F-Secure Virus Descriptions : Bagle.I




NAME:Bagle.I
ALIAS:I-Worm.Bagle.h, W32.Beagle.I@mm, W32/Bagle.I@mm

Summary

Another new Bagle variant, Bagle.I, arrived on March 2nd, 2004. This worm is a minor variant of Bagle.H, but it evades generic detection because its file compressor code was modified. Like its predecessor, this variant spreads in password-protected ZIP archives; the password is a random number included at the end of the e-mail message.

Disinfection

Special Disinfection Tool

F-Secure has developed a special disinfection tool for this worm. The tool will detect and remove an active Bagle infection from the computer.

The Bagle removal tool can be downloaded in a ZIP file from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

http://www.f-secure.com/tools/f-bagle.zip

The unpacked version is available from:

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

http://www.f-secure.com/tools/f-bagle.exe

http://www.f-secure.com/tools/f-bagle.txt




Detailed Description

The worm's file is a PE executable about 21 kilobytes in size, packed with the PEX file compressor. The unpacked file is over 33 kilobytes. This variant tries to evade generic detection by using a modified version of the PEX compressor, so signatures written for the standard PEX stub do not match it.

The worm has a built-in lifetime of a bit over a year. If the system date is 25th of March 2005, the worm uninstalls itself by deleting its Registry keys and its executable file.

The worm has backdoor functionality. When active, it listens on TCP port 2745 for remote commands.

The worm also tries to fool AV scanners that rely on CRC (checksum) detection by appending random garbage data to the end of its file, so every copy has a different checksum.

Installation to system

When the worm's file is run, it copies itself as I11R54N4.EXE to the Windows System folder and creates a startup value for this file in the Registry:

 [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "rate.exe" = "%winsysdir%\i11r54n4.exe"

where %winsysdir% represents Windows System folder name.

The worm also drops the following files:

 I11R54N4.EXEOPEN - ZIPped sample of the worm to send out
 I1I5N1J4.EXE     - loader for the GO154O.EXE file
 GO154O.EXE       - main mass-mailing component of the worm

Both the loader and the mass-mailing component are DLL files that run inside the EXPLORER.EXE process (one of the core Windows components).
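The persistence value, the dropped file names and the listening port described above are host-based indicators that can be checked mechanically. The following Python is an added example, not F-Secure's disinfection tool or any code from the worm; it assumes the caller has already read the HKCU Run key (for example with winreg on Windows) and listed the Windows System folder, and it parses `netstat -an` style output. The registry data, file listing and netstat lines are constructed for the example.

```python
import re

# Indicators taken from the description: the Run value name, the copy name,
# the dropped files and the backdoor port. Matching is case-insensitive
# because Windows file names are.
RUN_VALUE_NAME = "rate.exe"
COPY_NAME = "i11r54n4.exe"
DROPPED_FILES = {"i11r54n4.exeopen", "i1i5n1j4.exe", "go154o.exe"}
BACKDOOR_PORT = 2745


def check_run_key(run_values):
    """run_values: dict of value name -> data read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (assumed to be
    supplied by the caller). Returns a list of matching entries."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith("\\" + COPY_NAME):
            hits.append(f"Run value {name!r} -> {data}")
    return hits


def check_system_folder(filenames):
    """filenames: names found in the Windows System folder.
    Returns the worm's copy and dropped files that are present, sorted."""
    present = {f.lower() for f in filenames}
    return sorted(present & (DROPPED_FILES | {COPY_NAME}))


# One `netstat -an` row: proto, local addr:port, foreign addr, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def check_netstat(netstat_output):
    """Return local address:port strings that are listening on the backdoor port."""
    listeners = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT:
            listeners.append(f"{m.group(1)}:{m.group(2)}")
    return listeners


def assess(run_values, filenames, netstat_output):
    """Combine the three checks into one report dict."""
    return {
        "run_key": check_run_key(run_values),
        "dropped_files": check_system_folder(filenames),
        "backdoor_listeners": check_netstat(netstat_output),
    }


# Constructed sample data, not taken from a real infected host.
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "rate.exe": "C:\\WINDOWS\\System32\\i11r54n4.exe",
}
SAMPLE_FILES = ["kernel32.dll", "I11R54N4.EXE", "I11R54N4.EXEOPEN",
                "GO154O.EXE", "I1I5N1J4.EXE"]
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       10.0.0.2:25            ESTABLISHED
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT).items():
        print(key, value)
```

The Run value is matched on both the value name and the tail of its data, since the name alone ("rate.exe") is not unusual enough to act on. The port check looks only at the LISTENING state; a port 2745 entry in another state is not, by itself, evidence of the backdoor.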

Searching for e-mail addresses

To find victims' e-mail addresses, the worm searches all available hard drives for files with these extensions:

 .wab
 .vbs
 .rtf
 .txt
 .doc
 .html
 .shtml
 .msg
 .htm
 .xml
 .dbx
 .mdx
 .eml
 .nch
 .mmf
 .ods
 .cfg
 .asp
 .php
 .pl
 .adb
 .tbb
 .sht

The worm avoids spreading to e-mail addresses containing any of the following:

 @hotmail.com
 @msn.com
 @microsoft
 @avp.
 noreply
 local
 root@
 postmaster@

Spreading in e-mails

The worm spreads itself in e-mail messages as a password-protected ZIP archive that contains the worm's executable file with a random name and an EXE or SCR extension. The worm randomly selects the subject, message body and attachment name from its internal lists, and generates a random password with which it encrypts the ZIP archive. The infected message is assembled from the following lists:

Here are variants of subjects that the worm uses:

 Hi
 Weah, hello! :-)
 Weeeeee! ;)))
 Hi! :-)
 :-)
 :)
 ello! =))
 Hey, ya! =))
 meay-meay!
 ^_^ meay-meay!
 ^_^ mew-mew (-:

Here are variants of message bodies that the worm uses:

 Argh, i don't like the plaintext :)
 You have won!!!
 The access is open !!!

Here are variants of attachment names that the worm uses:

 Attach
 TextDocument
 Readme
 Msg
 MsgInfo
 Document
 Info
 AttachedFile
 AttachedDocument
 TextDocument
 Text
 TextFile
 Letter
 MoreInfo
 Message

The worm adds ZIP password information to its message. It uses one of the following strings:

 archive password: <pass>
 password: <pass>
 password -- <pass>
 pass: <pass>
 <pass> -- archive password
 ...btw, "<pass>" is a password for archive
 password for archive: <pass>

where <pass> is a randomly-generated password.
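Because the archive is encrypted, a mail gateway cannot scan the worm's executable directly, but it can recover the password from the body using the seven templates above and, independently of the password, see the member names, since ZipCrypto leaves the central directory in clear. The following Python is an added example, not part of the original description or of any F-Secure product. It assumes, per the Summary, that the password is a run of digits. The message body and the archive are constructed for the example; Python's zipfile cannot write ZipCrypto archives, so the sample ZIP is unencrypted and the password path is only exercised, not required.

```python
import io
import re
import zipfile

# The seven password templates from the description, with <pass> as digits.
# Alternatives with a longer fixed prefix come first so that, for example,
# "password for archive:" is not swallowed by the bare "password:" pattern.
PASSWORD_PATTERNS = [
    r"archive password:\s*(\d+)",
    r"password for archive:\s*(\d+)",
    r"password:\s*(\d+)",
    r"password\s*--\s*(\d+)",
    r"pass:\s*(\d+)",
    r"(\d+)\s*--\s*archive password",
    r'"(\d+)"\s*is a password for archive',
]
PASSWORD_RE = re.compile("|".join(PASSWORD_PATTERNS), re.IGNORECASE)

# Extensions the description says the worm uses inside the ZIP.
DANGEROUS_EXT = (".exe", ".scr")


def extract_password(body):
    """Return the archive password found in the message body, or None."""
    m = PASSWORD_RE.search(body)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def inspect_zip(zip_bytes, password=None):
    """Return (member_names, executable_members, opened_with_password).
    Member names come from the central directory and are readable without
    the password, so the EXE/SCR check works even when extraction fails."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    names = zf.namelist()
    executables = [n for n in names if n.lower().endswith(DANGEROUS_EXT)]
    opened = False
    if password is not None:
        try:
            for n in names:
                # pwd is ignored by zipfile for unencrypted entries, so this
                # is trivially True on the constructed sample below.
                with zf.open(n, pwd=password.encode()) as f:
                    f.read()
            opened = True
        except RuntimeError:  # "Bad password for file"
            opened = False
    return names, executables, opened


def triage(body, zip_bytes):
    """Gateway verdict: a password in the body plus an EXE/SCR member is the
    Bagle-style pattern, regardless of whether decryption succeeded."""
    pwd = extract_password(body)
    names, exes, opened = inspect_zip(zip_bytes, pwd)
    return {
        "password": pwd,
        "members": names,
        "executables": exes,
        "opened_with_password": opened,
        "bagle_like": pwd is not None and bool(exes),
    }


def build_sample_zip():
    """Constructed sample: an unencrypted ZIP holding a harmless fake 'Readme.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Readme.exe", b"MZ not really a program")
    return buf.getvalue()


# Constructed message body using one of the worm's body/password templates.
SAMPLE_BODY = 'You have won!!!\n\n...btw, "38715" is a password for archive\n'

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, build_sample_zip()))
```

The verdict deliberately does not depend on `opened_with_password`: if the template list ever drifts from what the worm actually sends, the EXE/SCR member name in the central directory still flags the message.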

Spreading to shared folders

The worm also copies itself to shared folders on an infected computer. Because peer-to-peer file sharing clients typically serve files out of a folder with "shar" in its name, this lets the worm spread through those clients as well.

While searching all available hard disks for e-mail addresses, whenever the worm finds a folder whose name contains the substring 'shar', it copies itself into that folder under one of the following names:

 Microsoft Office 2003 Crack, Working!.exe
 Microsoft Office XP working Crack, Keygen.exe
 Microsoft Windows XP, WinXP Crack, working Keygen.exe
 Porno Screensaver.scr
 Porno, sex, oral, anal cool, awesome!!.exe
 Porno pics arhive, xxx.exe
 Serials.txt.exe
 Windown Longhorn Beta Leak.exe
 Windows Sourcecode update.doc.exe
 XXX hardcore images.exe
 Opera 8 New!.exe
 WinAmp 5 Pro Keygen Crack Update.exe
 WinAmp 6 New!.exe
 Matrix 3 Revolution English Subtitles.exe
 Adobe Photoshop 9 full.exe
 Ahead Nero 7.exe
 ACDSee 9.exe

It should be noted that the NetSky worm uses a similar technique, but it searches all available drives except CD-ROMs.

Killing processes of security software

The worm kills processes of anti-virus and security software that are associated with these files:

 ATUPDATER.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 UPDATE.EXE
 NUPGRADE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVXQUAR.EXE
 CFIAUDIT.EXE
 MCUPDATE.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 AVLTMAIN.EXE

Connecting to websites

The worm connects to the following websites:

 http://postertog.de/scr.php
 http://www.gfotxt.net/scr.php
 http://www.maiklibis.de/scr.php

The worm requests the PHP scripts on these pages with certain parameters. This is done for tracking purposes: the site owner receives the IP address of the infected computer and the port number of its backdoor.



Detection

F-Secure Anti-Virus detects the Bagle.I worm as of the following update:

[FSAV_Database_Version]

Version=2004-03-02_02



Technical Details: Alexey Podrezov, March 2nd, 2004;

F-Secure Corporation