Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Bagle.N@mm

Overview

Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Payload Backdoor functionality/terminates security software
Detection files published
Description created 13 Mar 2004 01:04:00
Description updated 14 Mar 2004 08:49:00
Malware type WORM
Alias
Spreading mechanism EMAIL
FILE_INFECTION
NETWORK
OTHER
Summary None

W32/Bagle.N@mm

Spreading

When executed, this virus will copy itself to the Windows System directory using the name WINUPD.EXE, and add a registry key to start from bootup. Registry keys created by the virus: HKCUSoftwareCurrentVersionMicrosoftWindows   Run [random] = winupd.exe Registry keys deleted by the virus: Any HKCUSoftwareCurrentVersionMicrosoftWindowsRun and HKLMSoftwareCurrentVersionMicrosoftWindows   Run entry containing any of the following strings: "My AV" "Zone Labs Client Ex" "9XHtProtect" "Antivirus" "Special Firewall Service" "service" "Tiny AV" "ICQNet" "HtProtect" "ICQ Net" The virus traverses local and remote drives looking for email addresses in files of following type: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp It will avoid addresses containing the strings below: @hotmail.com @msn @microsoft anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ rating@ kasp admin icrosoft support ntivi unix bsd linux listserv certific samples sopho @foo @iana free-av @messagelab winzip google winrar abuse panda cafee spam pgp @avp. noreply local root@ postmaster@ f-secur Spreading via network/file-sharing software The virus copies itself into folders containing the string "shar" using the names below. Such folders will often belong to filesharing software, thus enabling the worm to spread via Kazaa, IMesh etc. Microsoft Office 2003 Crack, Working!.exe Microsoft Windows XP, WinXP Crack, working Keygen.exe Microsoft Office XP working Crack, Keygen.exe Porno, sex, oral, anal cool, awesome!!.exe Porno Screensaver.scr Serials.txt.exe Porno pics arhive, xxx.exe Windows Sourcecode update.doc.exe Ahead Nero 7.exe Windown Longhorn Beta Leak.exe Opera 8 New!.exe XXX hardcore images.exe WinAmp 6 New!.exe WinAmp 5 Pro Keygen Crack Update.exe Adobe Photoshop 9 full.exe Matrix 3 Revolution English Subtitles.exe ACDSee 9.exe File infection During the directory traversal, the virus also looks for and infects EXE files, which will grow by approximately 21kb. Infected files will, when run, extract, install and run the virus. Email propagation The virus may send itself as a password-protected archive attachment to mail. The password is, in contrast to previous variants, not mentioned in the mail as text, but is inserted as a picture in the mail. There are two main mail variants the virus sends. Possible email composition, variant 1 1. Subject Re: Msg reply Re: Hello Re: Yahoo! Re: Thank you! Re: Thanks :) RE: Text message Re: Document Incoming message Re: Incoming Message Re: Incoming Fax Hidden message Fax Message Received Protected message RE: Protected message Forum notify Request response Site changes Re: Hi Encrypted document 2. Body text Read the attach. Your file is attached. More info in attach See attach. Follow the wabbit. Find the white rabbit. Please, have a look at the attached file. See the attached file for details. Message is in attach Here is the file. Possible email composition, variant 2 1. Subject E-mail account security warning. Notify about using the e-mail account. Warning about your e-mail account. Important notify about your e-mail account. Email account utilization warning. E-mail technical support message. E-mail technical support warning. Email report Important notify Account notify E-mail warning Notify from e-mail technical support. Notify about your e-mail account utilization. E-mail account disabling warning. 2. Body text 2.1 Introduction: Dear user of [recipient domain], Dear user of [recipient domain] e-mail server gateway, Dear user of e-mail server "[recipient domain]", Hello user of [recipient domain] e-mail server, Dear user of "[recipient domain]" mailing system, Dear user, the management of [recipient domain] mailing system wants to let you know that,2.2 Main body text Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service. Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please,resign your account information. We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions. Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software. Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions. 2.3 Encouragement to open the attachment: For more information see the attached file. Further details can be obtained from attached file. Advanced details can be found in attached file. For details see the attach. For details see the attached file. For further details see the attach. Please, read the attach for further details. Pay attention on attached file. 2.4 Ending The Management, Sincerely, Best wishes, Yours, Have a good day, Cheers, Kind regards, The [recipient domain] team http://www.[recipient domain] The attachment can be a password-protected archive. If it is, there is about 90% chance that this will be a ZIP file, if not it is of RAR format. One of the following sentences will then be present in the mail: 3. Password string For security reasons attached file is password protected. The password is [image] For security purposes the attached file is password protected. Password -- [image] Note: Use password [image] to open archive. Attached file is protected with the password for security reasons. Password is [image] In order to read the attach you have to use the following password: [image] Archive password: [image] Password - [image]  Password: [image]  4. Attachment name: Attach Information Details Encrypted first_part Readme Document Info TextDocument Text details Gift text_document pub_document MoreInfo Message File name inside the archives will be a random character string. 5. Attachment extension: .RAR .ZIP .EXE .PIF The password image that is sent along with the mail may be of JPG or GIF extension if the virus finds the GDIPLUS.DLL on the infected machine, if not the image is of BMP type.

Payload Details

This virus looks for and terminates the following processes: CLEANER3.EXE au.exe d3dupdate.exe CLEANPC.EXE AVprotect9x.exe CMGRDIAN.EXE CMON016.EXE CPF9X206.EXE CPFNT206.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE ICSSUPPNT.EXE DEFWATCH.EXE DEPUTY.EXE DPF.EXE DPFSETUP.EXE DRWATSON.EXE ENT.EXE ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE ESCANV95.EXE AVPUPD.EXE EXANTIVIRUS-CNET.EXE FAST.EXE FIREWALL.EXE FLOWPROTECTOR.EXE FP-WIN_TRIAL.EXE FRW.EXE FSAV.EXE AUTODOWN.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE GBMENU.EXE GBPOLL.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HTLOG.EXE HWPE.EXE IAMAPP.EXE IAMAPP.EXE IAMSERV.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFW2000.EXE IPARMOR.EXE IRIS.EXE JAMMER.EXE ATUPDATER.EXE AUPDATE.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE BORG2.EXE BS120.EXE CDP.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE AUTOUPDATE.EXE CFINET.EXE NAVAPW32.EXE NAVDX.EXE NAVSTUB.EXE NAVW32.EXE NC2000.EXE NCINST4.EXE AUTOTRACE.EXE NDD32.EXE NEOMONITOR.EXE NETARMOR.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NORTON_INTERNET_SECU_3.0_407.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NSCHED32.EXE NTVDM.EXE NVARCH16.EXE KERIO-WRP-421-EN-WIN.EXE KILLPROCESSSETUP161.EXE LDPRO.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LSETUP.EXE OUTPOST.EXE CFIAUDIT.EXE LUCOMSERVER.EXE AGENTSVR.EXE ANTI-TROJAN.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATWATCH.EXE AVCONSOL.EXE AVGSERV9.EXE AVSYNMGR.EXE BD_PROFESSIONAL.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BOOTWARN.EXE NWINST4.EXE NWTOOL16.EXE OSTRONET.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PAVPROXY.EXE DRWEBUPW.EXE PCC2002S902.EXE PCC2K_76_1436.EXE PCCIOMON.EXE PCDSETUP.EXE PCFWALLICON.EXE PCFWALLICON.EXE PCIP10117_0.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PF2.EXE AVLTMAIN.EXE PFWADMIN.EXE PINGSCAN.EXE PLATIN.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PROCEXPLORERV1.0.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE WGFE95.EXE WHOSWATCHINGME.EXE AVWUPD32.EXE NUPGRADE.EXE WHOSWATCHINGME.EXE WINRECON.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE CFINET32.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CMGRDIAN.EXE CMON016.EXE CPD.EXE CFGWIZ.EXE CFIADMIN.EXE PURGE.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAV8WIN32ENG.EXE REGEDT32.EXE REGEDIT.EXE UPDATE.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCN95.EXE RULAUNCH.EXE SAFEWEB.EXE SBSERV.EXE SD.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SMC.EXE SOFI.EXE SPF.EXE SPHINX.EXE SPYXX.EXE SS3EDIT.EXE ST2.EXE SUPFTRL.EXE LUALL.EXE SUPPORTER5.EXE SYMPROXYSVC.EXE SYSEDIT.EXE TASKMON.EXE TAUMON.EXE TAUSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS2-98.EXE TDS2-NT.EXE TDS-3.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE UNDOBOOT.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VFSETUP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCENU6.02D30.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBSCANX.EXE CFIAUDIT.EXE CFINET.EXE ICSUPP95.EXE MCUPDATE.EXE CFINET32.EXE CLEAN.EXE CLEANER.EXE LUINIT.EXE MCAGENT.EXE MCUPDATE.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGUI.EXE MINILOG.EXE MOOLIVE.EXE MRFLUX.EXE MSCONFIG.EXE MSINFO32.EXE MSSMMC32.EXE MU0311AD.EXE NAV80TRY.EXE ZAUINST.EXE ZONALM2601.EXE ZONEALARM.EXE It also sets up a listening thread on port 2556, allowing an attacker to upload and execute programs.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15