Alias: W32/Bagle.aq@MM, WORM_BAGLE.AC
Type: Worm
Size: 19,460 bytes / 14,848 bytes (Trojan)
Origin:
Date: 08-09-2004
Damage: Sent by email. Installs a Trojan.
VDF Version: 6.26.00.60
Danger: Low
Distribution: Medium

Distribution
Worm/Bagle.aq sends a Trojan, which then downloads the actual Bagle Win PE file from various websites. To spread, it searches for email addresses in files with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

The email sent by Bagle.aq contains:
Subject:

Body:
new price

Attachment: (one of the files below)
08_price.zip
new__price.zip
new_price.zip
newprice.zip
price.zip
price2.zip
price_08.zip
price_new.zip
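
A mail-gateway check for the mailing pattern described above, added here as an illustration and not taken from Avira. The body text and the eight attachment names are the advisory's indicators; the sample message, the helper names and the archive-contents heuristic (a .zip whose members are executables, which goes beyond the advisory's list and also catches renamed carriers) are assumptions of this example.

```python
"""Mail-gateway triage for the Worm/Bagle.aq mailing pattern.

Added illustration, not Avira's code. The body text and attachment names are the
advisory's indicators; the sample message, helper names and the zip-contents
heuristic (a .zip that carries an executable member) are assumptions added here.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import Dict, List, Optional

BAGLE_AQ_BODY = "new price"                        # body text from the advisory
BAGLE_AQ_ATTACHMENTS = {                           # attachment names from the advisory
    "08_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price.zip", "price2.zip", "price_08.zip", "price_new.zip",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_has_executable(data: bytes) -> bool:
    """True if the zip payload lists a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith(EXECUTABLE_SUFFIXES)
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> Dict[str, object]:
    """Match one raw RFC 5322 message against the indicators and return the hits."""
    msg = message_from_bytes(raw, policy=default)
    hits: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None:
            # Inline text: compare the whole body with the advisory's body text.
            if part.get_content_type() == "text/plain" and \
                    part.get_content().strip().lower() == BAGLE_AQ_BODY:
                hits.append("body:" + BAGLE_AQ_BODY)
            continue
        if filename.lower() in BAGLE_AQ_ATTACHMENTS:
            hits.append("attachment-name:" + filename)
        if filename.lower().endswith(".zip") and \
                zip_has_executable(part.get_payload(decode=True) or b""):
            hits.append("zip-contains-executable:" + filename)
    # Two independent indicators are enough to hold the message; one is worth a look.
    verdict = "quarantine" if len(hits) >= 2 else ("review" if hits else "pass")
    return {"hits": hits, "verdict": verdict}


def build_sample_message(body: str, attachment_name: Optional[str] = None,
                         member_name: str = "price.exe") -> bytes:
    """Construct a test message (constructed sample, not a captured Bagle mail).

    When attachment_name is given, a small zip holding member_name is attached,
    mirroring the price*.zip carrier described in the advisory.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content(body)
    if attachment_name is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr(member_name, b"placeholder bytes, not an executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("new price", "new_price.zip")
    print(triage_message(sample))
```

The verdict thresholds are a policy choice: a lone name match on a zip that holds no executable is only worth a review, because attachment names like price.zip also occur in legitimate mail, while body text plus a zip-wrapped executable is the advisory's full pattern.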

The worm copies itself into every directory whose name contains the string 'SHAR', using the following file names:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Technical Details
Worm/Bagle.aq is a mass mailer that uses its own SMTP engine.
This Bagle version does not send itself directly; it sends a Trojan instead. If the recipient opens the email attachment, the Trojan is installed on the system and downloads the actual Bagle over UDP and TCP port 80 from the Internet.

If the Trojan is opened, the following files are created:
%SystemDIR%\WINdirect.exe
%SystemDIR%\_dll.exe
and the following registry entries are made:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"win_upd.exe"="%SystemDIR%\WINdirect.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"win_upd.exe"="%SystemDIR%\WINdirect.exe"

If any of the following processes is running, it tries to terminate them automatically:
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
sys_xp.exe
sysxp.exe
winxp.exe

The Trojan can download files from the following websites into the Windows directory of the infected system:
134.102.228.45
196.12.49.27
213.188.129.72
64.62.172.118
abi-2004.org
advm1.gm.fh-koeln.de
alexey.pioneers.com.ru
alfinternational.ru
aus-Zeit.com
binn.ru
burn2k.ipupdater.com
carabi.ru
catalog.zelnet.ru
cavalierland.5u.com
celine.artics.ru
change.east.ru
colleen.ai.net
controltechniques.ru
dev.tikls.net
diablo.homelinux.com
dodgetheatre.com
dozenten.f1.fhtw-berlin.de
emnesty.w.interia.pl
emnezz.e-mania.pl
euroviolence.com
evadia.ru
fairy.dataforce.net
financial.washingtonpost.com
free.bestialityhost.com
gutemine.wu-wien.ac.at
herzog.cs.uni-magdeburg.de
home.profootball.ru
host.businessweek.com
host.wallstreetcity.com
host23.ipowerweb.com
hsr.zhp.org.pl
infokom.pl
kafka.punkt.pl
kooltokyo.ru
kypexin.ru
lars-s.privat.t-online.de
lottery.h11.ru
matzlinger.com
megion.ru
mmag.ru
molinero-berlin.de
momentum.ru
niebo.net
nominal.kaliningrad.ru
omegat.ru
ourcj.com
packages.debian.or.jp
pb195.slupsk.sdi.tpnet.pl
photo.gornet.ru
pixel.co.il
pocono.ru
polobeer.de
porno-mania.net
protek.ru
przeglad-tygodnik.pl
quotes.barchart.com
r2626r.de
rausis.latnet.lv
relay.great.ru
republika.pl
sacred.ru
sbuilder.ru
sec.polbox.pl
shadkhan.ru
silesianet.pl
slavarik.ru
sovea.de
spbbook.ru
strony.wp.pl
szm.sk
tarkosale.net
tdi-router.opola.pl
terramail.pl
thorpedo.us
traveldeals.sidestep.com
ultimate-best-hgh.0my.net
vip.pnet.pl
werel1.web-gratis.net
www.5100.ru
www.PlayGround.ru
www.aannemers-nederland.nl
www.abcdesign.ru
www.airnav.com
www.aktor.ru
www.ankil.ru
www.antykoncepcja.net
www.aphel.de
www.artics.ru
www.astoria-stuttgart.de
www.avant.ru
www.baltmatours.com
www.baltnet.ru
www.biratnagarmun.org.np
www.biysk.ru
www.boglen.com
www.bridesinrussia.com
www.busheron.ru
www.ccbootcamp.com
www.chat4adult.com
www.chelny.ru
www.ciachoo.pl
www.dami.com.pl
www.ddosers.net
www.dicto.ru
www.dilver.ru
www.dsmedia.ru
www.dynex.ru
www.elemental.ru
www.elit-line.ru
www.epski.gr
www.forbes.com
www.free-time.ru
www.gamma.vyborg.ru
www.gantke-net.com
www.gin.ru
www.glass-master.ru
www.glavriba.ru
www.gradinter.ru
www.hack-gegen-rechts.com
www.hbz-nrw.de
www.hgr.de
www.hgrstrailer.com
www.ifa-guide.co.uk
www.iluminati.kicks-ass.net
www.infognt.com
www.intellect.lvc
www.interfoodtd.ru
www.interrybflot.ru
www.inversorlatino.com
www.jewishgen.org
www.k2kapital.com
www.kefaloniaresorts.com
www.lamatec.com
www.landofcash.net
www.laserbuild.ru
www.math.kobe-u.ac.jp
www.mcschnaeppchen.com
www.mdmedia.org
www.met.pl
www.metacenter.ru
www.milm.ru
www.myrtoscorp.com
www.nefkom.net
www.neostrada.pl
www.neprifan.ru
www.netradar.com
www.no-abi2003.de
www.oldtownradio.com
www.omnicom.ru
www.oshweb.com
www.pakwerk.ru
www.perfectgirls.net
www.perfectjewel.com
www.peterstar.ru
www.pgipearls.com
www.phg.pl
www.porsa.ru
www.porta.de
www.rafani.cz
www.rastt.ru
www.republika.pl
www.rollenspielzirkel.de
www.rubikon.pl
www.rumbgeo.ru
www.rweb.ru
www.scli.ru
www.sdsauto.ru
www.sensi.com
www.silesianet.pl
www.sjgreatdeals.com
www.sposob.ru
www.strefa.pl
www.tanzen-in-sh.de
www.taom-clan.de
www.tayles.com
www.teatr-estrada.ru
www.teleline.ru
www.thepositivesideofsports.com
www.timelessimages.com
www.tuhart.net
www.vconsole.net
www.vendex.ru
www.virtmemb.com
www.vivamedia.ru
www.vrack.net
www.wapf.com
www.webpark.pl
www.webronet.com
www.webzdarma.cz
www.yarcity.ru
www.youbuynow.com
www.zeiss.ru
www.zelnet.ru
www.zhp.gdynia.pl
wynnsjammer.proboards18.com
yaguark.h10.ru

If the Bagle.aq Win PE file is downloaded and executed by the Trojan, the following files are created:
%SystemDIR%\windll.exe
%SystemDIR%\windll.exeopen
%SystemDIR%\windll.exeopenopen
%SystemDIR%\re_file.exe

and the following entry is made in the registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"erthgdr"="%SystemDIR%\windll.exe"

It deletes the following Windows registry entries, if present:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"9XHtProtect"=
"Antivirus"=
"EasyAV"=
"FirewallSvr"=
"HtProtect"=
"ICQ Net"=
"ICQNet"=
"Jammer2nd"=
"KasperskyAVEng"=
"MsInfo"=
"My AV"=
"NetDy"=
"Norton Antivirus AV"=
"PandaAVEngine"=
"SkynetsRevenge"=
"Special Firewall Service"=
"SysMonXP"=
"Tiny AV"=
"Zone Labs Client Ex"=
"service"=

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"9XHtProtect"=
"Antivirus"=
"EasyAV"=
"FirewallSvr"=
"HtProtect"=
"ICQ Net"=
"ICQNet"=
"Jammer2nd"=
"KasperskyAVEng"=
"MsInfo"=
"My AV"=
"NetDy"=
"Norton Antivirus AV"=
"PandaAVEngine"=
"SkynetsRevenge"=
"Special Firewall Service"=
"SysMonXP"=
"Tiny AV"=
"Zone Labs Client Ex"=
"service"=
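
A host-side triage routine for the persistence artefacts listed in the Technical Details above, added here as an illustration and not Avira's tooling. The Run value names (win_upd.exe and erthgdr), the dropped file names and the idea of checking for vanished security-product autostart entries come from the advisory; the .reg sample export, the helper names and the operator-supplied list of expected autostart names are assumptions of this example.

```python
"""Host triage for the persistence artefacts described in the Worm/Bagle.aq advisory.

Added illustration, not Avira's tooling. The Run value names (win_upd.exe,
erthgdr), the dropped file names and the deleted security-product value names
come from the advisory; the .reg sample below, the helper names and the
operator-supplied "expected" list are assumptions added here.
"""
import ntpath
import os
import re
from typing import Dict, Iterable, List

RUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
_RUN_KEYS_UPPER = {k.upper() for k in RUN_KEYS}
BAGLE_RUN_VALUES = {"win_upd.exe", "erthgdr"}          # Trojan and worm autostart names
BAGLE_FILES = {"windirect.exe", "_dll.exe", "windll.exe", "windll.exeopen",
               "windll.exeopenopen", "re_file.exe"}     # dropped into %SystemDIR%

# "name"="string" lines of a .reg export; backslashes and quotes are escaped with '\'.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and REG_SZ values of a .reg export into {key: {name: value}}.

    dword:/hex: values are not needed for Run-key triage and are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _image_basename(command: str) -> str:
    """Lower-case file name of the executable in a Run command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def find_run_persistence(export: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for Run values whose name or image matches the advisory."""
    findings: List[str] = []
    for key, values in export.items():
        if key.upper() not in _RUN_KEYS_UPPER:
            continue
        for name, command in values.items():
            image = _image_basename(command)
            if name in BAGLE_RUN_VALUES:
                findings.append(f"{key}: value '{name}' -> {command}")
            elif image in BAGLE_FILES:
                findings.append(f"{key}: image '{image}' under value '{name}'")
    return findings


def missing_expected_values(export: Dict[str, Dict[str, str]],
                            expected: Iterable[str]) -> List[str]:
    """Expected autostart names (e.g. the site's AV product) absent from both Run keys.

    The worm deletes the security-product names listed in the advisory, so a
    baseline entry that has vanished is itself a signal.
    """
    present = set()
    for key, values in export.items():
        if key.upper() in _RUN_KEYS_UPPER:
            present.update(values)
    return sorted(set(expected) - present)


def find_dropped_files(system_dir: str) -> List[str]:
    """Advisory file names present in system_dir (empty if the directory is unreadable)."""
    try:
        names = {n.lower() for n in os.listdir(system_dir)}
    except OSError:
        return []
    return sorted(BAGLE_FILES & names)


# Constructed sample export: three infected entries, one under an innocuous value name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"erthgdr"="C:\\WINDOWS\\system32\\windll.exe"
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"
"Updater"="C:\\WINDOWS\\system32\\_dll.exe"
'''

if __name__ == "__main__":
    export = parse_reg_export(SAMPLE_REG_EXPORT)
    for finding in find_run_persistence(export):
        print(finding)
    print("missing:", missing_expected_values(export, ["KasperskyAVEng", "OneDrive"]))
```

Matching on the image file name as well as on the value name matters because the value name is the cheapest thing for a variant to change; the `missing_expected_values` check needs a per-site baseline of which autostart names should be present, since on most machines the advisory's whole list of security-product names is legitimately absent.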
Description inserted by Crony Walker on Tuesday, June 15, 2004
