Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity MEDIUM
Payload Backdoor, terminates AV update processes
Detection files published
Description created 27 Feb 2004 05:41:00
Description updated 27 Feb 2004 08:13:00
Malware type WORM
Alias
Spreading mechanism
Summary None

W32/Bagle.C@mm

Spreading

When run, this worm copies itself to the Windows System directory using the file name [SYSTEM]\readme.exe. It also extracts and installs two other files:

[SYSTEM]\onde.exe
[SYSTEM]\doc.exe

These are additional components of the worm. ONDE.EXE (18944 bytes) contains the main worm functionality as well as a backdoor. DOC.EXE (1536 bytes) is a program that loads ONDE.EXE as a DLL. ONDE.EXE creates a mutex called imain_mutex to avoid being loaded twice.

Registry keys created by the worm:

HKCU\SOFTWARE\DateTime2\port = [listen port]
HKCU\SOFTWARE\DateTime2\frun = 1
HKCU\SOFTWARE\DateTime2\uid = [random no.]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gouday.exe = [SYSTEM]\readme.exe

The worm contains its own SMTP engine and sends itself to addresses found on the local computer. These addresses are harvested from files with the following extensions: .wab, .txt, .htm, .htm, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb and .sht.

Mail subjects are composed from the following:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee

The attachment is a ZIP file with a random-letter file name. Once the worm has installed itself, it opens a Notepad window and exits.

Payload Details

The worm installs a backdoor on the computer. It listens by default on port 2745. This backdoor can, for example, be used to upload and execute a program.
It attempts to contact the following web sites:
http://permail.uni-muenster.de/scr.php
http://www.songtext.net/de/scr.php
http://www.sportscheck.de/scr.php
It accesses these web addresses with the user ID and port number as parameters; that way the attacker can log which machines are infected and on which port the backdoor listens.
It also looks for and terminates the following processes:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
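The indicators listed in the Spreading and Payload Details sections (the Run-key persistence entry and dropped files, the default backdoor listener on port 2745, and the scr.php check-in to the three web sites) can be turned into a small host and proxy-log triage check. The following is an added example, not code from Lumension or from the worm's analysis; the proxy-log line format and the query parameter names in the sample data are constructed, since the page only states that the user ID and port are passed as parameters.

```python
import re
from urllib.parse import urlparse

# Indicators as listed on the page (check-in parameter names are not given there).
CHECKIN_HOSTS = {"permail.uni-muenster.de", "www.songtext.net", "www.sportscheck.de"}
BACKDOOR_PORT = 2745
RUN_VALUE_NAME = "gouday.exe"               # value name under HKCU\...\CurrentVersion\Run
DROPPED_FILES = {"readme.exe", "onde.exe", "doc.exe"}   # dropped into [SYSTEM]

def run_key_hits(run_values):
    """run_values: (value_name, data) pairs exported from the HKCU Run key."""
    hits = []
    for name, data in run_values:
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME or target in DROPPED_FILES:
            hits.append((name, data))
    return hits

def listener_hits(netstat_lines):
    """netstat_lines: 'netstat -an' style rows; flags a TCP listener on the default backdoor port."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    return [l.strip() for l in netstat_lines
            if (m := pat.match(l)) and int(m.group(1)) == BACKDOOR_PORT]

def checkin_hits(proxy_lines):
    """proxy_lines: '<client> GET <url> <status>' (constructed format); flags scr.php check-ins."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != "GET":
            continue
        u = urlparse(parts[2])
        if u.hostname in CHECKIN_HOSTS and u.path.endswith("/scr.php"):
            hits.append((parts[0], u.hostname, u.query))  # query carries the reported uid/port
    return hits

def triage(run_values, netstat_lines, proxy_lines):
    return {"run_key": run_key_hits(run_values),
            "listener": listener_hits(netstat_lines),
            "checkin": checkin_hits(proxy_lines)}

if __name__ == "__main__":
    # Constructed sample data, not real artifacts; parameter names are placeholders.
    RUN = [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
           ("Gouday.exe", r"C:\WINDOWS\system32\readme.exe")]
    NETSTAT = ["TCP    0.0.0.0:135     0.0.0.0:0   LISTENING",
               "TCP    0.0.0.0:2745    0.0.0.0:0   LISTENING"]
    PROXY = ["10.0.0.7 GET http://www.songtext.net/de/scr.php?uid=12345&port=2745 200",
             "10.0.0.9 GET http://www.songtext.net/de/index.html 200"]
    for kind, found in triage(RUN, NETSTAT, PROXY).items():
        print(kind, found)
```

A hit on the Run key or the listener alone is worth verifying against the dropped-file names and mutex above, since other software may legitimately use a similar value name or port.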

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11