Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Bagle.FI
CME number:328
Date discovered:03/02/2006
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:No
File size:~19.000 Bytes
VDF version:6.33.00.194
Heuristic:TR/Bagle.Gen.B

 General Methods of propagation:
   • Email
   • Peer to Peer


Aliases:
   •  Symantec: W32.Beagle.DL@mm
   •  Mcafee: W32/Bagle.dp@MM
   •  Kaspersky: Email-Worm.Win32.Bagle.fj
   •  TrendMicro: WORM_BAGLE.CL
   •  F-Secure: W32/Bagle.DW@mm
   •  Sophos: Troj/BagleDl-BZ
   •  Panda: W32/Bagle.GS.worm
   •  VirusBuster: I-Worm.Bagle.GJ
   •  Eset: Win32/Bagle.FA
   •  Bitdefender: Win32.Worm.Bagle.FJ

It was previously detected as:
     TR/Bagle.Gen.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Disable security applications
   • Downloads files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\sysformat.exe



It copies itself to the following location. This file has random bytes appended so it may differ from the original one:
   • %SYSDIR%\sysformat.exeopen



It renames the following files:

      aaa.exe into bbb.exe
      mysuperprog1.exe into mysuperprog2.exe



It deletes the following file:
   • mysuperprog.exe



The following files are created:

It creates the following archive containing a copy of the malware:
   • %SYSDIR%\sysformat.exeopenopen

%SYSDIR%\sysformat.exeopenopenopen This is a non malicious text file with the following content:
   • %random character string%




It tries to download a file:

The locations are the following:
   • http://www.cnsrvr.com/**********
   • http://www.casinofunnights.com/**********
   • http://www.ec.cox-wacotrib.com/**********
   • http://www.crazyiron.ru/**********
   • http://www.uni-esma.de/**********
   • http://www.sorisem.net/**********
   • http://www.varc.lv/**********
   • http://www.belwue.de/**********
   • http://www.thetildegroup.com/**********
   • http://www.vybercz.cz/**********
   • http://www.kyno.cz/**********
   • http://www.forumgestionvilles.com/**********
   • http://www.campus-and-more.com/**********
   • http://www.capitalforex.com/**********
   • http://www.capitalspreadspromo.com/**********
   • http://www.prineus.de/**********
   • http://www.databoots.de/**********
   • http://www.steintrade.net/**********
   • http://www.njzt.net/**********
   • http://www.emarrynet.com/**********
   • http://www.zebrachina.net/**********
   • http://www.lxlight.com/**********
   • http://www.yili-lighting.com/**********
   • http://www.fachman.com/**********
   • http://www.q-serwer.net/**********
   • http://www.wellness-i.com/**********
   • http://www.newportsystemsusa.com/**********
   • http://www.westcoastcadd.com/**********
   • http://www.wing49.cz/**********
   • http://www.posteffects.com/**********
   • http://www.provax.sk/**********
   • http://www.casinobrillen.de/**********
   • http://www.duodaydream.nl/**********
   • http://www.finlaw.ru/**********
   • http://www.fitdina.com/**********
   • http://www.flashcardplayer.com/**********
   • http://www.flox-avant.ru/**********
   • http://www.lotslink.com/**********
   • http://www.algor.com/**********
   • http://www.gaspekas.com/**********
   • http://www.ezybidz.com/**********
   • http://www.genesisfinancialonline.com/**********
   • http://www.georg-kuenzle.ch/**********
   • http://www.girardelli.com/**********
   • http://www.rodoslovia.ru/**********
   • http://www.golden-gross.ru/**********
   • http://www.gregoryolson.com/**********
   • http://www.gtechna.com/**********
   • http://www.lunardi.com/**********
   • http://www.sgmisburg.de/**********
   • http://www.harmony-farms.net/**********
   • http://www.hftmusic.com/**********
   • http://www.hiwmreport.com/**********
   • http://www.horizonimagingllc.com/**********
   • http://www.hotelbus.de/**********
   • http://www.howiwinmoney.com/**********
   • http://www.ietcn.com/**********
   • http://www.import-world.com/**********
   • http://www.houstonzoo.org/**********
   • http://www.interorient.ru/**********
   • http://www.internalcardreaders.com/**********
   • http://www.interstrom.ru/**********
   • http://www.iutoledo.org/**********
   • http://www.wena.net/**********
   • http://www.iesgrantarajal.org/**********
   • http://www.alexandriaradiology.com/**********
   • http://www.booksbyhunter.com/**********
   • http://www.wxcsxy.com/**********
   • http://www.coupdepinceau.com/**********
   • http://www.erotologist.com/**********
   • http://www.jackstitt.com/**********
   • http://www.imspress.com/**********
   • http://www.digitalefoto.net/**********
   • http://www.josemarimuro.com/**********
   • http://www.eversetic.com/**********
   • http://www.curious.be/**********
   • http://www.kameo-bijux.ru/**********
   • http://www.karrad6000.ru/**********
   • http://www.kaztransformator.kz/**********
   • http://www.keywordthief.com/**********
It is saved on the local hard drive under: %SYSDIR%\re_file.exe At the time of writing this file was not online for further investigation.

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • sysformat = %SYSDIR%\sysformat.exe



The values of the following registry keys are removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • My AV
   • ICQ Net

–  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • My AV
   • ICQ Net



The following registry keys including all values and subkeys are removed:
   • [HKCU\Software\New Key 1\1]
   • [HKCU\Software\New Key 1\2]
   • [HKCU\Software\New Key 1\New Key 1]



The following registry keys are added:

[HKCU\Software\Microsoft\Params]
   • FirstRun = dword:00000001

[HKLM\SOFTWARE\Microsoft\DownloadManager]


The following registry key is changed:

Deactivate Windows Firewall:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • Start = %user defined settings%
   New value:
   • Start = dword:00000004

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
The following:
   • price



Body:
The body of the email is the following:
   • February price


Attachment:
The filename of the attachment is one of the following:
   • price.zip
   • pricelst.zip
   • pricelist.zip
   • price_lst.zip
   • new_price.zip
   • February_price.zip
   • 21_price.zip
   • upd02.zip
   • Jol03.zip

The attachment is a copy of the created file: %SYSDIR%\sysformat.exeopenopen



The email looks like the following:


 Mailing Search addresses:
It searches the following files for email addresses:
   • .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
      .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
      .oft; .uin; .cgi; .mht; .dhtm; .jsp


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @microsoft; rating@; f-secur; news; update; anyone@; bugs@; contract@;
      feste; gold-certs@; help@; info@; nobody@; noone@; kasp; admin;
      icrosoft; support; ntivi; unix; bsd; linux; listserv; certific; sopho;
      @foo; @iana; free-av; @messagelab; winzip; google; winrar; samples;
      abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@;
      postmaster@


Resolving server names:
It does not use the standard DNS server.
It has the ability to contact the DNS server:
   • 217.5.97.137

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:


   It searches for directories that contain the following substring:
   • shar

   If successful, the following files are created:
   • 1.exe; 2.exe; 3.exe; 4.exe; 5.scr; 6.exe; 7.exe; 8.exe; 9.exe; 10.exe;
      Ahead Nero 7.exe; Windown Longhorn Beta Leak.exe; Opera 8 New!.exe;
      XXX hardcore images.exe; WinAmp 6 New!.exe; WinAmp 5 Pro Keygen Crack
      Update.exe; Adobe Photoshop 9 full.exe; Matrix 3 Revolution English
      Subtitles.exe; ACDSee 9.exe


 Hosts The host file is modified as explained:

In this case existing entries are deleted.

Access to the following domains is effectively blocked:
   • ad.doubleclick.net; ad.fastclick.net; ads.fastclick.net;
      ar.atwola.com; atdmt.com; avp.ch; avp.com; avp.ru; awaps.net;
      banner.fastclick.net; banners.fastclick.net; ca.com; click.atdmt.com;
      clicks.atdmt.com; dispatch.mcafee.com; download.mcafee.com;
      download.microsoft.com; downloads.microsoft.com; engine.awaps.net;
      fastclick.net; f-secure.com; ftp.f-secure.com; ftp.sophos.com;
      go.microsoft.com; liveupdate.symantec.com; mast.mcafee.com;
      mcafee.com; media.fastclick.net; msdn.microsoft.com; my-etrust.com;
      nai.com; networkassociates.com; office.microsoft.com;
      phx.corporate-ir.net; secure.nai.com; securityresponse.symantec.com;
      service1.symantec.com; sophos.com; spd.atdmt.com;
      support.microsoft.com; symantec.com; update.symantec.com;
      updates.symantec.com; us.mcafee.com; vil.nai.com; viruslist.ru;
      windowsupdate.microsoft.com; www.avp.ch; www.avp.com; www.avp.ru;
      www.awaps.net; www.ca.com; www.fastclick.net; www.f-secure.com;
      www.kaspersky.ru; www.mcafee.com; www.my-etrust.com; www.nai.com;
      www.networkassociates.com; www.sophos.com; www.symantec.com;
      www.trendmicro.com; www.viruslist.ru; www3.ca.com




The modified host file will look like this:


 Process termination List of processes that are terminated:
   • mcagent.exe; mcvsshld.exe; mcshield.exe; mcvsescn.exe; mcvsrte.exe;
      DefWatch.exe; Rtvscan.exe; ccEvtMgr.exe; NISUM.EXE; ccPxySvc.exe;
      navapsvc.exe; NPROTECT.EXE; nopdb.exe; ccApp.exe; Avsynmgr.exe;
      VsStat.exe; Vshwin32.exe; alogserv.exe; RuLaunch.exe; Avconsol.exe;
      PavFires.exe; FIREWALL.EXE; ATUPDATER.EXE; LUALL.EXE; DRWEBUPW.EXE;
      AUTODOWN.EXE; NUPGRADE.EXE; OUTPOST.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE;
      ESCANH95.EXE; AVXQUAR.EXE; ESCANHNT.EXE; ATUPDATER.EXE; AUPDATE.EXE;
      AUTOTRACE.EXE; AUTOUPDATE.EXE; AVXQUAR.EXE; AVWUPD32.EXE; AVPUPD.EXE;
      CFIAUDIT.EXE; UPDATE.EXE; NUPGRADE.EXE; MCUPDATE.EXE; pavsrv50.exe;
      AVENGINE.EXE; APVXDWIN.EXE; pavProxy.exe; navapw32.exe; navapsvc.exe;
      ccProxy.exe; navapsvc.exe; NPROTECT.EXE; SAVScan.exe; SNDSrvc.exe;
      symlcsvc.exe; LUCOMS~1.EXE; blackd.exe; bawindo.exe;
      FrameworkService.exe; VsTskMgr.exe; SHSTAT.EXE; UpdaterUI.exe


 Miscellaneous Mutex:
It creates the following Mutexes:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Friday, February 3, 2006
Description updated by Andrei Gherman on Friday, February 10, 2006

Back . . . .