Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:04/02/2006
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:No
File size:~20.000 Bytes
VDF version:

 General Methods of propagation:
   • Email
   • Peer to Peer

   •  Symantec: W32.Beagle.DN@mm
   •  Mcafee: W32/Bagle.dq@MM
   •  Kaspersky:
   •  TrendMicro: WORM_BAGLE.EF
   •  Bitdefender: Trojan.Downloader.Bagle.EO

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Drops a malicious file
   • Uses its own Email engine
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\windspl.exe

It copies itself to the following locations. Those files have random bytes appended so they may differ from the original one:
   • %SYSDIR%\windspl.exeopen
   • %SYSDIR%\windspl.exeopenopen

The following file is created:

%WINDIR%\regisp32.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Bagle.FJ

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • DsplObjects = %SYSDIR%\windspl.exe

The values of the following registry keys are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • ICQ Net
   • SkynetsRevenge
   • KasperskyAVEng
   • Norton Antivirus AV
   • PandaAVEngine
   • EasyAV
   • SysMonXP
   • MsInfo
   • FirewallSvr
   • Jammer2nd
   • NetDy
   • HtProtect
   • ICQNet
   • Tiny AV
   • service
   • Special Firewall Service
   • Antivirus
   • 9XHtProtect
   • Zone Labs Client Ex
   • My AV

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.

– Email addresses found in specific files on the system.

One of the following:
   • Gwd: Msg reply; Gwd: Hello :-); Gwd: Yahoo!!!; Gwd: Thank you!; Gwd:
      Thanks :); Gwd: Text message; Gwd: Document; Gwd: Incoming message;
      Gwd: Incoming Message; Gwd: Incoming Msg; Gwd: Message Notify; Gwd:
      Notification; Gwd: Changes..; Gwd: Update; Gwd: Fax Message; Gwd:
      Protected message; Gwd: Protected message; Gwd: Forum notify; Gwd:
      Site changes; Gwd: Hi; Gwd: crypted document

The body of the email is one of the lines:
   • Ok. Read the attach.
   • Ok. Your file is attached.
   • Ok. More info is in attach
   • Ok. See attach.
   • Ok. Please, have a look at the attached file.
   • Ok. Your document is attached.
   • Ok. Please, read the document.
   • Ok. Attach tells everything.
   • Ok. Attached file tells everything.
   • Ok. Check attached file for details.
   • Ok. Check attached file.
   • Ok. Pay attention at the attach.
   • Ok. See the attached file for details.
   • Ok. Message is in attach
   • Ok. Here is the file.

The filenames of the attachments is constructed out of the following:

–  It starts with one of the following:
   • www.cumonherface
   • Details
   • XXX_livebabes
   • XXX_PornoUpdates
   • xxxporno
   • fuck_her
   • Info
   • Common
   • MoreInfo
   • Message

    The file extension is one of the following:
   • .exe
   • .scr
   • .com
   • .zip
   • .vbs
   • .hta
   • .cpl

The email may look like one of the following:

 Mailing Search addresses:
It searches the following files for email addresses:
   • .wab; .txt; .msg; .htm; .shtm; .stm; .xml; .dbx; .mbx; .mdx; .eml;
      .nch; .mmf; .ods; .cfg; .asp; .php; .pl; .wsh; .adb; .tbb; .sht; .xls;
      .oft; .uin; .cgi; .mht; .dhtm; .jsp

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @hotmail; @msn; @microsoft; rating@; f-secur; news; update; anyone@;
      bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@;
      kasp; admin; icrosoft; support; ntivi; unix; bsd; linux; listserv;
      certific; sopho; @foo; @iana; free-av; @messagelab; winzip; google;
      winrar; samples; abuse; panda; cafee; spam; pgp; @avp.; noreply;
      local; root@; postmaster@

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  

   It searches for directories that contain the following substring:
   • shar

   If successful, the following files are created:
   • Microsoft Office 2003 Crack, Working!.exe; Microsoft Windows XP, WinXP
      Crack, working Keygen.exe; Microsoft Office XP working Crack,
      Keygen.exe; Porno, sex, oral, anal cool, awesome!!.exe; Porno
      Screensaver.scr; Serials.txt.exe; KAV 5.0; Kaspersky Antivirus 5.0;
      Porno pics arhive, xxx.exe; Windows Sourcecode update.doc.exe; Ahead
      Nero 7.exe; Windown Longhorn Beta Leak.exe; Opera 8 New!.exe; XXX
      hardcore images.exe; WinAmp 6 New!.exe; WinAmp 5 Pro Keygen Crack
      Update.exe; Adobe Photoshop 9 full.exe; Matrix 3 Revolution English
      Subtitles.exe; ACDSee 9.exe

 Backdoor The following port is opened:

– windspl.exe on TCP port 6777 in order to provide backdoor capabilities.

Contact server:
The following:
   • http://ijj.**********

This is done via the HTTP GET request on a PHP script.

Sends information about:
    • Current malware status

 Miscellaneous Mutex:
It creates the following Mutexes:
   • vMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • []SystemsMutex
   • AdmSkynetJklS003
   • ____--->>>>U<<<<--____
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Furthermore it contains the following strings:
   • In a difficult world
   • In a nameless time
   • I want to survive
   • So, you will be mine!!
   • -- Bagle Author, 29.04.04, Germany.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Friday, February 10, 2006
Description updated by Andrei Gherman on Monday, February 13, 2006

Back . . . .