Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Backdoor, terminates AV processes
Detection files: published
Description created: 29 Feb 2004 10:21:00
Description updated: 01 Mar 2004 04:27:00
Malware type: WORM
Alias: none listed
Spreading mechanism: EMAIL, NETWORK, OTHER
Summary: None

W32/Bagle.F@mm

Spreading

When run, this worm copies itself to the Windows System directory as [SYSTEM]\i1ru54n4.exe. It also extracts and installs two other files:

[SYSTEM]\go54o.exe
[SYSTEM]\ii5nj4.exe

These are additional components of the worm. GO54O.EXE (24064 bytes) contains the main worm functionality as well as a backdoor. II5NJ4.EXE (1536 bytes) is a small program that loads GO54O.EXE as a DLL. GO54O.EXE creates a mutex named imain_mutex so that it is not loaded twice.

Registry keys created by the worm:

HKCU\SOFTWARE\Winword\port = [listen port]
HKCU\SOFTWARE\Winword\frun = 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe = [SYSTEM]\i1ru54n4.exe

Share/P2P propagation

This variant differs from the previous one in that it also copies itself to local and shared network drives. The worm looks for folders whose name contains the string "shar" and copies itself into those folders under one of the following names:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, workingKeygen.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Serials.txt.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
Opera 8 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Matrix 3 Revolution English Subtitles.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
ACDSee 9.exe

Note: Folders containing the word "shar" often belong to file-sharing programs such as Kazaa and iMesh, so this also lets the worm spread via P2P software.

Email propagation

The worm contains its own SMTP engine and sends itself to addresses found on the local computer. These addresses are harvested from files with the extensions .wab, .txt, .htm, .xml, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb, .tbb and .sht.

Note: Mails may carry forged FROM: addresses, so "You have sent a virus" warnings from mail scanners are usually not correct.

Mail subjects are chosen from the following:

Hokki =)
Weah, hello! :-)
Weeeeee! ;)))
Hi! :-)
My Name is Frenk
groom
Fotograf
Photoalbum
My photoalbum
Myphotos
My photos
My beautiful person
beautiful
Wau... beautiful (-:
Gallery photos
caroline
Katrina
kleopatra
Caitie
Mary-Anne
Lisa
Bad girl
Julie
Aline
Anna
Barbi
Katrina
Juli
Mary
Mandy
Sara
rebecca
Jammie
kate
Audra
stacy
Rena
Kelley
Tammy
ello! =))
Hey, ya! =))
^_^ meay-meay!
^_^ mew-mew (-:
Hey, dude, it’s me ^_^ :P

Possible mail bodies:

Argh, i don’t like the plaintext :)
Fell free to chat with me I accept all ages.
Don’’’’t worry Idon’’’’t bite........hope to hear from you soon!
If you are going to make me cry, at least be there to wipe away the tears *
Right now the worst thing for you to tell me that I can find someone better than you, especially when you are all I want
You don’t know what you’ve got till it’s gone *
You hurt me more than I deserve, how can you be so cruel? I love you more than you deserve, how can I be such a fool?
I sit with elders of a gentle race, whose world is seldom seen. Who sit and talk of days for which they wait, when all will be revealed. (These are song lyrics.)
I’m a social butterfly and a natural flirt. Very hard to get my complete attention. Very open and will answer almost anything. But please don’t piss me off. I can be sweet and cuddly or a whatever mood I am in that day so every day
Love the outdoors, literature, writing, and athletics
When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I’ll Be Okay For Now, I’ll Just Live In The Memories Of Our Life Together
I enjoy clean conversations but am open to conversing with women and men with little ones as well. I am very open-minded. All authorization requests will be denied if I don’t receive messages and get to know you first.
I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named from the movie ’Friday’ and he lives up to it!).
Life is ever changing, never always easy...i love to chat to just about anyone!!
If I’m online, it problably means I’m pretty bored....so feel free to message me and say hi or whatever else comes to mind at the moment.
Hey people whats goin on? If there is anything you want to know about me ask me... I am pretty easygoing I won’t bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don’t even ask.....Ciao...
Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music, movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin’!!
I love to dance, read poetry, make people laugh, and hug as many people a day as i can.
Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science in Computer Information Systems Love the internet.
My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include fishing and camping. I love cats, unicorns(go figure), and fantasy in general.
I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian, currently getting my Master’s in International Business in USA. Favorite actor: Michael Dudikoff
i’m tall and skiny I’m studying in Pharm. D program in FL. i like music, movie, dancing, sports, SCUBA diving, traveling and make a lot friends.
Nice friends, nice men, nice sex and feeling great. I don’t mind the odd bout of cybersex as I love to use my imagination when I masterbate.
Hey, guys! by the way, I have no problems with my sexual life, so it’s absolutly useless try to have icq sex or things like that. Thanks
I’m an open minded person and enjoy chatting w/ other people. I’m free and willing to chat about anything. So feel free to Imed me if you wanna chat.
I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you.
I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places.
I’m married and I stay at home. And I don’t do cyber sex so leave me the fuck alone Looking forward for a response :P

Attachment

The attachment is a zip file with one of the following file names:

Picture
caroline
Katrina
kleopatra
Caitie
Mary-Anne
Lisa
Bad girl
Julie
Aline
Anna
Barbi
Katrina
Juli
Mary
Mandy
Sara
rebecca
Jammie
kate
Audra
stacy
Rena
Kelley
Tammy
myfotos
Gallery
It_I
Photoalbum
Photomontage

Extension: the file extension is either ZIP, EXE or SCR.

When the worm arrives as a ZIP file, the ZIP has roughly a 50% chance of being password-protected with a string of five random digits. This can make it hard for antivirus mail scanners to detect the worm purely from the zip contents. In these cases the mail body contains one of the following statements:

archive password:[5 digits]
password:[5 digits]
pass:[5 digits]
password for archive:[5 digits]
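As an added example (not part of the Lumension description), a Python mail-gateway heuristic that flags the traits described above: a subject or attachment name from the lists, an executable attachment, and, weighted highest, a password-protected ZIP whose five-digit password is quoted in the body. The subject and name sets are a subset of the lists above; the sample messages and ZIP headers are constructed.

```python
import re
import struct
from collections import namedtuple

# Subset of the subjects and attachment names listed in the description above.
KNOWN_SUBJECTS = {"Hokki =)", "Hi! :-)", "My photos", "Gallery photos", "Photoalbum", "Katrina"}
KNOWN_STEMS = {"picture", "photoalbum", "photomontage", "myfotos", "gallery", "caroline", "katrina"}
# Body phrases from the description: "archive password: 12345", "password: 12345", "pass: 12345", ...
PASSWORD_RE = re.compile(r"\b(?:archive password|password for archive|password|pass)\s*:\s*(\d{5})\b", re.I)
Mail = namedtuple("Mail", "subject body attachments")  # attachments: (file name, raw bytes or None) pairs

def zip_is_encrypted(data):
    # Bit 0 of the general-purpose flags in the first local file header marks an encrypted entry.
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 1)

def extract_zip_password(body):
    # Returns the five-digit password quoted in the body, or None if there is none.
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None

def classify(mail):
    # Weighted traits: an encrypted zip whose password is quoted in the body is decisive on its own.
    hits = []
    if mail.subject.strip() in KNOWN_SUBJECTS:
        hits.append((1, "subject on Bagle.F list"))
    password = extract_zip_password(mail.body)
    for name, data in mail.attachments:
        stem, _, ext = name.lower().rpartition(".")
        if ext in ("exe", "scr"):
            hits.append((2, f"executable attachment {name}"))
        elif ext == "zip" and data is not None and zip_is_encrypted(data) and password:
            hits.append((3, f"encrypted zip {name}, password {password} quoted in body"))
        if ext in ("zip", "exe", "scr") and stem in KNOWN_STEMS:
            hits.append((1, f"attachment name {name} on Bagle.F list"))
    score = sum(points for points, _ in hits)
    return ("quarantine" if score >= 3 else "deliver"), score, [reason for _, reason in hits]

# Constructed samples: minimal ZIP local file headers with and without the encryption bit set.
ENCRYPTED_ZIP = b"PK\x03\x04\x14\x00\x01\x00\x08\x00" + b"\x00" * 20
PLAIN_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
SAMPLES = [
    Mail("Hi! :-)", "Don't worry I don't bite.\narchive password: 48213", [("Katrina.zip", ENCRYPTED_ZIP)]),
    Mail("Gallery photos", "see attached", [("Gallery.zip", PLAIN_ZIP)]),
    Mail("Q3 report", "figures attached", [("report.pdf", None)]),
]
```

Running `classify` over SAMPLES quarantines only the first message; a real gateway would read the flag from the actual attachment bytes rather than the constructed headers used here.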

Payload Details

The worm installs a backdoor on the computer, listening by default on port 2745. This backdoor can, for example, be used to upload and execute a program.

It attempts to contact the following web sites:

http://postertog.de/scr.php
http://www.gfotxt.net/scr.php
http://www.mailklibis.de/scr.php

It requests these addresses with the user ID and the backdoor port number as parameters; that way the attacker can log who is vulnerable and on which port.

It also looks for and terminates the following processes, mostly belonging to antivirus and firewall update tools:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11