Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Backdoor, terminates AV processes
Detection files published
Description created 28 Feb 2004 01:06:00
Description updated 28 Feb 2004 02:06:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Bagle.E@mm

Spreading

When run, this worm copies itself to the Windows System directory as [SYSTEM]\i1ru74n4.exe. It also extracts and installs two other files:

[SYSTEM]\godo.exe
[SYSTEM]\ii455nj4.exe

These are additional components of the worm. GODO.EXE (18944 bytes) contains the main worm functionality as well as the backdoor. II455NJ4.EXE (1536 bytes) is a small loader that loads GODO.EXE as a DLL. GODO.EXE creates a mutex named imain_mutex so that a second copy of the worm exits instead of running twice.

Registry keys created by the worm:

HKCU\SOFTWARE\DateTime4\port = [listen port]
HKCU\SOFTWARE\DateTime4\frun = 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe = [SYSTEM]\i1ru74n4.exe

The worm contains its own SMTP engine and sends itself to addresses found on the local computer. These addresses are harvested from files with the extensions .wab, .txt, .htm, .html, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb and .sht.

Note: Mails may carry forged FROM: addresses. "You have sent a virus" warnings from mail scanners are therefore usually not correct: the address named in the warning is typically a harvested one, not the infected sender.

Mail subjects are composed from the following:

Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ello!
Ahtung!
The employee

Possible mail bodies:

Subj
Request
Empty
Response
Everything inside the attach
Look it through
Cya

Attachment

The attachment is a zip file with a random letter as its file name. When the worm has installed itself, it opens a Notepad window and exits.
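The artifacts above (dropped files, the Run value, the DateTime4 configuration key, the imain_mutex mutex and the listener on the port recorded in the registry) are exactly what an incident responder checks first on a suspect host. The following read-only PowerShell triage script is an added example; it is not part of the original description and is not Lumension tooling. It assumes that the page's [SYSTEM] placeholder means $env:SystemRoot\System32, that it is run in the session of the user whose HKCU hive the worm wrote to, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later). The 2745 fallback is the default backdoor port given under Payload Details.

```powershell
# Added host-triage example for the W32/Bagle.E@mm artifacts described above.
# Not part of the original description; read-only, makes no changes to the host.
# ASSUMPTIONS: "[SYSTEM]" = $env:SystemRoot\System32; run as the affected user;
# Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

$systemDir = Join-Path $env:SystemRoot 'System32'

# 1. Dropped files: the worm's own copy, the main component and its loader
$fileFindings = foreach ($name in 'i1ru74n4.exe', 'godo.exe', 'ii455nj4.exe') {
    $path = Join-Path $systemDir $name
    [pscustomobject]@{ Indicator = "file $path"; Present = (Test-Path -LiteralPath $path); Value = $null }
}

# 2. Registry: the Run value that restarts the worm at logon, and its own config key
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'rate.exe'
$cfg    = Get-ItemProperty -Path 'HKCU:\SOFTWARE\DateTime4' -ErrorAction SilentlyContinue
$regFindings = @(
    [pscustomobject]@{ Indicator = "$runKey\rate.exe";              Present = [bool]$runVal;           Value = $runVal }
    [pscustomobject]@{ Indicator = 'HKCU:\SOFTWARE\DateTime4\port'; Present = ($null -ne $cfg.port);   Value = $cfg.port }
    [pscustomobject]@{ Indicator = 'HKCU:\SOFTWARE\DateTime4\frun'; Present = ($null -ne $cfg.frun);   Value = $cfg.frun }
)

# 3. Mutex: GODO.EXE creates "imain_mutex" so that a second copy exits immediately.
#    A worm running in this session leaves it in the session-local object namespace.
$mutexPresent = $false
$mutex = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting('imain_mutex', [ref]$mutex)) {
        $mutexPresent = $true
        $mutex.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    $mutexPresent = $true   # the mutex exists but belongs to another security context
}

# 4. Backdoor listener on the port the worm recorded in the registry (default 2745 per Payload Details)
$port = if ($cfg.port) { [int]$cfg.port } else { 2745 }
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
$owner = if ($listener) {
    $p = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    "pid $($listener.OwningProcess) $($p.Name)"
}

# 5. Running processes whose image is one of the dropped files (Get-Process names carry no extension)
$wormProcs = Get-Process | Where-Object { $_.Name -in 'i1ru74n4', 'godo', 'ii455nj4' } |
             ForEach-Object { "$($_.Name) (pid $($_.Id))" }

$findings = @(
    $fileFindings
    $regFindings
    [pscustomobject]@{ Indicator = 'mutex imain_mutex';          Present = $mutexPresent;    Value = $null }
    [pscustomobject]@{ Indicator = "TCP listener on port $port"; Present = [bool]$listener;  Value = $owner }
    [pscustomobject]@{ Indicator = 'worm process running';       Present = [bool]$wormProcs; Value = ($wormProcs -join ', ') }
)

$findings | Format-Table Indicator, Present, Value -AutoSize
if ($findings.Present -contains $true) {
    Write-Warning 'W32/Bagle.E@mm indicators found: isolate the host and preserve the files before remediation.'
}
```

A listener on the registry-recorded port whose owning process is not one of the three dropped names still deserves attention: the loader runs GODO.EXE as a DLL, so the socket can be owned by the loader process rather than by a process named godo.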

Payload Details

The worm installs a backdoor on the computer. By default it listens on TCP port 2745; the port actually in use is stored in the registry value HKCU\SOFTWARE\DateTime4\port. The backdoor can, for example, be used to upload a program to the infected machine and execute it. The worm also attempts to contact the following web sites:

http://permail.uni-muenster.de/scr.php
http://www.songtext.net/scr.php
http://www.sportscheck.de/scr.php

It requests these addresses with the infected host's user ID and backdoor port number as parameters; that way the attacker can log which hosts are infected and on which port each backdoor listens. It also looks for and terminates the following processes (mostly anti-virus updaters and personal-firewall components):

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
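Because every infected host announces itself to one of the three scr.php URLs above, the check-in is a convenient network indicator: a web-proxy log search finds infected clients even where host access is not yet possible. The function below is an added example, not part of the original description. The three hosts and the /scr.php path come from the page; the page does not name the query parameters, so the parameter names in the constructed sample lines ("p" for the port, "id" for the user ID) are assumptions, and the function reports the raw query string instead of depending on them. The log lines are constructed Squid-style records using documentation address ranges, not real traffic.

```powershell
# Added example, not part of the original description: hunt web-proxy logs for the
# W32/Bagle.E@mm check-in requests. Hosts and the /scr.php path are from the page.
# ASSUMPTION: query-parameter names ("p", "id") are not documented on the page and are
# guessed for the sample data only; the function reports the raw query string.

$BagleCheckinHosts = 'permail.uni-muenster.de', 'www.songtext.net', 'www.sportscheck.de'

function Find-BagleCheckin {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Match scheme://<one of the three hosts>/scr.php plus an optional query string anywhere
    # in the line, so the proxy log format (Squid, IIS, Bluecoat, ...) does not matter.
    $hostAlt = ($BagleCheckinHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $re = [regex]"https?://($hostAlt)/scr\.php(?:\?([^\s""]*))?"

    foreach ($line in $LogLines) {
        $m = $re.Match($line)
        if (-not $m.Success) { continue }

        # The first IPv4 address in the line is taken as the client (true for Squid native format)
        $client = if ($line -match '(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)') { $Matches[1] } else { 'unknown' }

        # Split the query string into name/value pairs and flag the default backdoor port
        $query  = $m.Groups[2].Value
        $params = @{}
        foreach ($kv in ($query -split '&' | Where-Object { $_ })) {
            $name, $value = $kv -split '=', 2
            $params[$name] = $value
        }
        [pscustomobject]@{
            Client      = $client
            CheckinHost = $m.Groups[1].Value
            Query       = $query
            HasPort2745 = (@($params.Values) -contains '2745')
        }
    }
}

# Constructed sample (not real traffic): two check-ins from one client, followed by an
# ordinary visit to the sportscheck.de front page that must NOT be reported.
$sampleLog = @(
    '1077930016.123     45 192.0.2.23 TCP_MISS/200 412 GET http://permail.uni-muenster.de/scr.php?p=2745&id=1234567 - DIRECT/198.51.100.1 text/html'
    '1077930017.456     12 192.0.2.23 TCP_MISS/404 380 GET http://www.songtext.net/scr.php?p=2745&id=1234567 - DIRECT/198.51.100.2 text/html'
    '1077930020.001     30 192.0.2.50 TCP_MISS/200 9812 GET http://www.sportscheck.de/ - DIRECT/198.51.100.3 text/html'
)

Find-BagleCheckin -LogLines $sampleLog | Format-Table -AutoSize
```

On the sample data this reports the two requests from 192.0.2.23 and nothing for 192.0.2.50. Matching on the full host plus /scr.php rather than on the host alone matters here: all three sites are legitimate and will appear in proxy logs for ordinary browsing, and a non-default port value in the query is the listener to verify on the client.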

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14