Virus: Worm/Bagle.BQ
Date discovered: 13/12/2012
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Low to medium
Static file: Yes
File size: 21.696 Bytes
MD5 checksum: 8BF7C959945E8B5DC51B444C9F837F0C
VDF version: 7.11.53.216

General methods of propagation:
   • Email
   • Peer to Peer


Aliases:
   •  Symantec: W32.Beagle.BY@mm
   •  Kaspersky: Email-Worm.Win32.Bagle.bw
   •  TrendMicro: WORM_BAGLE.BM
   •  F-Secure: W32/Bagle.CG@mm
   •  Sophos: W32/Bagle-BW
   •  VirusBuster: Trojan.PR.Mitglied.CH
   •  Bitdefender: Win32.Worm.Lewor.F


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Uses its own Email engine
   • Lowers security settings

Files
It copies itself to the following location:
   • %SYSDIR%\winhost.exe




It tries to download a file from the following location:
   • http://cardgoods.com/**********/ip.txt
It is saved on the local hard drive as: %WINDIR%\IP.txt

Registry
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "winhost.exe"="<%sysdir%>\winhost.exe"



The following registry key is added:

[HKCU\Software\Timeout]
   • "uid"
   • "port"="dword:00002346"
   • "pid"

Email
It contains an integrated SMTP engine for sending emails and establishes a direct connection to the destination mail server. The characteristics are described below:


From:
The sender address is spoofed.
The addresses are generated. Please do not assume that the sender intended to send this email to you; the sender may be unaware of the infection or may not be infected at all. You may also receive bounced emails claiming that you are infected, which is not necessarily the case either.


To:
   • Email addresses found in specific files on the system.


Subject:
One of the following:
   • Re: Msg reply
   • Re: Hello
   • Re:
   • Re: Yahoo!
   • Re: Thank you!
   • Re: Thanks :)
   • RE: Text message
   • Re: Document
   • Incoming message
   • Re: Incoming Message
   • RE: Incoming Msg
   • RE: Message Notify
   • Notification
   • Changes..
   • Update
   • Fax Message
   • Protected message
   • RE: Protected message
   • Forum notify
   • Site changes
   • Re: Hi
   • Encrypted document
   • Read the attach



Body:
The body of the email is one of the lines:
   • Your file is attached.
   • Try this.
   • More info is in attach
   • See attach.
   • Please, have a look at the attached file.
   • Your document is attached.
   • Please, read the document.
   • Attach tells everything.
   • Attached file tells everything.
   • Check attached file for details.
   • Check attached file.
   • Pay attention at the attach.
   • See the attached file for details.
   • Message is in attach
   • Here is the file.


Attachment:
The filename of the attachment is one of the following:
   • Information.exe
   • Details.exe
   • text_document.exe
   • Updates.exe
   • Readme.exe
   • Document.exe
   • Info.exe
   • Details.exe
   • MoreInfo.exe
   • Message.exe
   • Sources.exe
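The subject lines, body lines and attachment names above are fixed lists, which makes them usable as a mail-gateway rule. The following Python is an added example, not Avira's code or part of this description: it builds constructed sample messages with the standard library email package and flags a message only when a listed executable attachment name is paired with a listed subject or body line, so that an ordinary "Re: Hello" reply is not blocked on its subject alone. The addresses and the build_sample/analyse helper names are assumptions.

```python
"""Mail-gateway check for the Worm/Bagle.BQ lures listed in this description.

Added example, not Avira's code. Messages are constructed in-process with the
standard library 'email' package; addresses and helper names are made up.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines, body lines and attachment names from the description,
# lower-cased so that matching is case-insensitive.
SUBJECTS = {s.lower() for s in [
    "Re: Msg reply", "Re: Hello", "Re:", "Re: Yahoo!", "Re: Thank you!",
    "Re: Thanks :)", "RE: Text message", "Re: Document", "Incoming message",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "Notification", "Changes..", "Update", "Fax Message", "Protected message",
    "RE: Protected message", "Forum notify", "Site changes", "Re: Hi",
    "Encrypted document", "Read the attach"]}
BODIES = {b.lower() for b in [
    "Your file is attached.", "Try this.", "More info is in attach", "See attach.",
    "Please, have a look at the attached file.", "Your document is attached.",
    "Please, read the document.", "Attach tells everything.",
    "Attached file tells everything.", "Check attached file for details.",
    "Check attached file.", "Pay attention at the attach.",
    "See the attached file for details.", "Message is in attach", "Here is the file."]}
ATTACHMENTS = {a.lower() for a in [
    "Information.exe", "Details.exe", "text_document.exe", "Updates.exe",
    "Readme.exe", "Document.exe", "Info.exe", "MoreInfo.exe", "Message.exe",
    "Sources.exe"]}


def build_sample(subject, body, filename=None, payload=b"MZ"):
    """Construct a sample message as raw bytes (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"   # constructed address
    msg["To"] = "user@example.org"        # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def analyse(raw_bytes):
    """Match one raw message against the three lure lists and return a verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body_lines = set()
    if body_part is not None:
        body_lines = {ln.strip().lower()
                      for ln in body_part.get_content().splitlines()}
    names = {p.get_filename().lower()
             for p in msg.iter_attachments() if p.get_filename()}
    hits = {
        "subject": subject in SUBJECTS,
        "body": bool(body_lines & BODIES),
        "attachment": bool(names & ATTACHMENTS),
    }
    # A listed subject or body line also occurs in legitimate mail ("Re: Hello"),
    # so the executable attachment name is the decisive signal; matching lure
    # text on top of it raises the verdict from review to block.
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        hits["verdict"] = "block"
    elif hits["attachment"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


if __name__ == "__main__":
    samples = [
        build_sample("Re: Document", "Please, read the document.", "Document.exe"),
        build_sample("Re: Hello", "Minutes from the call are attached.", "minutes.pdf"),
        build_sample("Quarterly numbers", "Numbers attached.", "Readme.exe"),
    ]
    for raw in samples:
        print(analyse(raw))
```

The rule deliberately treats the attachment name as the anchor: a subject hit on its own only tells you the message looks like a reply, which is exactly what the worm relies on to blend in.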

Mailing
Search addresses:
It searches the following files for email addresses:
   • .wab; .txt; .msg; .htm; .html; .shtm; .stm; .xml; .dbx; .mbx; .mdx;
      .eml; .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht;
      .xls; .oft; .uin; .cgi; .mht; .dhtm; .jsp; .ini; .cfg; .txt; .vxd;
      .def; .dll
It combines the harvested addresses with domain names found in the same files that were searched for addresses.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • virus; norton; @msn; @microsoft; rating@; f-secur; news; update;
      anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@;
      noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux;
      listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip;
      google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.;
      noreply; local; root@; postmaster@

P2P
To infect other systems on a peer-to-peer network, it performs the following:


   It searches for directories that contain the following substring:
   • "shar"

   If successful, the following files are created:
   • "Microsoft Office 2003 Crack, Working!.exe"
   • "Microsoft Windows XP, WinXP Crack, working Keygen.exe"
   • "Microsoft Office XP working Crack, Keygen.exe"
   • "Porno, sex, oral, anal cool, awesome!!.exe"
   • "Porno Screensaver.scr"
   • "Serials.txt .exe"
   • "text.txt .exe"
   • "Kaspersky Antivirus 5.0"
   • "Porno pics arhive, xxx.exe"
   • "Windows Sourcecode update.doc .exe"
   • "Ahead Nero 7.exe"
   • "Windown Longhorn Beta Leak.exe"
   • "New document.doc .exe"
   • "XXX hardcore images.exe"
   • "WinAmp 6 New!.exe"
   • "hardcore arhive.exe"
   • "install.exe"
   • "important.exe"
   • "important update.exe"
   • "update.exe"
   • "patch.exe"
   • "New patch.exe"
   • "setup.exe"
   • "message.msg .exe"


Process termination
List of processes that are terminated:
   • OUTPOST.EXE; SAVSCAN.EXE; navapsvc.exe; NPROTECT.EXE; ccApp.exe;
      ccEvtMgr.exe; SymWSC.exe; NavShExt.dll; NMAIN.EXE;
      NORTON_INTERNET_SECU_3.0_407.EXE; NPF40_TW_98_NT_ME_2K.EXE;
      NPFMESSENGER.EXE; NPROTECT.EXE; NSCHED32.EXE; NTVDM.EXE; NVARCH16.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KILLPROCESSSETUP161.EXE; LDPRO.EXE;
      LOCALNET.EXE; LOCKDOWN.EXE; LOCKDOWN2000.EXE; LSETUP.EXE; CLEANPC.EXE;
      AVprotect9x.exe; CMGRDIAN.EXE; CMON016.EXE; CPF9X206.EXE;
      CPFNT206.EXE; CV.EXE; CWNB181.EXE; CWNTDWMO.EXE; ICSSUPPNT.EXE;
      DEFWATCH.EXE; DEPUTY.EXE; DPF.EXE; DPFSETUP.EXE; DRWATSON.EXE;
      ENT.EXE; ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; ESCANV95.EXE;
      AVPUPD.EXE; EXANTIVIRUS-CNET.EXE; FAST.EXE; FIREWALL.EXE;
      FLOWPROTECTOR.EXE; FP-WIN_TRIAL.EXE; FRW.EXE; FSAV.EXE; AUTODOWN.EXE;
      FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE; GBMENU.EXE;
      GBPOLL.EXE; GUARD.EXE; GUARDDOG.EXE; HACKTRACERSETUP.EXE; HTLOG.EXE;
      HWPE.EXE; IAMAPP.EXE; IAMAPP.EXE; IAMSERV.EXE; ICLOAD95.EXE;
      ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IFW2000.EXE;
      IPARMOR.EXE; IRIS.EXE; JAMMER.EXE; ATUPDATER.EXE; AUPDATE.EXE;
      KAVLITE40ENG.EXE; KAVPERS40ENG.EXE; KERIO-PF-213-EN-WIN.EXE;
      KERIO-WRL-421-EN-WIN.EXE; BORG2.EXE; BS120.EXE; CDP.EXE; CFGWIZ.EXE;
      CFIADMIN.EXE; CFIAUDIT.EXE; AUTOUPDATE.EXE; CFINET.EXE; NAVAPW32.EXE;
      NAVDX.EXE; NAVSTUB.EXE; NAVW32.EXE; NC2000.EXE; NCINST4.EXE;
      AUTOTRACE.EXE; NDD32.EXE; NEOMONITOR.EXE; NETARMOR.EXE; NETINFO.EXE;
      NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE; NETSTAT.EXE;
      NISSERV.EXE; NISUM.EXE; CFIAUDIT.EXE; LUCOMSERVER.EXE; AGENTSVR.EXE;
      ANTI-TROJAN.EXE; ANTI-TROJAN.EXE; ANTIVIRUS.EXE; ANTS.EXE;
      APIMONITOR.EXE; APLICA32.EXE; APVXDWIN.EXE; ATCON.EXE; ATGUARD.EXE;
      ATRO55EN.EXE; ATWATCH.EXE; AVCONSOL.EXE; AVGSERV9.EXE; AVSYNMGR.EXE;
      BD_PROFESSIONAL.EXE; BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE;
      BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE; BOOTWARN.EXE;
      NWINST4.EXE; NWTOOL16.EXE; OSTRONET.EXE; OUTPOSTINSTALL.EXE;
      OUTPOSTPROINSTALL.EXE; PADMIN.EXE; PANIXK.EXE; PAVPROXY.EXE;
      DRWEBUPW.EXE; PCC2002S902.EXE; PCC2K_76_1436.EXE; PCCIOMON.EXE;
      PCDSETUP.EXE; PCFWALLICON.EXE; PCFWALLICON.EXE; PCIP10117_0.EXE;
      PDSETUP.EXE; PERISCOPE.EXE; PERSFW.EXE; PF2.EXE; AVLTMAIN.EXE;
      PFWADMIN.EXE; PINGSCAN.EXE; PLATIN.EXE; POPROXY.EXE; POPSCAN.EXE;
      PORTDETECTIVE.EXE; PPINUPDT.EXE; PPTBC.EXE; PPVSTOP.EXE;
      PROCEXPLORERV1.0.EXE; PROPORT.EXE; PROTECTX.EXE; PSPF.EXE; WGFE95.EXE;
      WHOSWATCHINGME.EXE; AVWUPD32.EXE; NUPGRADE.EXE; WHOSWATCHINGME.EXE;
      WINRECON.EXE; WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE;
      WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE; ZAPRO.EXE; ZAPSETUP3001.EXE;
      ZATUTOR.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE;
      CLEANPC.EXE; CMGRDIAN.EXE; CMON016.EXE; CPD.EXE; CFGWIZ.EXE;
      CFIADMIN.EXE; PURGE.EXE; PVIEW95.EXE; QCONSOLE.EXE; QSERVER.EXE;
      RAV8WIN32ENG.EXE; REGEDT32.EXE; REGEDIT.EXE; UPDATE.EXE; RESCUE.EXE;
      RESCUE32.EXE; RRGUARD.EXE; RSHELL.EXE; RTVSCN95.EXE; RULAUNCH.EXE;
      SAFEWEB.EXE; SBSERV.EXE; SD.EXE; SETUP_FLOWPROTECTOR_US.EXE;
      SETUPVAMEEVAL.EXE; SFC.EXE; SGSSFW32.EXE; SH.EXE; SHELLSPYINSTALL.EXE;
      SHN.EXE; SMC.EXE; SOFI.EXE; SPF.EXE; SPHINX.EXE; SPYXX.EXE;
      SS3EDIT.EXE; ST2.EXE; SUPFTRL.EXE; LUALL.EXE; SUPPORTER5.EXE;
      SYMPROXYSVC.EXE; SYSEDIT.EXE; TASKMON.EXE; TAUMON.EXE; TAUSCAN.EXE;
      TC.EXE; TCA.EXE; TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE; TDS-3.EXE;
      TFAK5.EXE; TGBOB.EXE; TITANIN.EXE; TITANINXP.EXE; TRACERT.EXE;
      TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE; UNDOBOOT.EXE;
      VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE; VBWIN9X.EXE; VBWINNTW.EXE;
      VCSETUP.EXE; VFSETUP.EXE; VIRUSMDPERSONALFIREWALL.EXE; VNLAN300.EXE;
      VNPC3000.EXE; VPC42.EXE; VPFW30S.EXE; VPTRAY.EXE; VSCENU6.02D30.EXE;
      VSECOMR.EXE; VSHWIN32.EXE; VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE;
      VSSTAT.EXE; VSWIN9XE.EXE; VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE;
      W9X.EXE; WATCHDOG.EXE; WEBSCANX.EXE; CFIAUDIT.EXE; CFINET.EXE;
      ICSUPP95.EXE; MCUPDATE.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE;
      LUINIT.EXE; MCAGENT.EXE; MCUPDATE.EXE; MFW2EN.EXE; MFWENG3.02D30.EXE;
      MGUI.EXE; MINILOG.EXE; MOOLIVE.EXE; MRFLUX.EXE; MSCONFIG.EXE;
      MSINFO32.EXE; MSSMMC32.EXE; MU0311AD.EXE; NAV80TRY.EXE; ZAUINST.EXE;
      ZONALM2601.EXE; ZONEALARM.EXE


Backdoor
The following port is opened:

%SYSDIR%\winhost.exe listens on TCP port 9030 to provide backdoor capabilities.
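The dropped file, the Run value, the port value under HKCU\Software\Timeout and the listening TCP port are the host indicators a responder can check. The following Python is an added example, not Avira's code or part of this description: it parses a constructed .reg export and a constructed netstat -an listing (the system directory path, the uid/pid values and the helper names are assumptions) and reports which indicators are present. It also decodes the registry's dword:00002346, which is 9030 in decimal, the same port the backdoor listens on.

```python
"""Host triage checks for the Worm/Bagle.BQ indicators in this description.

Added example, not Avira's code. It runs offline against constructed artifact
text that mimics a .reg export and a 'netstat -an' listing; the system
directory path, uid/pid values and helper names are made up.
"""
import re

# Indicators taken from the description.
DROPPED_FILE = "winhost.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Timeout"
BACKDOOR_PORT = 9030

# Constructed sample of a registry export; the OneDrive value is a benign decoy.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"winhost.exe"="C:\\WINDOWS\\system32\\winhost.exe"

[HKEY_CURRENT_USER\Software\Timeout]
"uid"="1234"
"port"=dword:00002346
"pid"=dword:000004d2
"""

# Constructed sample of 'netstat -an' output with the backdoor listener present.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9030           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       203.0.113.7:25         ESTABLISHED
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: raw_data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def run_key_hits(reg):
    """Return Run-key value names whose data points at winhost.exe."""
    return sorted(name for name, data in reg.get(RUN_KEY, {}).items()
                  if DROPPED_FILE in data.lower())


def reg_dword(raw):
    """Decode 'dword:XXXXXXXX' into an int, or None if the data is not a DWORD."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    return int(m.group(1), 16) if m else None


def configured_port(reg):
    """Decode the 'port' value under the Timeout key (dword:00002346 is 9030)."""
    raw = reg.get(CONFIG_KEY, {}).get("port")
    return reg_dword(raw) if raw else None


def listening_ports(netstat_text):
    """Extract local TCP ports in LISTENING state from netstat -an style output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def triage(reg_text, netstat_text):
    """Combine the checks into a findings list a responder can act on."""
    reg = parse_reg_export(reg_text)
    findings = []
    for name in run_key_hits(reg):
        findings.append(f"persistence: Run value {name!r} launches {DROPPED_FILE}")
    port = configured_port(reg)
    if port is not None:
        findings.append(f"config: {CONFIG_KEY} port = {port}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        findings.append(f"backdoor: TCP {BACKDOOR_PORT} is LISTENING")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT):
        print(finding)
```

On a live Windows host the two inputs come from reg export and netstat -an; since the checks are plain text matching, they work equally over artifacts collected from an offline disk image, where the registry hive can be exported from a clean system after loading it.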

File details
Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Friday, August 5, 2005
Description updated by Andrei Gherman on Friday, August 19, 2005
