Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity MEDIUM
Payload Backdoor
Detection files published
Description created 19 Jul 2004 12:46:00
Description updated 19 Jul 2004 12:46:00
Malware type WORM
Alias W32/Bagle.AI
Spreading mechanism EMAIL
Summary None

W32/Bagle.AH@mm

Spreading

When Bagle.AH executes it copies itself to %SYSTEM% as:
  winxp.exe
  winxp.exeopen
  winxp.exeopenopen
  winxp.exeopenopenopen
  winxp.exeopenopenopenopen

It then creates the following registry entry to ensure it is started with Windows:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\key = "C:\WINDOWS\SYSTEM\winxp.exe"

Bagle.AH will then delete the following entries from the registry in an attempt to remove Netsky variants:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\My AV
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client Ex
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Special Firewall Service
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\service
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Tiny AV
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetDv
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Jammer2nd
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsInfo
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAVEng
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\My AV
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client Ex
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Special Firewall Service
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tiny AV
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetDv
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jammer2nd
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsInfo
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysMonXP
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAVEng
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net

The worm will also create the following mutexes in order to prevent Netsky from running:

  MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  'D'r'o'p'p'e'd'S'k'y'N'e't'
  _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  [SkyNet.cz]SystemsMutex
  AdmSkynetJklS003
  ____--->>>>U_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Bagle.AH then harvests email addresses from files with the following extensions:

  .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

Email addresses containing any of these strings are ignored:

  @hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

The worm then begins its mass mailing routine. Mails may have the following characteristics:

Subject:
  Re:

Body (one of):
  >foto3 and MP3
  >fotogalary and Music
  >fotoinfo
  >Lovely animals
  >Animals
  >Predators
  >The snake
  >Screen and Music

If the attachment is a .zip file then a password may be included in the mail, introduced by one of:
  Password:
  Pass-
  Key-

Attachment name (one of):
  MP3
  Music_MP3
  New_MP3_Player
  Cool_MP3
  Garry
  Cat
  Dog
  Fish

The attachment extension can be any of the following:
  .cpl
  .com
  .zip (password protected)
  .exe
  .scr

Finally, Bagle.AH will also copy itself to folders containing 'shar' in the name. Possible filenames include:

  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Microsoft Office XP working Crack, Keygen.exe
  Porno, sex, oral, anal cool, awesome!!.exe
  Porno Screensaver.scr
  Serials.txt.exe
  KAV 5.0 Kaspersky Antivirus 5.0
  Porno pics arhive, xxx.exe
  Windows Sourcecode update.doc.exe
  Ahead Nero 7.exe
  Windown Longhorn Beta Leak.exe
  Opera 8 New!.exe
  XXX hardcore images.exe
  WinAmp 6 New!.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  Adobe Photoshop 9 full.exe
  Matrix 3 Revolution English Subtitles.exe
  ACDSee 9.exe

Payload Details

Bagle.AH@mm kills processes associated with Windows, security software and other malware. It also creates a backdoor, which listens on TCP port 1080 and UDP port 1040. Once the backdoor has been started, Bagle will attempt to notify the author that the infected machine has been compromised.
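The following Python script is an added defender-side example, not part of the Lumension description and not a Lumension tool. It turns the host indicators from the Spreading section (dropped file names, the Run entry, the Netsky-blocking mutexes) and the backdoor ports from this section into triage checks, plus a mail-gateway check for the worm's fixed subject, body, attachment name and extension. The input shapes (tuples for autorun entries and listeners, a list of mutex names) are assumptions made for the example, and the sample data in main() is constructed rather than taken from a real host.

```python
"""Host and mail triage checks for the W32/Bagle.AH@mm indicators above.

Indicator values (dropped file names, Run value, mutexes, ports, mail
characteristics) are taken from the description. Input formats and the
sample data in main() are assumptions constructed for this example.
"""

# Copies the worm drops into %SYSTEM%: winxp.exe plus four "open"-suffixed variants.
DROPPED_FILES = {"winxp.exe" + "open" * i for i in range(5)}

# The worm writes value "key" under the HKCU Run key; the check below also
# accepts the HKLM hive and any value name, matching on the target file only.
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Mutexes the worm creates to keep Netsky from running; any of them on a host
# points at Bagle.AH or at Netsky itself.
NETSKY_MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}

# Backdoor listeners as (protocol, port).
BACKDOOR_PORTS = {("tcp", 1080), ("udp", 1040)}

# Mail template: fixed subject, one of eight bodies, eight attachment stems,
# five extensions (.zip attachments may additionally be password protected).
MAIL_SUBJECT = "re:"
MAIL_BODIES = {
    ">foto3 and MP3", ">fotogalary and Music", ">fotoinfo", ">Lovely animals",
    ">Animals", ">Predators", ">The snake", ">Screen and Music",
}
ATTACHMENT_STEMS = {s.lower() for s in (
    "MP3", "Music_MP3", "New_MP3_Player", "Cool_MP3", "Garry", "Cat", "Dog", "Fish")}
ATTACHMENT_EXTS = {".cpl", ".com", ".zip", ".exe", ".scr"}


def _basename(path):
    """Lower-cased final component of a (possibly quoted) Windows path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_values(run_values):
    """run_values: iterable of (key_path, value_name, data) from an autorun dump.

    Returns the entries under a Run key whose target is one of the dropped files."""
    hits = []
    for key_path, value_name, data in run_values:
        if (key_path.lower().endswith(RUN_KEY_SUFFIX.lower())
                and _basename(data) in DROPPED_FILES):
            hits.append((key_path, value_name, data))
    return hits


def check_mutexes(mutex_names):
    """Return the subset of mutex_names that belongs to the Netsky-blocking set."""
    return set(mutex_names) & NETSKY_MUTEXES


def check_listeners(listeners):
    """listeners: iterable of (protocol, port, image_name). Returns backdoor-port hits."""
    return [entry for entry in listeners
            if (entry[0].lower(), entry[1]) in BACKDOOR_PORTS]


def check_mail(subject, body, attachment_name):
    """True when subject, body and attachment all match the worm's mail template."""
    stem, dot, ext = attachment_name.rpartition(".")
    if not dot:
        return False
    return (subject.strip().lower() == MAIL_SUBJECT
            and body.strip() in MAIL_BODIES
            and stem.lower() in ATTACHMENT_STEMS
            and "." + ext.lower() in ATTACHMENT_EXTS)


def main():
    # Constructed sample data, not taken from a real host.
    hkcu_run = "HKCU" + RUN_KEY_SUFFIX
    run_values = [
        (hkcu_run, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
        (hkcu_run, "key", r'"C:\WINDOWS\SYSTEM\winxp.exe"'),
    ]
    mutexes = ["Global\\SomeApp", "AdmSkynetJklS003"]
    listeners = [("tcp", 445, "System"), ("tcp", 1080, "winxp.exe")]
    print("autorun hits:", check_run_values(run_values))
    print("mutex hits:", check_mutexes(mutexes))
    print("listener hits:", check_listeners(listeners))
    print("mail matches:", check_mail("Re:", ">fotoinfo", "Cat.scr"))


if __name__ == "__main__":
    main()
```

The autorun check deliberately matches on the dropped file name rather than on the value name "key" alone, since the file names are the more stable indicator; a listener hit on 1080/TCP or 1040/UDP is only suggestive on its own (1080 is also the common SOCKS port) and should be read together with the image name and the other checks.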

Analysis

n/a

Removal

The worm was detected proactively by Lumension Sandbox as W32/P2PWorm.


Last Updated: 12 Nov 2015 11:06:15