Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload: n/a
Detection files published: 08 Aug 2004 03:00:00
Description created: 09 Aug 2004 12:27:00
Description updated: 09 Aug 2004 12:27:00
Malware type: WORM
Alias: Win32.Bagle.AG [Computer Associates]
       W32/Bagle.AJ@mm [F-Secure]
       W32/Bagle.aq@MM [Network Associates]
       W32/Bagle.AM.worm [Panda]
       W32/Bagle-AQ [Sophos]
       W32.Beagle.AO@mm [Symantec]
       WORM_BAGLE.AC [Trend Micro]
Spreading mechanism: EMAIL
Summary: None

W32/Bagle.AI@mm

Spreading

Bagle.AI is spread via a zip archive which contains two files, price.html and price.exe. When run, price.exe creates the following registry entries to ensure it is started with Windows:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
      win_upd2.exe = "%SYSTEM%\WINdirect.exe"
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
      win_upd2.exe = "%SYSTEM%\WINdirect.exe"

price.exe also drops a file named _dll.exe, which attempts to download Bagle.AI to %WINDIR%\~.exe and launch it. _dll.exe contacts one of the following URLs to download Bagle.AI (the list is reproduced as the worm carries it, duplicates included):

   http://polobeer.de/
   http://r2626r.de/
   http://kooltokyo.ru/
   http://mmag.ru/
   http://advm1.gm.fh-koeln.de/
   http://evadia.ru/
   http://megion.ru/
   http://molinero-berlin.de/
   http://dozenten.f1.fhtw-berlin.de/
   http://shadkhan.ru/
   http://sacred.ru/
   http://kypexin.ru/
   http://www.gantke-net.com/
   http://www.mcschnaeppchen.com/
   http://www.rollenspielzirkel.de/
   http://134.102.228.45/
   http://196.12.49.27/
   http://aus-Zeit.com/
   http://lottery.h11.ru/
   http://herzog.cs.uni-magdeburg.de/
   http://yaguark.h10.ru/
   http://213.188.129.72/
   http://thorpedo.us/
   http://szm.sk/
   http://lars-s.privat.t-online.de/
   http://www.no-abi2003.de/
   http://www.mdmedia.org/
   http://abi-2004.org/
   http://sovea.de/
   http://www.porta.de/
   http://matzlinger.com/
   http://pocono.ru/
   http://controltechniques.ru/
   http://alexey.pioneers.com.ru/
   http://momentum.ru/
   http://omegat.ru/
   http://www.perfectgirls.net/
   http://porno-mania.net/
   http://colleen.ai.net/
   http://ourcj.com/
   http://free.bestialityhost.com/
   http://slavarik.ru/
   http://burn2k.ipupdater.com/
   http://carabi.ru/
   http://spbbook.ru/
   http://binn.ru/
   http://sbuilder.ru/
   http://protek.ru/
   http://www.PlayGround.ru/
   http://celine.artics.ru/
   http://www.artics.ru/
   http://www.laserbuild.ru/
   http://www.lamatec.com/
   http://www.sensi.com/
   http://www.oldtownradio.com/
   http://www.youbuynow.com/
   http://64.62.172.118/
   http://www.tayles.com/
   http://dodgetheatre.com/
   http://www.thepositivesideofsports.com/
   http://www.bridesinrussia.com/
   http://fairy.dataforce.net/
   http://www.pakwerk.ru/
   http://home.profootball.ru/
   http://www.ankil.ru/
   http://www.ddosers.net/
   http://tarkosale.net/
   http://www.boglen.com/
   http://change.east.ru/
   http://www.teatr-estrada.ru/
   http://www.glass-master.ru/
   http://www.zeiss.ru/
   http://www.sposob.ru/
   http://www.glavriba.ru/
   http://alfinternational.ru/
   http://euroviolence.com/
   http://www.webronet.com/
   http://www.virtmemb.com/
   http://www.infognt.com/
   http://www.vivamedia.ru/
   http://www.zelnet.ru/
   http://www.dsmedia.ru/
   http://www.vendex.ru/
   http://www.elit-line.ru/
   http://pixel.co.il/
   http://www.milm.ru/
   http://dev.tikls.net/
   http://www.met.pl/
   http://www.strefa.pl/
   http://kafka.punkt.pl/
   http://www.rubikon.pl/
   http://www.neostrada.pl/
   http://werel1.web-gratis.net/
   http://www.tuhart.net/
   http://www.antykoncepcja.net/
   http://www.dami.com.pl/
   http://vip.pnet.pl/
   http://www.webzdarma.cz/
   http://emnesty.w.interia.pl/
   http://niebo.net/
   http://strony.wp.pl/
   http://sec.polbox.pl/
   http://www.phg.pl/
   http://emnezz.e-mania.pl/
   http://www.republika.pl/
   http://www.silesianet.pl/
   http://www.republika.pl/
   http://tdi-router.opola.pl/
   http://republika.pl/
   http://infokom.pl/
   http://silesianet.pl/
   http://terramail.pl/
   http://silesianet.pl/
   http://www.iluminati.kicks-ass.net/
   http://www.dilver.ru/
   http://www.yarcity.ru/
   http://www.scli.ru/
   http://www.elemental.ru/
   http://diablo.homelinux.com/
   http://www.interrybflot.ru/
   http://www.webpark.pl/
   http://www.rafani.cz/
   http://gutemine.wu-wien.ac.at/
   http://przeglad-tygodnik.pl/
   http://przeglad-tygodnik.pl/
   http://pb195.slupsk.sdi.tpnet.pl/
   http://www.ciachoo.pl/
   http://cavalierland.5u.com/
   http://www.nefkom.net/
   http://rausis.latnet.lv/
   http://www.hgr.de/
   http://www.airnav.com/
   http://www.astoria-stuttgart.de/
   http://ultimate-best-hgh.0my.net/
   http://wynnsjammer.proboards18.com/
   http://www.jewishgen.org/
   http://www.hack-gegen-rechts.com/
   http://host.wallstreetcity.com/
   http://quotes.barchart.com/
   http://www.aannemers-nederland.nl/
   http://www.sjgreatdeals.com/
   http://financial.washingtonpost.com/
   http://www.biratnagarmun.org.np/
   http://hsr.zhp.org.pl/
   http://traveldeals.sidestep.com/
   http://www.hbz-nrw.de/
   http://www.ifa-guide.co.uk/
   http://www.inversorlatino.com/
   http://www.zhp.gdynia.pl/
   http://host.businessweek.com/
   http://packages.debian.or.jp/
   http://www.math.kobe-u.ac.jp/
   http://www.k2kapital.com/
   http://www.tanzen-in-sh.de/
   http://www.wapf.com/
   http://www.hgrstrailer.com/
   http://www.forbes.com/
   http://www.oshweb.com/
   http://www.rumbgeo.ru/
   http://www.dicto.ru/
   http://www.busheron.ru/
   http://www.omnicom.ru/
   http://www.teleline.ru/
   http://www.dynex.ru/
   http://www.gamma.vyborg.ru/
   http://nominal.kaliningrad.ru/
   http://www.baltmatours.com/
   http://www.interfoodtd.ru/
   http://www.baltnet.ru/
   http://www.neprifan.ru/
   http://photo.gornet.ru/
   http://www.aktor.ru/
   http://catalog.zelnet.ru/
   http://www.sdsauto.ru/
   http://www.gradinter.ru/
   http://www.avant.ru/
   http://www.porsa.ru/
   http://www.taom-clan.de/
   http://www.perfectjewel.com/
   http://www.vrack.net/
   http://www.netradar.com/
   http://www.pgipearls.com/
   http://www.vconsole.net/
   http://www.ccbootcamp.com/
   http://host23.ipowerweb.com/
   http://www.timelessimages.com/
   http://www.peterstar.ru/
   http://www.5100.ru/
   http://www.gin.ru/
   http://www.rweb.ru/
   http://www.metacenter.ru/
   http://www.biysk.ru/
   http://www.free-time.ru/
   http://www.rastt.ru/
   http://www.chelny.ru/
   http://www.chat4adult.com/
   http://www.landofcash.net/
   http://relay.great.ru/
   http://www.kefaloniaresorts.com/
   http://www.epski.gr/
   http://www.myrtoscorp.com/
   http://www.aphel.de/
   http://www.intellect.lvc/
   http://www.abcdesign.ru/

_dll.exe also terminates processes with these names (mostly antivirus and firewall updaters):

   FIREWALL.EXE
   ATUPDATER.EXE
   winxp.exe
   sys_xp.exe
   sysxp.exe
   LUALL.EXE
   DRWEBUPW.EXE
   AUTODOWN.EXE
   NUPGRADE.EXE
   OUTPOST.EXE
   ICSSUPPNT.EXE
   ICSUPP95.EXE
   ESCANH95.EXE
   AVXQUAR.EXE
   ESCANHNT.EXE
   ATUPDATER.EXE
   AUPDATE.EXE
   AUTOTRACE.EXE
   AUTOUPDATE.EXE
   AVXQUAR.EXE
   AVWUPD32.EXE
   AVPUPD.EXE
   CFIAUDIT.EXE
   UPDATE.EXE
   NUPGRADE.EXE
   MCUPDATE.EXE

When _dll.exe launches ~.exe (the downloaded Bagle.AI), ~.exe copies itself to the %SYSTEM% folder as:

   windll.exe
   windll.exeopen
   windll.exeopenopen

The worm also creates the following registry value, which would normally ensure the worm is started with Windows, but because the key name is mistyped (Ru1n instead of Run) Windows never reads it and the value is useless:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n\
      erthgdr = "%SYSTEM%\windll.exe"

Bagle.AI deletes the following values from both HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ and HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ in an attempt to remove various Netsky variants:

   My AV
   Zone Labs Client Ex
   9XHtProtect
   Antivirus
   Special Firewall Service
   service
   Tiny AV
   ICQNet
   HtProtect
   NetDv
   Jammer2nd
   FirewallSvr
   MsInfo
   SysMonXP
   EasyAV
   PandaAVEngine
   Norton Antivirus AV
   KasperskyAVEng
   SkynetsRevenge
   ICQ Net

The worm also creates the following mutexes in order to prevent Netsky from running (Netsky checks for these to avoid running twice, so their presence keeps it from starting at all):

   MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   'D'r'o'p'p'e'd'S'k'y'N'e't'
   _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   [SkyNet.cz]SystemsMutex
   AdmSkynetJklS003
   ____--->>>>U_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Bagle.AI then harvests email addresses from files with the following extensions:

   .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

Email addresses containing any of these strings are ignored (the worm avoids mailing security vendors, mail providers and role accounts likely to report it):

   @hotmail @msn @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

The worm then begins its mass mailing routine. Emails have the following characteristics:

   Subject: (none)
   Body: New Price
   Attachment: one of
      price_08.zip
      price.zip
      price2.zip
      new_price.zip
      price_new.zip
      08_price.zip
      new__price.zip
      newprice.zip

Finally, Bagle.AI also copies itself to folders containing 'shar' in the pathname (typically peer-to-peer and network share folders). Possible filenames include:

   Microsoft Office 2003 Crack, Working!.exe
   Microsoft Windows XP, WinXP Crack, working Keygen.exe
   Microsoft Office XP working Crack, Keygen.exe
   Porno, sex, oral, anal cool, awesome!!.exe
   Porno Screensaver.scr
   Serials.txt.exe
   KAV 5.0
   Kaspersky Antivirus 5.0
   Porno pics arhive, xxx.exe
   Windows Sourcecode update.doc.exe
   Ahead Nero 7.exe
   Windown Longhorn Beta Leak.exe
   Opera 8 New!.exe
   XXX hardcore images.exe
   WinAmp 6 New!.exe
   WinAmp 5 Pro Keygen Crack Update.exe
   Adobe Photoshop 9 full.exe
   Matrix 3 Revolution English Subtitles.exe
   ACDSee 9.exe
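The indicators above (Run values, the mistyped Ru1n key, dropped file names, the Netsky-blocking mutexes, the share-folder lures and the fixed mail attachment names) are concrete enough to check for mechanically. The following script is an added example, not Lumension code and not part of the original description: it runs offline over constructed sample data shaped like a `reg export` dump, a file listing and a named-object handle list from a suspect host. The indicator values come from the description; the sample inputs, the function names and the subset of lure names are this example's own.

```python
"""Offline triage for the W32/Bagle.AI@mm indicators in this description.

Added example, not Lumension code. Key paths, file names, mutex names and mail
characteristics are taken from the description above; the sample inputs are
constructed and all function names are hypothetical.
"""
import ntpath
import re

RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
# Mistyped key written by the worm; nothing legitimate writes here.
TYPO_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n"
DROPPED = {"windirect.exe", "_dll.exe", "~.exe", "windll.exe",
           "windll.exeopen", "windll.exeopenopen"}
MUTEXES = {
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
ATTACHMENTS = {"price_08.zip", "price.zip", "price2.zip", "new_price.zip",
               "price_new.zip", "08_price.zip", "new__price.zip", "newprice.zip"}
# Subset of the share-folder lure names; extend with the rest of the list above.
LURES = {"Microsoft Office 2003 Crack, Working!.exe", "Serials.txt.exe",
         "Porno Screensaver.scr", "ACDSee 9.exe", "Ahead Nero 7.exe"}

_HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse a `reg export` style dump into {key: {value_name: data}}.
    Only REG_SZ lines of the form "name"="data" are needed for Run keys."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = _HIVES.get(hive, hive) + "\\" + rest
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name, data = (s.replace("\\\\", "\\").replace('\\"', '"')
                              for s in m.groups())
                keys[current][name] = data
    return keys


def find_persistence(reg):
    """Flag Run values launching a dropped file, and anything under Ru1n."""
    hits = []
    for key, values in reg.items():
        for name, data in values.items():
            exe = ntpath.basename(data.strip('"')).lower()
            if key in RUN_KEYS and exe in DROPPED:
                hits.append(f"persistence: {key}\\{name} -> {data}")
            elif key == TYPO_KEY:
                hits.append(f"typo key (dormant): {key}\\{name} -> {data}")
    return hits


def find_files(paths):
    """Flag dropped binaries anywhere, and lure names in any folder whose
    path contains 'shar', mirroring the worm's own share-folder heuristic."""
    hits = []
    for p in paths:
        base = ntpath.basename(p)
        if base.lower() in DROPPED:
            hits.append(f"dropped file: {p}")
        elif "shar" in ntpath.dirname(p).lower() and base in LURES:
            hits.append(f"share lure: {p}")
    return hits


def find_mutexes(handle_names):
    """Match named objects (e.g. \\BaseNamedObjects\\X) against the mutex list."""
    return [f"netsky-blocking mutex: {h}" for h in handle_names
            if h.rsplit("\\", 1)[-1] in MUTEXES]


def is_bagle_ai_mail(subject, body, attachment):
    """Gateway rule: empty subject, body 'New Price', one of the fixed zips."""
    return (subject.strip() == "" and body.strip() == "New Price"
            and attachment.lower() in ATTACHMENTS)


def triage(reg_text, paths, handles):
    """Combine all host-side checks into one list of findings."""
    return (find_persistence(parse_reg_export(reg_text))
            + find_files(paths) + find_mutexes(handles))


# Constructed sample data (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr"="C:\\WINDOWS\\system32\\windll.exe"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\windll.exeopen", r"C:\WINDOWS\~.exe",
                r"D:\shared\music\Serials.txt.exe", r"D:\shared\ACDSee 9.exe",
                r"C:\Program Files\foo\setup.exe", r"D:\shared\readme.txt"]
SAMPLE_HANDLES = [r"\BaseNamedObjects\ShimCacheMutex",
                  r"\BaseNamedObjects\AdmSkynetJklS003",
                  r"\BaseNamedObjects\[SkyNet.cz]SystemsMutex"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_HANDLES):
        print(finding)
```

On a real host, feed `parse_reg_export` the output of `reg export` for both Run keys and the Ru1n key, `find_files` a recursive directory listing of %SYSTEM%, %WINDIR% and any share folders, and `find_mutexes` the named-object list from a handle enumeration tool; `is_bagle_ai_mail` is the equivalent rule for a mail gateway. The Ru1n finding is reported separately because it proves the worm ran even though that value never starts anything.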

Payload Details

n/a

Analysis

n/a

Removal

The worm was detected proactively by Lumension Sandbox as W32/EMailWorm.


Last Updated: 12 Nov 2015 11:06:09