Virus:Worm/Bagle.GC
Date discovered:30/11/2006
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:188.422 Bytes
MD5 checksum:23e143e87ff2fb1be5a3e2b2d93ce283
VDF version:6.36.01.108
IVDF version:6.36.01.113
Heuristic:HEUR/Crypted

 General Method of propagation:
   • Email


Aliases:
   •  Kaspersky: Email-Worm.Win32.Bagle.gr
   •  F-Secure: W32/Bagle.GO
   •  Sophos: W32/Bagle-QS
   •  Grisoft: I-Worm/Bagle.OI
   •  Eset: Win32/Bagle.HB

It was previously detected as:
   •  TR/Bagle.GC


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Downloads files
   • Drops a malicious file
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification


Right after execution it runs a windows application which will display the following window:


 Files It copies itself to the following locations:
   • %APPDATA%\hidn\hldrrr.exe
   • %APPDATA%\hidn\hidn2.exe



It copies itself within an archive to the following location:
   • C:\temp.zip



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %malware execution directory%\aspr_keys.ini

– C:\error.txt This is a non malicious text file with the following content:
   • UTF-8 decoding error.

– %HOME%\Application Data\hidn\m_hook.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Rkit.Bagle.GL




It tries to download some files:

– The locations are the following:
   • http://ujscie.one.pl/**********
   • http://1point2.iae.nl/**********
   • http://appaloosa.no/**********
   • http://apromed.com/**********
   • http://arborfolia.com/**********
   • http://pawlacz.com/**********
   • http://areal-realt.ru/**********
   • http://bitel.ru/**********
   • http://yetii.no-ip.com/**********
   • http://art4u1.superhost.pl/**********
   • http://www.artbed.pl/**********
   • http://art-bizar.foxnet.pl/**********
   • http://www.jonogueira.com/**********
   • http://asdesign.cz/**********
   • http://ftp-dom.earthlink.net/**********
   • http://www.aureaorodeley.com/**********
   • http://www.autoekb.ru/**********
   • http://www.autovorota.ru/**********
   • http://avenue.ee/**********
   • http://ouarzazateservices.com/**********
   • http://stats-adf.altadis.com/**********
   • http://bartex-cit.com.pl/**********
   • http://bazarbekr.sk/**********
   • http://gnu.univ.gda.pl/**********
   • http://bid-usa.com/**********
   • http://biliskov.com/**********
   • http://biomedpel.cz/**********
   • http://blackbull.cz/**********
   • http://bohuminsko.cz/**********
   • http://bonsai-world.com.au/**********
   • http://bpsbillboards.com/**********
   • http://cadinformatics.com/**********
   • http://canecaecia.com/**********
   • http://www.castnetnultimedia.com/**********
   • http://compucel.com/**********
   • http://continentalcarbonindia.com/**********
   • http://ceramax.co.kr/**********
   • http://prime.gushi.org/**********
   • http://www.chapisteriadaniel.com/**********
   • http://charlesspaans.com/**********
   • http://chatsk.wz.cz/**********
   • http://www.chittychat.com/**********
   • http://checkalertusa.com/**********
   • http://cibernegocios.com.ar/**********
   • http://5050clothing.com/**********
   • http://cof666.shockonline.net/**********
   • http://comaxtechnologies.net/**********
   • http://concellodesandias.com/**********
   • http://www.cort.ru/**********
   • http://donchef.com/**********
   • http://www.crfj.com/**********
   • http://kremz.ru/**********
   • http://dev.jintek.com/**********
   • http://foxvcoin.com/**********
   • http://uwua132.org/**********
   • http://v-v-kopretiny.ic.cz/**********
   • http://erich-kaestner-schule-donaueschingen.de/**********
   • http://vanvakfi.com/**********
   • http://axelero.hu/**********
   • http://kisalfold.com/**********
   • http://vega-sps.com/**********
   • http://vidus.ru/**********
   • http://viralstrategies.com/**********
   • http://svatba.viskot.cz/**********
   • http://Vivamodelhobby.com/**********
   • http://vkinfotech.com/**********
   • http://vytukas.com/**********
   • http://waisenhaus-kenya.ch/**********
   • http://watsrisuphan.org/**********
   • http://www.ag.ohio-state.edu/**********
   • http://wbecanada.com/**********
   • http://calamarco.com/**********
   • http://vproinc.com/**********
   • http://grupdogus.de/**********
   • http://knickimbit.de/**********
   • http://dogoodesign.ch/**********
   • http://systemforex.de/**********
   • http://zebrachina.net/**********
   • http://www.walsch.de/**********
   • http://hotchillishop.de/**********
   • http://innovation.ojom.net/**********
   • http://massgroup.de/**********
   • http://web-comp.hu/**********
   • http://webfull.com/**********
   • http://welvo.com/**********
   • http://www.ag.ohio-state.edu/**********
   • http://poliklinika-vajnorska.sk/**********
   • http://wvpilots.org/**********
   • http://www.kersten.de/**********
   • http://www.kljbwadersloh.de/**********
   • http://www.voov.de/**********
   • http://www.wchat.cz/**********
   • http://www.wg-aufbau-bautzen.de/**********
   • http://www.wzhuate.com/**********
   • http://zsnabreznaknm.sk/**********
   • http://xotravel.ru/**********
   • http://ilikesimple.com/**********
   • http://yeniguntugla.com/**********
It is saved on the local hard drive under: %SYSDIR%\re_file.exe At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • drv_st_key = %APPDATA%\hidn\hidn2.exe



The following registry keys are added in order to load the service after reboot:

– [HKEY_LOCAL-MACHINE\SYSTEM\CurrentControlSet\Services\m_hook]
   • Type = 1
   • Start = 3
   • ErrorControl = 0
   • ImagePath = \??\%APPDATA%\hidn\m_hook.sys
   • DisplayName = Empty



The following registry key including all values and subkeys is removed:
   • [HKLM\SYSTEM\CurrentControlSet\Control\Safeboot]



The following registry key is added:

– [HKCU\Software\FirstRuxzx]
   • FirstRu21n = 1

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– The following email address:
   • user%several random digits% @gmail.com


Subject:
One of the following:
   • price_new%current date%
   • price_ %current date%
   • price%current date%
   • price %current date%



Body:
– Contains HTML code.
The body of the email is one of the following:

   • It Is Protected
     Passwrd: %image containing the password%

   • thank you !!!
     Passwrd: %image containing the password%

   • New year's discounts
     Passwrd: %image containing the password%


Attachment:
The filename of the attachment is one of the following:
   • price%current date%.zip
   • new_price%current date%.zip
   • price_list%current date%.zip
   • latest_price%current date%.zip

The attachment is an archive containing a copy of the malware itself.



The email looks like the following:


 Mailing Search addresses:
It searches the following files for email addresses:
   • .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
      .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
      .oft; .uin; .cgi; .mht; .dhtm; .jsp


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • rating@; f-secur; news; update; anyone@; bugs@; contract@; feste;
      gold-certs@; help@; info@; nobody@; noone@; kasp; admin; icrosoft;
      support; ntivi; unix; bsd; linux; listserv; certific; sopho; @foo;
      @iana; free-av; @messagelab; winzip; google; winrar; samples; abuse;
      panda; cafee; spam; pgp; @avp.; noreply; local; root@; postmaster@


Resolving server names:
If the request using the standard DNS fails it continues with the following
It has the ability to contact the DNS server:
   • 217.5.97.137

 Process termination  List of services that are disabled:
   • Aavmker4; ABVPN2K; ADFirewall; AFWMCL; Ahnlab task Scheduler; alerter;
      AlertManger; AntiVir Service; AntiyFirewall; aswMon2; aswRdr; aswTdi;
      aswUpdSv; Ati HotKey Poller; avast! Antivirus; avast! Mail Scanner;
      avast! Web Scanner; AVEService; AVExch32Service; AvFlt; Avg7Alrt;
      Avg7Core; Avg7RsW; Avg7RsXP; Avg7UpdSvc; AvgCore; AvgFsh; AVGFwSrv;
      AvgFwSvr; AvgServ; AvgTdi; AVIRAMailService; AVIRAService; avpcc;
      AVUPDService; AVWUpSrv; AvxIni; awhost32; backweb client - 4476822;
      BackWeb Client - 7681197; backweb client-4476822; Bdfndisf; bdftdif;
      bdss; BlackICE; BsFileSpy; BsFirewall; BsMailProxy; CAISafe; ccEvtMgr;
      ccPwdSvc; ccSetMgr; ccSetMgr.exe; DefWatch; drwebnet; dvpapi; dvpinit;
      ewido security suite control; ewido security suite driver; ewido
      security suite guard; F-Prot Antivirus Update Monitor; F-Secure
      Gatekeeper Handler Starter; firewall; fsbwsys; FSDFWD; FSFW; FSMA;
      FwcAgent; fwdrv; Guard NT; HSnSFW; HSnSPro; InoRPC; InoRT; InoTask;
      Ip6Fw; Ip6FwHlp; KAVMonitorService; KAVSvc; KLBLMain; KPfwSvc;
      KWatch3; KWatchSvc; McAfee Firewall; McAfeeFramework; McShield;
      McTaskManager; mcupdmgr.exe; MCVSRte; Microsoft NetWork FireWall
      Services; MonSvcNT; MpfService; navapsvc; Ndisuio; NDIS_RD; Network
      Associates Log Service; nipsvc; NISSERV; NISUM; NOD32ControlCenter;
      NOD32krn; NOD32Service; Norman NJeeves; Norman Type-R; Norman ZANDA;
      Norton AntiVirus Server; NPDriver; NPFMntor; NProtectService; NSCTOP;
      nvcoas; NVCScheduler; nwclntc; nwclntd; nwclnte; nwclntf; nwclntg;
      nwclnth; NWService; OfcPfwSvc; Outbreak Manager; Outpost Firewall;
      OutpostFirewall; PASSRV; PAVAGENTE; PavAtScheduler; PAVDRV; PAVFIRES;
      PAVFNSVR; Pavkre; PavProc; PavProt; PavPrSrv; PavReport; PAVSRV;
      PCCPFW; PCC_PFW; PersFW; Personal Firewall; PREVSRV; PSIMSVC;
      qhwscsvc; wscsvc; Quick Heal Online Protection; ravmon8; RfwService;
      SAVFMSE; SAVScan; SBService; schscnt; SharedAccess; SmcService;
      SNDSrvc; SPBBCSvc; SpiderNT; SweepNet; Symantec AntiVirus Client;
      Symantec Core LC; The_Hacker_Antivirus; Tmntsrv; TmPfw; tmproxy;
      tmtdi; tm_cfw; T_H_S_M; V3MonNT; V3MonSvc; Vba32ECM; Vba32ifs;
      Vba32Ldr; Vba32PP3; VBCompManService; VexiraAntivirus; VFILT; VisNetic
      AntiVirus Plug-in; vrfwsvc; vsmon; VSSERV; WinAntivirus; WinRoute;
      wuauserv; xcomm

 Backdoor Contact server:
One of the following:
   • http://www.titanmotors.com/images/1/**********
   • http://veranmaisala.com/1/**********
   • http://wklight.nazwa.pl/1/**********
   • http://yongsan24.co.kr/1/**********
   • http://accesible.cl/1/**********
   • http://hotelesalba.com/1/**********
   • http://amdlady.com/1/**********
   • http://inca.dnetsolution.net/1/**********
   • http://www.auraura.com/1/**********
   • http://avataresgratis.com/1/**********
   • http://beyoglu.com.tr/1/**********
   • http://brandshock.com/1/**********
   • http://www.buydigital.co.kr/1/**********
   • http://camaramafra.sc.gov.br/1/**********
   • http://camposequipamentos.com.br/1/**********
   • http://cbradio.sos.pl/1/**********
   • http://c-d-c.com.au/1/**********
   • http://www.klanpl.com/1/**********
   • http://coparefrescos.stantonstreetgroup.com/1/**********
   • http://creainspire.com/1/**********
   • http://desenjoi.com.br/1/**********
   • http://www.inprofile.gr/1/**********
   • http://www.diem.cl/1/**********
   • http://www.discotecapuzzle.com/1/**********


 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own files
– Its own process
– Its own registry keys


Method used:
    • Hidden from Windows API

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • ASProtect

Description inserted by Alexander Vukcevic on Friday, December 1, 2006
Description updated by Andrei Gherman on Monday, December 4, 2006

Back . . . .