Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Opens backdoor
Detection: files published
Description created: 29 Oct 2004 02:21:00
Description updated: 29 Oct 2004 02:21:00
Malware type: WORM
Aliases: WORM_BAGLE.AT, W32/Bagle.AT@mm, I-Worm.Bagle.at
Spreading mechanism: EMAIL, OTHER
Summary: None

W32/Bagle.AQ@mm

Spreading

The worm installs itself in the Windows folder under the name WINGO.EXE and modifies a registry key to point to itself so that it starts at boot.
It then harvests email addresses from local resources (it searches a long list of file types) and uses them for its email spreading routine. At the same time, it looks for folders whose name contains the word "share" and drops multiple copies of itself there under the file names below:
Microsoft Office 2003 Crack, Working!.exe.
Porno, sex, oral, anal cool, awesome!!.exe.
Porno Screensaver.scr.
Serials.txt.exe.
KAV 5.0
Kaspersky Antivirus 5.0.
Porno pics arhive, xxx.exe.
Windows Sourcecode update.doc.exe.
Ahead Nero 7.exe.
Opera 8 New!.exe.
XXX hardcore images.exe.
WinAmp 6 New!.exe.
Adobe Photoshop 9 full.exe.
Matrix 3 Revolution English Subtitles.exe.
ACDSee 9.exe.
Changes to registry: The worm deletes a large number of autostart values belonging to other worms and to AV and firewall products. Each of the following value names is removed from both "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run":

"My AV"
"Zone Labs Client Ex"
"9XHtProtect"
"Antivirus"
"Special Firewall Service"
"service"
"Tiny AV"
"ICQNet"
"HtProtect"
"NetDy"
"Jammer2nd"
"FirewallSvr"
"MsInfo"
"SysMonXP"
"EasyAV"
"PandaAVEngine"
"Norton Antivirus AV"
"KasperskyAVEng"
"SkynetsRevenge"
"ICQ Net"

It then adds its own autostart value so that it runs at boot: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, "wingo"="\wingo.exe"
Process information: The worm creates the following mutexes to avoid being loaded twice and to stop other worms from running:

MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D.
'D'r'o'p'p'e'd'S'k'y'N'e't'.
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_.
[SkyNet.cz]SystemsMutex.
AdmSkynetJklS003.
____--->>>>U<<<<--____.
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_.
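
The two host-side traces described above (the "wingo" Run value and the lure file names dropped into shared folders) can be checked offline from a `reg export` of the Run keys and a directory listing. The following triage script is an added example, not part of the original description; the registry export and the `C:\WINDOWS\wingo.exe` path are constructed sample data, and the double-extension pattern generalizes the .txt.exe / .doc.exe names on the page to a few more document and executable extensions.

```python
import re

# Lure file names the page lists for the worm's copies in "share" folders.
LURE_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe", "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno Screensaver.scr", "Serials.txt.exe", "KAV 5.0", "Kaspersky Antivirus 5.0",
    "Porno pics arhive, xxx.exe", "Windows Sourcecode update.doc.exe", "Ahead Nero 7.exe",
    "Opera 8 New!.exe", "XXX hardcore images.exe", "WinAmp 6 New!.exe",
    "Adobe Photoshop 9 full.exe", "Matrix 3 Revolution English Subtitles.exe", "ACDSee 9.exe",
}
# "document.ext.exe" style double extensions, generalized from Serials.txt.exe and ...update.doc.exe.
DOUBLE_EXT = re.compile(r"\.(txt|doc|jpg|pdf|htm)\.(exe|scr|pif)$", re.IGNORECASE)
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` writes: [key] headers and "name"="data" lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:  # .reg files double every backslash in string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def run_key_indicators(text):
    """Return Run-key autostart entries matching the worm's "wingo" persistence value."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(RUN_SUFFIX):
            continue
        for name, data in values.items():
            if name.lower() == "wingo" or data.lower().endswith("wingo.exe"):
                hits.append(f"{key}\\{name} = {data}")
    return hits

def share_indicators(filenames):
    """Return names in a shared-folder listing that match the lure list or a double extension."""
    return [f for f in filenames if f in LURE_NAMES or DOUBLE_EXT.search(f)]

# Constructed sample: an HKCU Run key export from an infected host (ctfmon.exe is a benign entry).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wingo"="C:\\WINDOWS\\wingo.exe"
"""
```

Running `run_key_indicators(SAMPLE_REG)` reports only the wingo entry; a hit on a real host should be followed by checking for WINGO.EXE in the Windows folder and for a listener on port 81.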

Payload Details

The worm opens a backdoor listening on port 81, allowing unauthorized access to the computer. It may also attempt to download a file from one of several web sites, though no file was found at the time of writing.

Analysis

n/a

Removal

n/a

Last Updated: 12 Nov 2015 11:06:15