Virus:Worm/Bagle.CW
Date discovered:20/09/2005
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:31.416 Bytes
MD5 checksum:67f2c0b3ca58bdcae30A4c557cde5a24
VDF version:6.32.00.25

 General Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Beagle.CG@mm
   •  Kaspersky: Email-Worm.Win32.Bagle.cz
   •  TrendMicro: WORM_BAGLE.CZ
   •  VirusBuster: I-Worm.Bagle.DU
   •  Eset: Win32/Bagle.CO
   •  Bitdefender: Win32.Bagle.FH@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\windll2.exe




It tries to download some files:

– The locations are the following:
   • http://localhost/**********
   • http://localhost/**********
   • http://localhost/**********
It is saved on the local hard drive under: %SYSDIR%\re_file.exe At the time of writing this file was not online for further investigation.

– The locations are the following:
   • http://clickhare.com/images/**********
   • http://amerikansk-bulldog.dk/images/**********
   • http://eventpeopleforyou.com/help/**********
   • http://fyeye.com/lyra/**********
   • http://ligapichangueras.cl/images/**********
   • http://ekshrine.com/images/**********
   • http://directeenhuis.nl/images/**********
   • http://creacionesartisticasandaluzas.com/bovedas/**********
It is saved on the local hard drive under: %WINDIR%\eml.exe At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
   • "erthegdr" = "%SYSDIR%\windll2.exe"



The values of the following registry keys are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n]
   • erthegdr
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  [HKCU\SOFTWARE\ewrt]

 Email It doesn't have its own spreading routine but it was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
The subject line is empty.


Body:
The body of the email is one of the lines:
   • The password is
   • Password:
   • price
   • new price


Attachment:
The contents of the file is not a copy of itself but another malware.

The filename of the attachment is one of the following:
   • price.zip
   • price2.zip
   • price_new.zip
   • price_09.zip
   • 09_price.zip
   • newprice.zip
   • new_price.zip
   • new__price.zip

 Mailing Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @eerswqe; @derewrdgrs; @microsoft; rating@; f-secur; news; update;
      anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@;
      noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux;
      listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip;
      google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.;
      noreply; local; root@; postmaster@

 Process termination List of processes that are terminated:
   • 1t1epad.exe
   • t1es1t.exe


 Miscellaneous Mutex:
It creates the following Mutexes:
   • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • ____--->>>>U<<<<--____
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • (null)

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Irina Boldea on Monday, February 20, 2006
Description updated by Irina Boldea on Thursday, March 16, 2006

Back . . . .