F-Secure: Be Sure

Select local site

F-Secure Virus Descriptions : Bagle.H

[Summary] | [Disinfection] | [Detailed Description] | [Detection]

NAME:	Bagle.H
ALIAS:	I-Worm.Bagle.g, W32.Beagle.H@mm, W32/Bagle.H@mm

Summary

The next new Bagle variant - Bagle.H, arrived at the evening on March 1st, 2004. This variant spreads in password protected ZIPs. The password is a random number included at the end of the email message.

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Bagle infection from the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

http://www.f-secure.com/tools/f-bagle.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

http://www.f-secure.com/tools/f-bagle.exe

http://www.f-secure.com/tools/f-bagle.txt

Back to the Top

Detailed Description

The worm's file is a PE executable about 21 kilobytes in size packed with PEX file compressor. The unpacked file's size is over 33 kilobytes.

The worm's lifecycle is a bit over a year. If the date is 25th of March 2005, the worm uninstalls itself from a system by deleting its Registry keys and executable file.

The worm has backdoor functionality. When active, the worm listens on port 2745 for remote commands.

The worm tries to fool AV scanners that use CRC detection. It adds random garbage data to the end of its file.

Installation to system

When the worm's file is run, it copies itself as I11R54N4.EXE to Windows System folder and creates a startup key for this file in the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "rate.exe" = "%winsysdir%\i11r54n4.exe"

where %winsysdir% represents Windows System folder name.

The worm also drops the following files:

 I11R54N4.EXEOPEN - ZIPpped sample of the worm to send out
 I1I5N1J4.EXE     - loader for GO154O.EXE file
 GO154O.EXE       - main mass mailing component of the worm

Both the loader and mass mailing component are DLL files that work under EXPLORER.EXE process (one of the main Windows component).

Searching for e-mail addresses

To find victims' e-mail addresses the worm searches all available hard drives for the files with these extensions:

 .wab
 .txt
 .htm
 .xml
 .dbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .adb
 .tbb
 .sht

The worm avoids spreading to e-mail addresses containing any of the following:

 @hotmail.com
 @msn.com
 @microsoft
 @avp.
 noreply
 local
 root@
 postmaster@

Spreading in e-mails

The worm spreads itself in e-mail messages as a password protected ZIP archive that contains the worm's executable file with random name and EXE or SCR extension. The worm randomly selects subjects, message bodies and attachment names from its internal lists. The worm also generates random passwords that it uses to encrypt its ZIP archive with.

Here are variants of subjects that the worm uses:

 Hokki =)
 Weah, hello! :-)
 Weeeeee! ;)))
 Hi! :-)
 :-)
 :)
 ello! =))
 Hey, ya! =))
 ^_^ meay-meay!
 ^_^ meay-meay!
 ^_^ mew-mew (-:
 Hey, dude, it's me ^_^ :P

Here are variants of message bodies that the worm uses:

 Argh, i don't like the plaintext :)
 I don't bite, weah!
 Looking forward for a response :P

Here are variants of attachment names that the worm uses:

 Attach
 TextDocument
 Readme
 Msg
 MsgInfo
 Document
 Info
 AttachedFile
 AttachedDocument
 TextDocument
 Text
 TextFile
 Letter
 MoreInfo
 Message

The worm adds ZIP password information to its message. It uses one of the following strings:

 archive password: <pass>
 password: <pass>
 password -- <pass>
 pass: <pass>
 <pass> -- archive password
 ...btw, "<pass>" is a password for archive
 password for archive: <pass>

where <pass> is a randomly-generated password.

Spreading to shared folders

The worm spreads to shared folders on an infected computer. Such functionality allows the worm to spread through file sharing clients as well as it can copy itself to their shared folders.

When the worm searches for e-mail addresses on all available hard disks and it finds a folder which name contains 'shar' substring, it copies itself to that folder with one of the following names:

 Microsoft Office 2003 Crack, Working!.exe
 Microsoft Office XP working Crack, Keygen.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 Porno Screensaver.scr
 Porno, sex, oral, anal cool, awesome!!.exe
 Porno pics arhive, xxx.exe
 Serials.txt.exe
 Windown Longhorn Beta Leak.exe
 Windows Sourcecode update.doc.exe
 XXX hardcore images.exe
 Opera 8 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 WinAmp 6 New!.exe
 Matrix 3 Revolution English Subtitles.exe
 Adobe Photoshop 9 full.exe
 Ahead Nero 7.exe
 ACDSee 9.exe

It should be noted that NetSky worm uses the similar technique, however it searches all available drives except CD-ROMs.

Killing processes of security software

The worm kills processes of anti-virus and security software that are associated with these files:

 ATUPDATER.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 UPDATE.EXE
 NUPGRADE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVXQUAR.EXE
 CFIAUDIT.EXE
 MCUPDATE.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 AVLTMAIN.EXE

Connecting to websites

The worm connects to the following websites:

 http://postertog.de/scr.php
 http://www.gfotxt.net/scr.php
 http://www.maiklibis.de/scr.php

The worm opens PHP scripts on these pages with certain parameters. This is done for tracking purposes as the site owner gets the IP address of an infected computer and the backdoor's port number.

Back to the Top

Detection

F-Secure Anti-Virus detects Bagle.H using a generic detection since the following update:

[FSAV_Database_Version]

Version=2004-03-01_04

Back to the Top

Writeup: Katrin Tocheva, March 1st, 2004;

Technical Details: Alexey Podrezov, March 1st, 2004;

Description Updated: Alexey Podrezov, March 2nd, 2004;

F-Secure Corporation