantly updated. Orders for Opening Ceremony tickets that are no longer available will be cancelled or substituted at the customer's discretion. All Opening Ceremony tickets are shipped via Federal Express.

If you would like to attend a Opening Ceremony event to see athletes live, or to see a team schedule and information, Coast to Coast Tickets is your source. All it takes is a phone call or a few clicks of the mouse to buy Opening Ceremony tickets. We offer a wide selection of Winter Games tickets for all teams, and we are happy to provide information about schedules at any time.

========================================

Attachment: (Any of the following)

Generated_bill.exe
Order_details.exe
Service_receipt.exe

The worm does not send itself to addresses which contain any of the following strings:

@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
@avp.
noreply
local
root@
postmaster@
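As an added example (not part of the McAfee description), a mail-gateway check that flags a message matching the subject lures and attachment names listed above, and holds any other bare executable attachment as well; the sample message and its sender and recipient addresses are constructed.

```python
"""Mail-gateway check for the W32/Bagle.dt@mm lures listed above (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Subjects and attachment names are taken from the description above.
BAGLE_DT_SUBJECTS = {
    "FREE OLYMPIC TICKETS LOTTERY!",
    "2006 Winter Games in Torino",
    "2006 Torino Winter Games FREE Tickets",
}
BAGLE_DT_ATTACHMENTS = {"generated_bill.exe", "order_details.exe", "service_receipt.exe"}


def bagle_dt_indicators(raw: bytes) -> list[str]:
    """Return the campaign indicators present in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    subject = str(msg["Subject"] or "").strip()
    if subject in BAGLE_DT_SUBJECTS:
        hits.append(f"subject lure: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in BAGLE_DT_ATTACHMENTS:
            hits.append(f"known attachment name: {name}")
        elif name.endswith(".exe"):
            # Not one of this campaign's names, but a bare executable is worth holding anyway.
            hits.append(f"executable attachment: {name}")
    return hits


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Construct a message in the shape described above (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # the real worm spoofs this header
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("All ticket prices are in US Currency ($).")
    # A few placeholder bytes stand in for the worm executable.
    msg.add_attachment(b"MZ\x90\x00 placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(bagle_dt_indicators(build_sample("FREE OLYMPIC TICKETS LOTTERY!", "Order_details.exe")))
```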

Propagation via Peer-to-Peer Networks:

W32/Bagle.dt@MM copies itself to folders that have the phrase "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.). To entice users into downloading and executing these files, the worm uses the names of popular applications and pornographic material for its dropped copies:

anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe

Creates the following mutexes to prevent NETSKY variants from executing.
This also ensures that only one instance of W32/Bagle.dt@mm can run on a computer at any time.

____--->>>>U<<<<--____
AdmSkynetJklS003
'D'r'o'p'p'e'd'S'k'y'N'e't'
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

Additionally, the worm creates the following mutexes to aid in its downloading routines:

bagla_super_downloader_1000
smtp_bagla_1000

The following strings are found inside the worm body:

In a difficult world
In a nameless time
I want to survive
So, you will be mine!!

-- Bagle Author, 29.04.04, Germany.

Methods of Infection

W32/Bagle.dt@mm was mass spammed on February 14, 2006.

Aliases

Email-Worm.Win32.Bagle.fo (Kaspersky), W32.Beagle.DR@mm (Symantec), W32/Bagle-CM (Sophos), WORM_BAGLE.EV (Trend Micro)

Virus Characteristics

--Update 2006/02/16--
AVERT has raised this threat's status to Low-Profiled due to media attention at:
https://www.scmagazine.com/uk/news/article/541115/unsporting-bagle-mutant-turns-turin-ticket-tout
--
(Note: McAfee AVERT has observed instances of this threat, infected with W32/Sality.o, spreading in the wild)

W32/Bagle.dt@MM is a trojan downloader and mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. It also contains backdoor functionality which allows unauthorized remote access.

Upon execution, this worm displays the following fake error message:

It creates copies of itself in the Windows system directory:

%Windir%\%SYSDIR%\lsamgr.exe (copy of the worm)
%Windir%\%SYSDIR%\lsamgr.exeopen (copy of worm plus garbage code)
%Windir%\%SYSDIR%\lsamgr.exeopenopen (copy of worm plus garbage code)
%Windir%\Wimanager.exe (downloader detected as W32/Bagle.dt)

Adds the following value to the registry so that it starts automatically when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"LsaManager"="%Windir%\%SYSDIR%\lsamgr.exe "

Attempts to delete the following values (typically belonging to security products) from these registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

Attempts to download an updated copy of itself from the following URLs:

https://dook.zoo.by/zorg[Removed]/get.php
https://debut.zoo.com/zorg[Removed]/get.php
https://myphotokool.ferro.com/zorg[Removed]/get.php
https://ijj.t2035.com/zorg[Removed]/get.php
https://209.11.85.20/.%20/pr[Removed]/get.php

NOTE: At the time of writing this description, AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site.

Opens a backdoor on TCP port 6777 and listens for commands.
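As an added example that is not McAfee's code, a triage routine that compares a snapshot of host state (Run-key values, file names under %Windir%, mutex names and listening TCP ports, gathered by whatever collection tooling is already in use) against the artifacts listed above, and also reports security-product Run values that the worm deletes when they are missing from a baseline you supply; the snapshot and the baseline are constructed.

```python
"""Host triage for the W32/Bagle.dt@mm artifacts described above (added example)."""
# Artifacts are those listed in the description; DELETED_RUN_VALUES is a subset
# of the security-product Run values the worm tries to remove.
RUN_VALUE_NAME = "LsaManager"
DROPPED_FILES = {"lsamgr.exe", "lsamgr.exeopen", "lsamgr.exeopenopen", "wimanager.exe"}
BAGLE_MUTEXES = {"bagla_super_downloader_1000", "smtp_bagla_1000"}
NETSKY_MUTEXES = {"AdmSkynetJklS003", "[SkyNet.cz]SystemsMutex",
                  "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D"}
DELETED_RUN_VALUES = {"Norton Antivirus AV", "KasperskyAVEng", "PandaAVEngine",
                      "Zone Labs Client Ex", "Tiny AV", "EasyAV"}
BACKDOOR_PORT = 6777


def triage(snapshot: dict, baseline_run_values: set) -> dict:
    """Return documented artifacts found in a host snapshot, grouped by kind.

    snapshot keys (all optional): run_values {name: command}, windows_files [...],
    mutexes [...], listening_tcp [...]; baseline_run_values names the Run values
    this host is expected to have (for example its security product's entry).
    """
    findings: dict = {}
    run = snapshot.get("run_values", {})
    cmd = run.get(RUN_VALUE_NAME, "")
    if cmd.lower().rstrip().endswith("lsamgr.exe"):
        findings["autorun"] = [f'{RUN_VALUE_NAME}="{cmd}"']
    files = {f.lower() for f in snapshot.get("windows_files", [])}
    if files & DROPPED_FILES:
        findings["dropped_files"] = sorted(files & DROPPED_FILES)
    mutexes = set(snapshot.get("mutexes", []))
    if mutexes & BAGLE_MUTEXES:
        findings["bagle_mutexes"] = sorted(mutexes & BAGLE_MUTEXES)
    if mutexes & NETSKY_MUTEXES:  # also created by Netsky itself, so corroborating only
        findings["netsky_named_mutexes"] = sorted(mutexes & NETSKY_MUTEXES)
    if BACKDOOR_PORT in snapshot.get("listening_tcp", []):
        findings["backdoor_port"] = [str(BACKDOOR_PORT)]
    # Security-product autoruns the worm deletes: expected on this host but now absent.
    missing = (set(baseline_run_values) & DELETED_RUN_VALUES) - set(run)
    if missing:
        findings["removed_security_autoruns"] = sorted(missing)
    return findings


def sample_snapshot() -> dict:
    """Constructed snapshot of an infected host (not real collection data)."""
    return {
        "run_values": {"LsaManager": r"C:\WINDOWS\system32\lsamgr.exe ",
                       "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        "windows_files": ["lsamgr.exe", "LSAMGR.EXEopen", "notepad.exe", "Wimanager.exe"],
        "mutexes": ["smtp_bagla_1000", "AdmSkynetJklS003"],
        "listening_tcp": [135, 445, 6777],
    }
```

Run `triage(sample_snapshot(), {"ctfmon.exe", "KasperskyAVEng"})` to see every category reported at once, including the Kaspersky autorun the baseline expects but the snapshot lacks.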

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
