
Win32.Bagle.AE@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Bagle.AE@mm is also known as I-Worm.Bagle.ad, WORM_BAGLE.AE.

Explanation:

The worm comes by mail in the following form:

From: [spoofed]

Subject: one of the following:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Attachment: one of the following names, with a .exe, .scr, .com, .zip, .vbs, .hta or .cpl extension:

Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
Sources

Body text: may contain one or more of the following:

Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
For security reasons attached file is password protected. The password is [password]
For security purposes the attached file is password protected. Password -- [password]
Note: Use password [password] to open archive.
Attached file is protected with the password for security reasons. Password is [password]
In order to read the attach you have to use the following password: [password]
Archive password: [password]
Password - [password]
Password: [password]

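As an added example (not part of the BitDefender write-up), the following Python mail-gateway check tests a message against the three lure indicators listed above: the subject line, the attachment name plus extension, and the body phrasing. The sample messages it builds are constructed for the test, not captured worm mail.

```python
import os
import re
from email import message_from_string
from email.message import EmailMessage
# Lure indicators transcribed from the write-up above (compared case-insensitively).
SUBJECTS = {
    "re: msg reply", "re: hello", "re: yahoo!", "re: thank you!", "re: thanks :)",
    "re: text message", "re: document", "incoming message", "re: incoming message",
    "re: incoming msg", "re: message notify", "notification", "changes..", "update",
    "fax message", "protected message", "re: protected message", "forum notify",
    "site changes", "re: hi", "encrypted document",
}
ATTACH_NAMES = {"information", "details", "text_document", "updates", "readme",
                "document", "info", "moreinfo", "message", "sources"}
ATTACH_EXTS = {".exe", ".scr", ".com", ".zip", ".vbs", ".hta", ".cpl"}
# The body texts all either point at "the attach" or hand over an archive password.
BODY_PATTERNS = [re.compile(r"\battach(ed|ment)?\b", re.I),
                 re.compile(r"\bpassword\b.{0,40}\b\w{3,}\s*$", re.I | re.M)]

def bagle_ae_indicators(raw: str) -> list[str]:
    """Return the lure indicators found in one raw RFC 822 message (empty = none)."""
    msg = message_from_string(raw)
    hits, body = [], []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:  # attachment: name stem AND extension must both be on the lists
            stem, ext = os.path.splitext(fname)
            if stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
                hits.append(f"attachment:{fname}")
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    if any(p.search("\n".join(body)) for p in BODY_PATTERNS):
        hits.append("body")
    return hits

def is_bagle_ae_lure(raw: str) -> bool:
    """Verdict: a listed attachment name plus at least one more indicator."""
    hits = bagle_ae_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2

def build_message(subject: str, body: str, filename: str) -> str:
    """Build a constructed sample message (not a real capture) for exercising the filter."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.invalid", "user@example.invalid", subject
    m.set_content(body)
    m.add_attachment(b"not a real payload", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

A body-only match (most legitimate mail mentions an attachment) is deliberately not enough for a verdict; the attachment name pattern is the strong signal.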
When run, the worm displays a fake error message:

Can't find a viewer associated with the file

and creates one of the following mutexes:

|MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm then creates the following files:

%SYSDIR%\loader_name.exe -- worm executable file
where %SYSDIR% is the Windows system directory (e.g. C:\Windows\System, C:\WinNT\System32)
%SYSDIR%\loader_name.exeopen -- worm copy with some garbage appended
%SYSDIR%\loader_name.exeopenopen -- worm zipped (may be password protected)

It then creates the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
"reg_key"="%SYSDIR%\loader_name.exe"

The key above is re-created ten times per second, so deleting it will not help unless the process (loader_name.exe) is killed first.

The worm tries to remove the following registry keys:

HKCU\Software\Microsoft\Windows\My AV
HKCU\Software\Microsoft\Windows\one Labs Client Ex
HKCU\Software\Microsoft\Windows\9XHtProtect
HKCU\Software\Microsoft\Windows\Antivirus
HKCU\Software\Microsoft\Windows\Special Firewall Service
HKCU\Software\Microsoft\Windows\service
HKCU\Software\Microsoft\Windows\Tiny AV
HKCU\Software\Microsoft\Windows\ICQNet
HKCU\Software\Microsoft\Windows\HtProtect
HKCU\Software\Microsoft\Windows\NetDy
HKCU\Software\Microsoft\Windows\Jammer2nd
HKCU\Software\Microsoft\Windows\FirewallSvr
HKCU\Software\Microsoft\Windows\MsInfo
HKCU\Software\Microsoft\Windows\SysMonXP
HKCU\Software\Microsoft\Windows\EasyAV
HKCU\Software\Microsoft\Windows\PandaAVEngine
HKCU\Software\Microsoft\Windows\Norton Antivirus AV
HKCU\Software\Microsoft\Windows\KasperskyAVEng
HKCU\Software\Microsoft\Windows\SkynetsRevenge
HKCU\Software\Microsoft\Windows\ICQ Net

To mail itself, the worm searches the local hard disk for e-mail addresses inside files with the following extensions:

.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp

and uses its own SMTP engine to resolve the target mail server and to send mail to it, skipping e-mail addresses that contain:

@hotmail, @msn, @microsoft, rating@, f-secur, news, update, anyone@, bugs@, contract@, feste, gold-certs@, help@, info@, nobody@, noone@, kasp, admin, icrosoft, support, ntivi, unix, linux, listserv, certific, sopho, @foo, @iana, free-av, @messagelab, winzip, google, winrar, samples, abuse, panda, cafee, spam, @avp., noreply, local, root@, postmaster@.

The worm also copies itself to directories whose names contain "shar" (for instance P2P shared folders), using one of the following names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

The worm also runs a backdoor listening on port 1234.

Last update 21 November 2011
