Virus Profile: W32/Bagle.du@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/15/2006
Date Added: 2/15/2006
Origin: Unknown
Length: N/A
Type: Virus
Subtype: E-mail worm
DAT Required: 4697

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Propagation via Mail:

The worm reads files with the following extensions to harvest email addresses from the infected system.

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Mailbody:

Constructs an email message with the following characteristics:

From: [SPOOFED]

Subject: (Any of the following)

Will You Be My Valentine?
Love you with all my heart!
See you tonight!
Come Be With Me, my Love!
My dream is coming true!

Message body:  (Any of the following)

Click to attachment to load a picture

Love at the lips was touch
As sweet as I could bear;
And once that seemed too much;
I lived on air
That crossed me from sweet things,
The flow of - was it musk
From hidden grapevine springs
Down hill at dusk?
I had the swirl and ache
From sprays of honeysuckle
That when they're gathered shake
Dew on the knuckle.
I craved strong sweets, but those
Seemed strong when I was young;
The petal of the rose
It was that stung.
Now no joy but lacks salt
That is not dashed with pain
And weariness and fault;
I crave the stain
Of tears, the aftermark
Of almost too much love,
The sweet of bitter bark
And burning clove.
When stiff and sore and scarred
I take away my hand
From leaning on it hard
In grass and sand
The hurt is not enough:
I long for weight and strength
To feel the earth as rough
To all my length.

========================================

Execute attachment to load a movie

A stranger came to the door at eve,
And he spoke the bridegroom fair.
He bore a green-white stick in his hand,
And, for all burden, care.
He asked with the eyes more than the lips
For a shelter for the night,
And he turned and looked at the road afar
Without a window light.
The bridegroom came forth into the porch
With, "Let us look at the sky,
And question what of the night to be,
Stranger, you and I.
"The woodbine leaves littered the yard,
The woodbine berries were blue,
Autumn, yes, winter was in the wind;
"Stranger, I wish I knew."
Within, the bride in the dusk alone
Bent over the open fire,
Her face rose-red with the glowing coal
And the thought of the heart's desire.
The bridegroom looked at the weary road,
Yet saw but her within,
And wished her heart in a case of gold
And pinned with a silver pin.
The bridegroom thought it little to give
A dole of bread, a purse,
A heartfelt prayer for the poor of God,
Or for the rich a curse;
But whether or not a man was asked
To mar the love of two
by harboring woe in the bridal house,
The bridegroom wished he knew.

========================================

Click to attachment to load a movie

I woke up in a white room
with white lace curtains.
Snow covered landscape;
I'm in Memphis for certain
Yesterday, it took over three hours
just to travel the last twenty miles.
But nothing is like my wife's family
always being greeted with smiles
I was hoping for a White Christmas.
You'd be surprise how simple I am.
Be careful what you wish for
God may be listening to your plan.
Most of the nation is covered
with that dangerous and beautiful thing
I am grateful for arriving safely
for my wife's happiness is everything.
She wanted to see her family,
her father, uncles and aunts.
I've kept her in Southwest Texas too long;
this trip I most willingly grant.
So, here we are now
in a snowy southern wonderland.
Waiting for Christmas dinner to come;
a present only my wife can understand

========================================

Attachment: (Any of the following)

love_me.exe
mplay.exe
love_me_now.exe

In some cases, the worm also attaches a harmless text file called "Description.txt", which contains the text:

Order attach

The worm does not send itself to addresses which contain any of the following strings:

@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
@avp.
noreply
local
root@
postmaster@

Propagation via Peer-to-Peer Networks:

W32/Bagle.du@MM copies itself to folders that have the phrase "shar" in their name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.).
To entice users into downloading and executing these files, the worm names its dropped copies after popular applications and pornographic content:

anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe

Creates the following mutexes to prevent NETSKY variants from executing.
This also ensures that only one instance of W32/Bagle.du@MM can run on a computer at any time.

AdmSkynetJklS003
'D'r'o'p'p'e'd'S'k'y'N'e't'
____--->>>>U<<<<--____
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D

Additionally, the worm creates the following mutex to aid its downloading routine:

bagla_magla_super_downloader_1000

The following strings are found inside the worm body:

In a difficult world
In a nameless time
I want to survive
So, you will be mine!!

-- Bagle Author, 29.04.04, Germany.

Methods of Infection

W32/Bagle.du@MM was mass spammed on February 15, 2006.

Aliases

Email-Worm.Win32.Bagle.ae (Kaspersky), W32.Beagle.DS@mm (Symantec), Win32/Bagle.FF (ESET), WORM_BAGLE.EW (Trend Micro)

Virus Characteristics

Note: McAfee AVERT has observed instances of this threat, infected with W32/Sality.o, spreading in the wild.

W32/Bagle.du@MM is a trojan downloader and mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. It also contains backdoor functionality which allows unauthorized remote access.

Upon execution, this worm displays the following fake error message:

It creates copies of itself in the Windows system directory and drops a downloader component in the Windows directory:

%Windir%\%SYSDIR%\lmovie.exe  (copy of the worm)
%Windir%\%SYSDIR%\lmovie.exeopen  (copy of worm plus garbage code)
%Windir%\%SYSDIR%\lmovie.exeopenopen  (copy of worm plus garbage code)
%Windir%\vcualts32.exe  (downloader detected as W32/Bagle.dldr)

Adds the following value to the registry so that it starts automatically when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"MovieM" = "%Windir%\%SYSDIR%\lmovie.exe"

Attempts to create the following registry entry to add its downloader component to the Windows XP firewall exception list, thus allowing it to bypass the firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

"%Windir%\vcualts32.exe" = "%Windir%\vcualts32exe:*:Enabled:ipsec"

Attempts to delete the following values from these two registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

Attempts to download an updated copy of itself from the following URLs:

https://dook.zoo.by/darko/[Removed]zor.php
https://debut.zoo.com/darko/[Removed]50webs.%20./
https://bit.korzo.com/d%20/[Removed]?id_valentine
https://ijj.t1035.com/[Removed]?counter
https://200.81.16.147/[Removed].%20/pr

NOTE: At the time of writing this description, AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site.

Each time the worm runs, it also contacts the URL https://ijj.t35.com.
At the time of writing, this URL contained what appears to be a counter.

W32/Bagle.du@MM also opens a backdoor on TCP port 6777 and listens for commands.
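An added host-triage check (example code, not McAfee's): it looks for the dropped files, the "MovieM" Run value, the firewall exception, the mutexes and the TCP 6777 listener named in this profile. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer, where Get-NetTCPConnection is available.

```powershell
# Added example: look for the W32/Bagle.du@MM artifacts listed in this profile.
$sysDir   = [Environment]::GetFolderPath('System')    # %Windir%\%SYSDIR%
$winDir   = [Environment]::GetFolderPath('Windows')   # %Windir%
$findings = @()

# 1. Dropped files (worm copies and the W32/Bagle.dldr downloader)
foreach ($f in @("$sysDir\lmovie.exe", "$sysDir\lmovie.exeopen",
                 "$sysDir\lmovie.exeopenopen", "$winDir\vcualts32.exe")) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Auto-start value "MovieM" under the HKCU Run key
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['MovieM']) {
    $findings += "Run value MovieM = $($run.MovieM)"
}

# 3. Firewall exception entry for the downloader component
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like '*vcualts32*') { $findings += "Firewall exception: $($p.Name) = $($p.Value)" }
    }
}

# 4. Mutexes from this profile; OpenExisting succeeds only while a process holds the name.
#    Both the session-local and the Global\ namespace are tried (assumption: the worm
#    may create either form).
$mutexes = @('AdmSkynetJklS003', "'D'r'o'p'p'e'd'S'k'y'N'e't'", '____--->>>>U<<<<--____',
             '[SkyNet.cz]SystemsMutex', '_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_',
             '_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_',
             'MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D',
             'bagla_magla_super_downloader_1000')
foreach ($name in $mutexes) {
    foreach ($m in @($name, "Global\$name")) {
        try {
            $h = [System.Threading.Mutex]::OpenExisting($m); $h.Dispose()
            $findings += "Mutex held: $m"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] { }
          catch [System.UnauthorizedAccessException] { $findings += "Mutex exists (access denied): $m" }
    }
}

# 5. Backdoor listener on TCP 6777
$l = Get-NetTCPConnection -LocalPort 6777 -State Listen -ErrorAction SilentlyContinue
if ($l) { $findings += "TCP 6777 listening, owning PID $($l.OwningProcess)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No W32/Bagle.du@MM artifacts found.' }
```

A mutex or listener hit means the worm is currently running; the file and registry hits persist after a reboot and are what to remediate alongside a DAT 4697 or later scan.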


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
