Virus: TR/Bagle.EB
Date discovered: 07/11/2005
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 17.858 Bytes
MD5 checksum: 5da48adaa372b9754140812317cd3870
VDF version: 6.32.00.152

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Beagle@mm
   •  Kaspersky: Email-Worm.Win32.Bagle.en
   •  TrendMicro: WORM_BAGLE.BS
   •  Sophos: W32/Bagle-AR
   •  Grisoft: I-Worm/Bagle.IR
   •  VirusBuster: I-Worm.Bagle.EK
   •  Eset: Win32/Bagle.ES
   •  Bitdefender: Win32.Bagle.EK@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

Files:
It copies itself to the following location:
   • %SYSDIR%\windll2.exe




It tries to download some files:

– The locations are the following:
   • http://clickhare.com/images/**********
   • http://amerikansk-bulldog.dk/images/**********
   • http://eventpeopleforyou.com/help/**********
   • http://ekshrine.com/images/**********
   • http://www.familia-sanchez.net/images/**********
   • http://www.asymchem.com/images/**********
   • http://www.baku-xeber.com/images/**********
   • http://www.abmedical.pl/images/**********
   • http://www.cellphonemadeinchina.com/images/**********
It is saved on the local hard drive under %WINDIR%\eml.exe. At the time of writing this file was not online for further investigation.

– The locations are the following:
   • http://localhost/**********
   • http://localhost/**********
   • http://localhost/**********
It is saved on the local hard drive under %SYSDIR%\re_file.exe. At the time of writing this file was not online for further investigation.

Registry:
The values of the following registry keys are removed:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
   • "erthegdr"="%SYSDIR%\windll2.exe"



The following registry key is added:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
   • "erthegdr"="%SYSDIR%\windll2.exe"
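A small audit routine for the registry behaviour described above (the added erthegdr autostart value and the removed security-product entries). This is an added example, not Avira's code; the before/after Run-key snapshots are constructed sample data, and the expanded Windows paths in them are assumptions.

```python
# Run-key audit for the persistence and autostart-entry removal described
# above. Added example, not Avira's code; the snapshots are constructed data.

# Autostart value the description reports Bagle.EB adding under ...\Run.
BAGLE_VALUE_NAME = "erthegdr"
BAGLE_IMAGE = "windll2.exe"

# Value names the description reports being removed from the Run keys
# (security tools and rival malware). Compared case-insensitively, as the
# registry does.
REMOVED_VALUE_NAMES = {n.casefold() for n in (
    "ICQ Net", "SkynetsRevenge", "KasperskyAVEng", "Norton Antivirus AV",
    "PandaAVEngine", "EasyAV", "SysMonXP", "MsInfo", "FirewallSvr", "Jammer2nd",
    "NetDy", "HtProtect", "ICQNet", "Tiny AV", "service",
    "Special Firewall Service", "Antivirus", "9XHtProtect",
    "Zone Labs Client Ex", "My AV",
)}

def audit_run_key(before: dict, after: dict) -> dict:
    """Compare two snapshots of one Run key ({value name: command line}).
    Returns the Bagle.EB autostart entry if it appeared, the removed entries
    that match the list above, and an overall verdict."""
    bagle = {
        name: cmd for name, cmd in after.items()
        if name.casefold() == BAGLE_VALUE_NAME
        and cmd.casefold().endswith("\\" + BAGLE_IMAGE)
    }
    after_names = {n.casefold() for n in after}
    removed = sorted(
        name for name in before
        if name.casefold() not in after_names
        and name.casefold() in REMOVED_VALUE_NAMES
    )
    return {"bagle_autorun": bagle,
            "removed_security_entries": removed,
            "suspicious": bool(bagle or removed)}

# Constructed snapshots of HKCU\...\Run before and after infection (sample
# data; the product paths are assumed, not taken from a real host).
BEFORE = {
    "KasperskyAVEng": r"C:\Program Files\Kaspersky\kav.exe",
    "Zone Labs Client Ex": r"C:\Program Files\Zone Labs\zlclient.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
AFTER = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "erthegdr": r"C:\WINDOWS\system32\windll2.exe",
}

if __name__ == "__main__":
    print(audit_run_key(BEFORE, AFTER))
```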

Email:
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Generated addresses. Please do not assume that the apparent sender intended to send this email to you. That person might not know about the infection or might not even be infected at all. Furthermore, you may receive bounced emails telling you that you are infected; this may also not be the case.


Subject:
The subject line is empty.


Body:
The body of the email is one of the lines:
   • Password:
   • The password is:
   • info
   • texte


Attachment:
The contents of the file are not a copy of itself but a different piece of malware.

The filename of the attachment is one of the following:
   • text_sms.zip
   • sms_text.zip
   • The_new_prices.zip
   • Info_prices.zip
   • Business_dealing.zip
   • max.zip
   • Health_and_knowledge.zip
   • Business.zip
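A mail-gateway heuristic built from the traits listed above (empty subject, a body equal to one of the four lines, an attachment from the name list). This is an added example, not Avira's code; the two raw messages are constructed samples, and requiring all three traits together is a design choice of the example, not a statement from the description.

```python
from email import message_from_string

# Traits the description gives for the mails TR/Bagle.EB sends.
BODY_LINES = {"Password:", "The password is:", "info", "texte"}
ATTACHMENT_NAMES = {
    "text_sms.zip", "sms_text.zip", "The_new_prices.zip", "Info_prices.zip",
    "Business_dealing.zip", "max.zip", "Health_and_knowledge.zip", "Business.zip",
}

def matches_bagle_eb(raw: str) -> bool:
    """True when a raw RFC 822 message shows all three traits at once:
    empty Subject, body equal to one known line, attachment from the list.
    Requiring all three keeps a lone 'info' body from triggering."""
    msg = message_from_string(raw)
    if (msg.get("Subject") or "").strip():
        return False
    body_hit = attach_hit = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attach_hit |= name in ATTACHMENT_NAMES
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            body_hit |= text.strip() in BODY_LINES
    return body_hit and attach_hit

# Constructed sample in the described shape (not a real capture).
SAMPLE_MATCH = """\
From: Judith@example.test
Subject:
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The password is:
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Info_prices.zip"

UEsDBAo=
--b1--
"""
# Constructed benign mail with a real subject line.
SAMPLE_BENIGN = "From: a@example.test\nSubject: Hello\n\nSee you tomorrow.\n"
```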

Mailing:
Address generation for the FROM field:
To generate addresses it uses the following strings:
   • Ales; Alice; Alyce; Andrew; Androw; Androwe; Ann; Anna; Anne; Annes;
      Anthonie; Anthony; Anthonye; Avice; Avis; Bennet; Bennett; Christean;
      Christian; Constance; Cybil; Daniel; Danyell; Dorithie; Dorothee;
      Dorothy; Edmond; Edmonde; Edmund; Edward; Edwarde; Elizabeth;
      Elizabethe; Ellen; Ellyn; Emanual; Emanuel; Emanuell; Ester; Frances;
      Francis; Fraunces; Gabriell; Geoffraie; George; Grace; Harry; Harrye;
      Henrie; Henry; Henrye; Hughe; Humphrey; Humphrie; Isabel; Isabell;
      James; Jane; Jeames; Jeffrey; Jeffrye; Joane; Johen; John; Josias;
      Judeth; Judith; Judithe; Katherine; Katheryne; Leonard; Leonarde;
      Margaret; Margarett; Margerie; Margerye; Margret; Margrett; Marie;
      Martha; Mary; Marye; Michael; Mychaell; Nathaniel; Nathaniell;
      Nathanyell; Nicholas; Nicholaus; Nycholas; Peter; Ralph; Rebecka;
      Richard; Richarde; Robert; Roberte; Roger; Rose; Rycharde; Samuell;
      Sara; Sidney; Sindony; Stephen; Susan; Susanna; Suzanna; Sybell;
      Sybyll; Syndony; Thomas; Valentyne; William; Winifred; Wynefrede;
      Wynefreed; Wynnefreede



Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @eerswqe; @derewrdgrs; @microsoft; rating@; f-secur; news; update;
      anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@;
      noone@; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux;
      listserv; certific; sopho; @foo; @iana; free-av; @messagelab; winzip;
      google; winrar; samples; abuse; panda; cafee; spam; pgp; @avp.;
      noreply; local; root@; postmaster@


MX Server:
It does not use the standard MX server.
It has the ability to contact the MX server:
   • smtp.mail.ru

Process termination:
It tries to terminate the following processes and delete the corresponding files:
   • 1t1epad.exe
   • t1es1t.exe


Backdoor:
The following port is opened:

%SYSDIR%\windll2.exe on TCP port 80 in order to provide a proxy server.

Miscellaneous:
It creates the following Mutexes:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • ____--->>>>U<<<<--____
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Irina Boldea on Monday, May 29, 2006
Description updated by Irina Boldea on Monday, May 29, 2006
