W32/Bagle.bb@mm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT

4402 (2004-10-29)

Updated DAT

4900 (2006-11-20)

Minimum Engine

5.1.00

File Length

Varies

Description Added

2004-10-29

Description Modified

2005-02-03

Malware Proliferation

Characteristics

-- Update February 3, 2005 --

The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.

--

The risk assessment of this mass-mailing virus has been deemed Medium due to high prevalence. The 4402 DATs have been released early to address this threat.

If you think that you may be infected with W32/Bagle.bb@MM, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.

This variant of W32/Bagle bears the following characteristics:

packed with PeX
contains its own SMTP engine for constructing outgoing email messages. The From: address is spoofed.
harvests target email addresses from the victim machine
copies itself to local folders on the victim machine (to folders containing the string 'shar')
terminates processes associated with various AV/security products
uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
deletes registry entries of security programs and other worms
opens port 81 for listening. Initial analysis suggests that the backdoor may be used for remote file execution.

Proactive Detection
McAfee gateway products (and the email-scanner plugin within the desktop product) running the 4382 DATs or greater will detect the original email messages generated by this virus as W32/Bagle!eml.gen .

Symptoms

When executed, the worm installs itself to the victim machine with the Windows system folder as WINGO.EXE. For example:

C:\WINNT\SYSTEM32\WINGO.EXE

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "wingo" = C:\WINNT\SYSTEM32\WINGO.EXE

The following Registry key is also added to store data (within a "TimeKey" key):

HKEY_CURRENT_USER\Software\Params

Additionally, the virus may make multiple copies of itself in the Windows system directory, appending the string "open" to the filename. For example:

C:\WINNT\SYSTEM32\WINGO.EXEOPEN
C:\WINNT\SYSTEM32\WINGO.EXEOPENOPEN
etc

Port 81 (TCP) is also opened on the victim machine.

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

{z4wMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Method of Infection

Mail Propagation

The virus constructs outgoing messages with its own SMTP engine. Target email addresses are harvested from the victim machine. Files with the following extensions are searched:

.wab
.txt
.msg
.htm
.shtm
.stm
.xml
.dbx
.mbx
.mdx
.eml
.nch
.mmf
.ods
.cfg
.asp
.php
.pl
.wsh
.adb
.tbb
.sht
.xls
.oft
.uin
.cgi
.mht
.dhtm
.jsp

Outgoing messages are constructed with the varying subject, message body and attachment filename.

The From: address is spoofed.

Subject: The subject line is one of the following:

Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi

Message Body: The message body will be one of the following:

:)
:))

Attachment: The attachment is an executable of name:

Price
price
Joke

with one of the following extensions:

.exe
.scr
.com
.cpl

The virus does not mail itself to email addresses containing the following strings:

@hotmail
@msn
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

P2P Propagation

The worm copies itself using enticing filenames to folders on the victim machine containing the string 'shar' . The following filenames are used:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

Process Termination Payload

The virus terminates the following processes if they are running on the victim machine:

mcagent.exe
mcvsshld.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
DefWatch.exe
Rtvscan.exe
ccEvtMgr.exe
NISUM.EXE
ccPxySvc.exe
navapsvc.exe
NPROTECT.EXE
nopdb.exe
ccApp.exe
Avsynmgr.exe
VsStat.exe
Vshwin32.exe
alogserv.exe
RuLaunch.exe
Avconsol.exe
PavFires.exe
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE
pavsrv50.exe
AVENGINE.EXE
APVXDWIN.EXE
pavProxy.exe
navapw32.exe
navapsvc.exe
ccProxy.exe
navapsvc.exe
NPROTECT.EXE
SAVScan.exe
SNDSrvc.exe
symlcsvc.exe
LUCOMS~1.EXE
blackd.exe
bawindo.exe
FrameworkService.exe
VsTskMgr.exe
SHSTAT.EXE
UpdaterUI.exe

BackDoor Component

The worm opens port 81 (TCP) on the victim machine. Initial analysis suggests this is a file execution backdoor. Once listening, the hacker is able to connect to a victim machine, and execute a file on that machine.

Downloading

This threat contacts a list of websites to retrieve a file named G.JPG. At the time of writing, this file was not available on any of the sites.

http://www.24-7-transportation.com
http://www.adhdtests.com
http://www.aegee.org
http://www.aimcenter.net
http://www.alupass.lu
http://www.amanit.ru
http://www.andara.com
http://www.angelartsanctuary.com
http://www.anthonyflanagan.com
http://www.approved1stmortgage.com
http://www.argontech.net
http://www.asianfestival.nl
http://www.atlantisteste.hpg.com.br
http://www.aviation-center.de
http://www.bbsh.org
http://www.bga-gsm.ru
http://www.boneheadmusic.com
http://www.bottombouncer.com
http://www.bradster.com
http://www.buddyboymusic.com
http://www.bueroservice-it.de
http://www.calderwoodinn.com
http://www.capri-frames.de
http://www.celula.com.mx
http://www.ceskyhosting.cz
http://www.chinasenfa.com
http://www.cntv.info
http://www.compsolutionstore.com
http://www.coolfreepages.com
http://www.corpsite.com
http://www.couponcapital.net
http://www.cpc.adv.br
http://www.crystalrose.ca
http://www.cscliberec.cz
http://www.curtmarsh.com
http://www.customloyal.com
http://www.DarrkSydebaby.com
http://www.deadrobot.com
http://www.dontbeaweekendparent.com
http://www.dragcar.com
http://www.ecofotos.com.br
http://www.elenalazar.com
http://www.ellarouge.com.au
http://www.esperanzaparalafamilia.com
http://www.eurostavba.sk
http://www.everett.wednet.edu
http://www.fcpages.com
http://www.featech.com
http://www.fepese.ufsc.br
http://www.firstnightoceancounty.org
http://www.flashcorp.com
http://www.fleigutaetscher.ch
http://www.fludir.is
http://www.freeservers.com
http://www.FritoPie.NET
http://www.gamp.pl
http://www.gci-bln.de
http://www.gcnet.ru
http://www.generationnow.net
http://www.gfn.org
http://www.giantrevenue.com
http://www.glass.la
http://www.handsforhealth.com
http://www.hartacorporation.com
http://www.himpsi.org
http://www.idb-group.net
http://www.immonaut.sk
http://www.ims-i.com
http://www.innnewport.com
http://www.irakli.org
http://www.irinaswelt.de
http://www.jansenboiler.com
http://www.jasnet.pl
http://www.jhaforpresident.7p.com
http://www.jimvann.com
http://www.jldr.ca
http://www.justrepublicans.com
http://www.kencorbett.com
http://www.knicks.nl
http://www.kps4parents.com
http://www.kps4parents.com
http://www.kradtraining.de
http://www.kranenberg.de
http://www.kranenberg.de
http://www.lasermach.com
http://www.leonhendrix.com
http://www.magicbottle.com.tw
http://www.mass-i.kiev.ua
http://www.mepbisu.de
http://www.mepmh.de
http://www.metal.pl
http://www.mexis.com
http://www.mongolische-renner.de
http://www.mtfdesign.com
http://www.oboe-online.com
http://www.ohiolimo.com
http://www.onepositiveplace.org
http://www.oohlala-kirkland.com
http://www.orari.net
http://www.pankration.com
http://www.pe-sh.com
http://www.pfadfinder-leobersdorf.com
http://www.pipni.cz
http://www.polizeimotorrad.de
http://www.programmierung2000.de
http://www.pyrlandia-boogie.pl
http://www.raecoinc.com
http://www.realgps.com
http://www.redlightpictures.com
http://www.reliance-yachts.com
http://www.relocationflorida.com
http://www.rentalstation.com
http://www.rieraquadros.com.br
http://www.scanex-medical.fi
http://www.sea.bz.it
http://www.selu.edu
http://www.sigi.lu
http://www.sljinc.com
http://www.sljinc.com
http://www.smacgreetings.com
http://www.soloconsulting.com
http://www.spadochron.pl
http://www.srg-neuburg.de
http://www.ssmifc.ca
http://www.sugardas.lt
http://www.sunassetholdings.com
http://www.szantomierz.art.pl
http://www.the-fabulous-lions.de
http://www.tivogoddess.com
http://www.tkd2xcell.com
http://www.topko.sk
http://www.transportation.gov.bh
http://www.travelchronic.de
http://www.traverse.com
http://www.uhcc.com
http://www.ulpiano.org
http://www.uslungiarue.it
http://www.vandermost.de
http://www.vbw.info
http://www.velezcourtesymanagement.com
http://www.velocityprint.com
http://www.vikingpc.pl
http://www.vinirforge.com
http://www.wecompete.com
http://www.worest.com.ar
http://www.woundedshepherds.com
http://www.wwwebad.com
http://www.wwwebmaster.com

Registry Entry Removal

In both of the following startup locations

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run

The following keys for other worms and security products are deleted:

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net

Removal

All Users :
The specified DATs have been released early for this threat.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Manual Removal Instructions

To remove this worm manually, follow the steps below:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32)
wingo.exe
wingo.exeopen
wingo.exeopenopen
Edit the registry
- Delete the "wingo.exe" value from
  - HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
Reboot the system into Default Mode

McAfee Desktop Firewall
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port 81

Network General Sniffer
A Network General Sniffer filter is available at http://www.networkgeneral.com/SnifferFilters_Details.aspx?Type=1

Threat Detail